fix(ci): airlock smoke test runs on PRs and binds broker to IPAddress.Any#100
Merged
GordonBeeming merged 2 commits intomainfrom Apr 9, 2026
Merged
fix(ci): airlock smoke test runs on PRs and binds broker to IPAddress.Any#100GordonBeeming merged 2 commits intomainfrom
GordonBeeming merged 2 commits intomainfrom
Conversation
….Any
Two fixes for the airlock + DinD smoke test job:
## 1. AirlockSmokeTests was binding the broker to IPAddress.Loopback
Same Linux-runner bug we hit in BrokerSmokeTests two commits ago and
fixed there. The proxy container resolves host.docker.internal via
host-gateway, which on Linux maps to the docker bridge IP (e.g.
172.17.0.1). A loopback-only listener cannot accept connections
coming in from the bridge gateway, so socat in the proxy container
hits "EOF" trying to forward to the host broker, and the integration
test fails with:
docker version through proxy bridge failed: stderr=error during
connect: Get "http://proxy:2375/v1.54/version": EOF
macOS / Docker Desktop / OrbStack route loopback magically. Linux CI
runners do not. Switch the smoke broker to IPAddress.Any so it
accepts connections on every interface, same as BrokerSmokeTests.
## 2. integration-tests-airlock now runs on every PR, not just main
The previous shape depended on build-proxy + build-images having
pushed the canonical proxy-sha-<sha> and copilot-default-sha-<sha>
tags to ghcr, both of which are gated to main. So PRs were never
exercising the airlock smoke test, and bugs in the airlock + DinD
path only got caught after merge — exactly what just happened with
the IPAddress.Loopback regression.
Restructured the job to:
* not depend on build-proxy / build-images / prepare-versions
* run dev-build.sh inline to build the proxy + default app images
locally with the canonical :proxy and :latest tags
* point COPILOT_HERE_PROXY_IMAGE / COPILOT_HERE_APP_IMAGE at those
local tags via the override env vars introduced earlier
* drop the "if: github.ref == refs/heads/main" gate
Cost: one extra ~5 min image build per PR. Benefit: airlock + DinD
regressions get caught at PR time instead of post-merge on main.
556/556 unit tests still pass.
Refs #20
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: GitButler <gitbutler@gitbutler.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes the Airlock integration smoke test to work on Linux CI runners by binding the broker listener to IPAddress.Any, and updates CI so the full airlock + DinD smoke test can run on pull requests by building required images locally.
Changes:
- Update
AirlockSmokeTeststo bind the broker TCP listener toIPAddress.Any(fixes Linux CI connectivity viahost.docker.internal:host-gateway). - Add a PR-time
integration-tests-airlockworkflow job that builds proxy/default images locally viadev-build.shand runs the airlock smoke test.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
tests/CopilotHere.IntegrationTests/AirlockSmokeTests.cs |
Switch broker listener from loopback to IPAddress.Any so proxy bridge can connect on Linux CI. |
.github/workflows/publish.yml |
Adds a PR-running airlock integration test job that locally builds images before running the smoke test. |
The previous commit on this branch was supposed to replace the main-only job definition with the PR-friendly one, but the patch restore left both definitions in the file. Two jobs with the same name made GitHub Actions reject the workflow file before it even queued — the publish.yml run failed without producing any jobs. Removing the original (main-only, dependent on build-proxy / build-images / prepare-versions) leaves just the new PR-friendly definition that builds images locally via dev-build.sh. Refs #20 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: GitButler <gitbutler@gitbutler.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AirlockSmokeTests.cswas still binding the broker toIPAddress.Loopback, which only works on macOS / Docker Desktop / OrbStack — Linux CI runners routehost.docker.internal:host-gatewayto the bridge IP and a loopback-only listener can't accept connections from there. Switch toIPAddress.Any, same fix already applied toBrokerSmokeTests.integration-tests-airlockwas gated tomainbecause it depended onbuild-proxy/build-imageshaving pushed the canonical sha tags. Now it builds the proxy + default app images locally viadev-build.shand runs on every PR. Catches airlock + DinD regressions at PR time instead of post-merge.Why this matters
The current main build is failing on this exact bug — the regression slipped past PRs because the airlock smoke test only ran on main. (failing run)
Test plan
Refs #20