Commit Graph

3 Commits

Author SHA1 Message Date
f6a7a3c360 feat(workflows.yaml): shared_volume + shell config; fix(wfe-server): log_search probe + webhook tests
- workflows.yaml: declare `shared_volume: { mount_path: /workspace,
  size: 30Gi }` on the ci workflow so all sub-workflows share a PVC;
  set `shell: /bin/bash` on ci_config/ci_long_config anchors.

- log_search.rs: fix opensearch_url() TCP probe to resolve hostnames
  (not just IPs); make ensure_index handle resource_already_exists
  races gracefully.

- webhook.rs: 14 new handler-level tests covering generic event auth
  (accept/reject/missing), GitHub/Gitea HMAC verification, bad JSON
  400s, trigger matching, trigger ref-mismatch skip, and real
  workflow-start side effect verification.
2026-04-09 15:46:25 +01:00

02a574b24e style: apply cargo fmt workspace-wide
Pure formatting pass from `cargo fmt --all`. No logic changes. Separating
this out so the 1.9 release feature commits that follow show only their
intentional edits.
2026-04-07 18:44:21 +01:00

cbbeaf6d67 feat(wfe-server): headless workflow server with gRPC, webhooks, and OIDC auth
Single-binary server exposing the WFE engine over gRPC (13 RPCs) with
HTTP webhook support (GitHub, Gitea, generic events).

Features:
- gRPC API: workflow CRUD, lifecycle event streaming, log streaming,
  log search via OpenSearch
- HTTP webhooks: HMAC-SHA256 verified GitHub/Gitea webhooks with
  configurable triggers that auto-start workflows
- OIDC/JWT auth: discovers JWKS from issuer, validates with asymmetric
  algorithm allowlist to prevent algorithm confusion attacks
- Static bearer token auth with constant-time comparison
- Lifecycle event broadcasting via tokio::broadcast
- Log streaming: real-time stdout/stderr via LogSink trait, history
  replay, follow mode
- Log search: full-text search via OpenSearch with workflow/step/stream
  filters
- Layered config: CLI flags > env vars > TOML file
- Fail-closed on OIDC discovery failure, fail-loud on config parse errors
- 2MB webhook payload size limit
- Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.)
2026-04-01 14:37:25 +01:00