Simplify e2e test

[lucacome]

Summary by CodeRabbit

• Chores
  • Removed a custom CI setup action previously used in workflows.
  • Simplified CI from a matrix-driven pipeline to a single linear sequence of steps.
  • Consolidated environment and credential setup, remote-runner/tunneling steps, and artifact handling into dedicated sequential steps.
  • Added a unified, always-run cleanup sequence to ensure teardown after runs.

[coderabbitai]

📝 Walkthrough

Walkthrough

Removed the composite action .github/actions/setup/action.yaml and refactored .github/workflows/ci.yaml from a matrix-driven e2e flow to an explicit linear sequence that performs AWS credential setup, Tailscale connect, artifact restore, binary placement, TailOut lifecycle commands, and an always-run cleanup.

Changes

Cohort / File(s)	Summary
Composite Action Removed \.github/actions/setup/action.yaml``	Deleted the composite action that declared inputs (e.g., binary_name, Tailscale creds/version, role_arn, region) and steps for AWS credential setup, Tailscale connect, artifact fetch/restore, and moving the built binary to /usr/local/bin.
CI Workflow Refactor — Inlined Setup & TailOut Flow \.github/workflows/ci.yaml``	Replaced the previous matrix-driven e2e job with a linear sequence of steps: configure AWS credentials, connect runner to Tailscale, restore cached artifacts, move binary to /usr/local/bin, run TailOut lifecycle commands (init, create, status, disconnect, status), and an always-run cleanup step.

Sequence Diagram

sequenceDiagram
    autonumber
    participant CI as CI Runner
    participant AWS as AWS
    participant TS as Tailscale
    participant Cache as Artifact Cache
    participant TailOut as TailOut

    rect rgba(100,150,200,0.12)
    note right of CI: Inlined setup (composite action removed)
    CI->>AWS: configure-credentials
    CI->>TS: tailscale-connect
    CI->>Cache: restore artifacts
    CI->>CI: move binary -> /usr/local/bin
    end

    rect rgba(120,180,140,0.10)
    note right of CI: TailOut lifecycle
    CI->>TailOut: tailout init
    CI->>TailOut: tailout create
    CI->>TailOut: tailout status
    CI->>TailOut: tailout disconnect
    CI->>TailOut: tailout status
    end

    rect rgba(200,180,180,0.08)
    note right of CI: Always-run cleanup
    CI->>TS: teardown / cleanup
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Inspect secrets/credentials handling and assumed IAM role usage in .github/workflows/ci.yaml.
• Verify tailscale connection/teardown steps are safe for runners and don't leak keys.
• Confirm artifact cache restore and binary move preserve permissions and correct paths.
• Ensure no other workflows or actions referenced the removed composite action.

Poem

🐇 I hopped through YAML lines and nudged the steps in place,
Keys tucked, tailscale bridged, artifacts found their space.
A linear path now hums, no matrix left to chase,
I nibble on the logs — CI runs with steady pace.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Simplify e2e test" is directly related to the primary changes in this pull request, which restructure the CI workflow by removing the separate setup action and replacing the matrix-driven e2e flow with a linear sequence of steps. This reorganization does genuinely simplify the e2e test configuration and execution. The title is concise, refers to a real and substantial aspect of the changeset, and would provide a developer scanning the history with a reasonable understanding that the e2e test infrastructure was modified to be simpler. While the term "simplify" could be more specific about the nature of the changes (e.g., mentioning the restructuring from matrix to sequential), it remains sufficiently descriptive and is not as generic as examples like "misc updates" or "stuff."

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/e2e

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89a076d and 232c0b1.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml (1 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.github/workflows/ci.yaml (3)

246-251: Hardcoded AWS region may limit operational flexibility.

While us-west-1 is a valid choice, consider whether this should be configurable (e.g., via a secret or environment variable) to support multi-region deployments or disaster recovery scenarios in the future. For now, this is acceptable if single-region operation is the intended design.

---

262-266: Consider explicit cache miss handling.

The artifact cache restore lacks a fail-on-cache-miss: true flag. If the cache is missing (e.g., due to a binary job artifact save failure), the subsequent binary move step will fail with an unclear error. Either add fail-on-cache-miss: true here or add explicit validation after the move to ensure the binary exists.

- name: Fetch Cached Artifacts
  uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
  with:
    path: ${{ github.workspace }}/dist
    key: ${{ needs.binary.outputs.cache-key }}
    fail-on-cache-miss: true

---

268-270: Tighten binary path glob pattern for robustness.

The glob dist/tailout_linux_amd64*/tailout could match multiple directories if the build output structure changes or produces multiple variants. Consider verifying the actual directory structure produced by GoReleaser and using a more specific path if possible (e.g., dist/tailout_linux_amd64_v1/tailout if that's the only output).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9e063da and 5e45289.

📒 Files selected for processing (2)

• .github/actions/setup/action.yaml (0 hunks)
• .github/workflows/ci.yaml (1 hunks)

💤 Files with no reviewable changes (1)

• .github/actions/setup/action.yaml

🔇 Additional comments (3)

.github/workflows/ci.yaml (3)

253-260: Clean Tailscale configuration.

The OIDC-based OAuth setup and explicit version pinning are good practices. The runner operator tag is appropriate for this context.

---

284-285: Cleanup step is well-structured.

The if: always() condition ensures instances are stopped regardless of test outcome. This is the correct pattern for cleanup.

---

239-286: Verify that the e2e-tests job doesn't need repository checkout.

Unlike other jobs in this workflow (checks, binary, build-and-push-image), the e2e-tests job does not include a actions/checkout step. This is likely intentional since the job only executes the tailout binary and doesn't reference repository files. However, please verify that no test fixtures, e2e test scripts, or other repository content are needed to run the full e2e test suite. If repository content is required (e.g., test fixtures or additional scripts), add a checkout step near line 246.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/ci.yaml (1)

276-283: Address error handling and complete IP validation (Duplicate of past review concern).

This block still lacks error handling and the TODO for IP validation remains incomplete. If tailout create fails, subsequent commands (status, disconnect, etc.) still execute, potentially masking the failure.

Additionally, the TODO comment indicates incomplete IP validation logic that was flagged in the prior review.

Consider implementing:

- name: Create instance and test workflow
  run: |
    set -e  # Fail fast on any error
    
    # Capture public IP from create output
    create_output=$(tailout create)
    created_ip=$(echo "$create_output" | grep -oP 'public_ip[=:]\s*\K[\d.]+' || echo "")
    
    tailout status
    
    # Extract public IP from status output
    status_output=$(tailout status)
    status_ip=$(echo "$status_output" | grep -oP 'public_ip[=:]\s*\K[\d.]+' || echo "")
    
    # Validate IP match
    if [ -z "$created_ip" ] || [ -z "$status_ip" ]; then
      echo "Failed to extract public IP from outputs"
      exit 1
    fi
    
    if [ "$created_ip" != "$status_ip" ]; then
      echo "Public IP mismatch: created=$created_ip, status=$status_ip"
      exit 1
    fi
    
    tailout disconnect
    tailout status

This approach:

• Adds set -e to fail fast
• Captures and validates the public IP as noted in the TODO
• Provides clear error messages

🧹 Nitpick comments (1)

.github/workflows/ci.yaml (1)

268-270: Harden glob pattern for binary placement to handle edge cases.

The glob pattern dist/tailout_linux_amd64*/tailout assumes exactly one match exists. If GoReleaser output changes or the pattern doesn't match, the command silently fails and subsequent steps run anyway (no error handling).

Consider a more defensive approach:

- name: Move binary to /usr/local/bin
  run: |
    set -e
    binary=$(ls dist/tailout_linux_amd64*/tailout)
    [ -f "$binary" ] || { echo "Binary not found"; exit 1; }
    sudo mv "$binary" /usr/local/bin/
  shell: bash

Alternatively, add set -e at the start of the "Create instance and test workflow" run block (line 276) to fail fast on any error.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5e45289 and d80d8ae.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: binary

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/ci.yaml (1)

287-287: Unresolved TODO: IP validation not implemented.

The TODO comment about verifying that the public IP address matches the one from the new instance remains unaddressed. Either implement the IP validation or remove the TODO comment.

If implementing: capture the IP from tailout create output, extract it from tailout status, compare them, and exit non-zero on mismatch.

🧹 Nitpick comments (1)

.github/workflows/ci.yaml (1)

268-270: Glob pattern may be fragile; consider explicit path.

Line 269 uses dist/tailout_linux_amd64*/tailout to locate the binary. This glob pattern could match multiple directories or fail silently if the expected structure changes.

Consider using an explicit, deterministic path or validating the match count beforehand:

# Option 1: More explicit glob with validation
binary=$(ls dist/tailout_linux_amd64_v1/tailout 2>/dev/null || ls dist/tailout_linux_amd64*/tailout | head -1)
[ -f "$binary" ] || { echo "Binary not found"; exit 1; }
sudo mv "$binary" /usr/local/bin/

# Option 2: Check GoReleaser output format in binary job and hard-code the path
sudo mv dist/tailout_linux_amd64_v1/tailout /usr/local/bin/

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d80d8ae and c522e22.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: binary

🔇 Additional comments (1)

.github/workflows/ci.yaml (1)

246-291: Improved structure for error handling and clarity.

The refactoring separates each step into atomic, individually-failing GitHub Actions steps. This is a good improvement over a single multi-command block, as each command now fails independently and stops the workflow without requiring set -e. The explicit inlining of the setup logic is clearer and easier to debug than the composite action.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/ci.yaml (1)

237-289: Refactoring improves error handling but TODO remains unaddressed.

By separating TailOut commands into individual steps, the job now has implicit error handling—each step fails independently without requiring set -e. This is an improvement over the previous multi-line script approach.

However, the TODO comment on line 285 about validating the instance public IP address remains unimplemented. The previous review flagged this as requiring either IP validation logic or explicit error handling.

Please address one of the following:

1. Implement the IP validation (capture the public IP from tailout create, extract it from tailout status, compare, and fail if they don't match).
2. Confirm whether this is being deferred to a follow-up PR and document that decision.

Additionally, verify whether the job truly doesn't need a checkout step. While it only uses cached artifacts, some workflows benefit from having the repo available for debugging or status checks.

🧹 Nitpick comments (1)

.github/workflows/ci.yaml (1)

266-268: Binary placement step uses glob pattern; verify it matches exactly one binary.

The step uses dist/tailout_linux_amd64*/tailout which relies on glob expansion. If the binary path ever changes (e.g., different architecture or naming), this could silently fail to move the binary or move multiple files unexpectedly.

Consider making the path more explicit:

-      - name: Move binary to /usr/local/bin
-        run: sudo mv dist/tailout_linux_amd64*/tailout /usr/local/bin/
+      - name: Move binary to /usr/local/bin
+        run: |
+          binary_path=$(find dist -name "tailout_linux_amd64*/tailout" -type f | head -1)
+          if [[ -z "$binary_path" ]]; then
+            echo "Error: binary not found" >&2
+            exit 1
+          fi
+          sudo mv "$binary_path" /usr/local/bin/

This ensures a binary is found and avoids ambiguity if glob expansion produces unexpected results.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e5262cb and e0e6fc6.

📒 Files selected for processing (2)

• .github/actions/setup/action.yaml (0 hunks)
• .github/workflows/ci.yaml (1 hunks)

💤 Files with no reviewable changes (1)

• .github/actions/setup/action.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: binary

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e0e6fc6 and 89a076d.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml (1 hunks)

🔇 Additional comments (2)

.github/workflows/ci.yaml (2)

236-289: Refactoring improves clarity and debuggability.

The shift from a matrix-driven e2e flow to explicit linear steps is a solid improvement:

• Each lifecycle phase (init → create → status → disconnect → status) is now a discrete step, making failures transparent
• Default GitHub Actions behavior (any step failure stops the job) eliminates the need for inline set -e
• The if: always() on cleanup ensures resources are released even if tests fail
• Sequential separation makes it easier to trace which command failed

This addresses the prior concern about error handling in multi-line scripts.

---

285-286: Address the unaddressed TODO about IP validation in the workflow.

The TODO comment on line 285 is confirmed to be orphaned and unimplemented. No IP address validation logic exists in the workflow file.

Before merging, choose one of the following:

1. Implement the IP validation logic as a new step (capture public IP, compare with expected value, fail if mismatch)
2. Remove the TODO comment if this validation is not needed
3. Open a separate tracking issue if this is deferred work

The orphaned comment suggests incomplete work that needs resolution.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify binary path glob pattern and remove redundant shell directive.

Line 267 uses the glob dist/tailout_linux_amd64*/tailout which must match the actual goreleaser build output structure. Confirm this aligns with the .goreleaser.yaml configuration.

Additionally, the shell: bash on line 268 is redundant since defaults.run.shell is already set to bash on line 15.

Remove line 268 (shell: bash) as it duplicates the default shell setting.

---

🏁 Script executed:

#!/bin/bash
# Verify the binary glob pattern matches goreleaser output by checking the binary job
rg -n 'dist/tailout' .github/workflows/ci.yaml | head -20

Length of output: 137

---

🏁 Script executed:

#!/bin/bash
# Find and examine goreleaser configuration to verify binary output structure
fd -type f -name '.goreleaser.yaml' -o -name '.goreleaser.yml' -o -name 'goreleaser.yaml' -o -name 'goreleaser.yml' | head -5

Length of output: 170

---

🏁 Script executed:

#!/bin/bash
# Also check the build job that produces the binary to see goreleaser output
rg -n -A 10 'name.*build' .github/workflows/ci.yaml | grep -A 10 'runs-on.*ubuntu' | head -40

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Check goreleaser release step in the workflow
rg -n -B 5 -A 15 'goreleaser' .github/workflows/ci.yaml | head -60

Length of output: 1087

---

🏁 Script executed:

#!/bin/bash
# Check what's in the dist directory references throughout the workflow
rg -n 'dist/tailout' .github/workflows/ci.yaml

Length of output: 137

---

🏁 Script executed:

#!/bin/bash
# Find the exact build output directory structure by looking at upload-artifact steps
rg -n -B 2 -A 2 'upload.*artifact' .github/workflows/ci.yaml | head -30

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Find goreleaser config file
find . -maxdepth 2 -name '.goreleaser*' -o -name 'goreleaser*' 2>/dev/null | head -10

Length of output: 18

---

🏁 Script executed:

#!/bin/bash
# Check if goreleaser config exists and examine its structure
cat .goreleaser.yaml 2>/dev/null | head -100

Length of output: 1457

---

🏁 Script executed:

#!/bin/bash
# Look for the specific build output path in workflow or config
rg -n 'tailout_linux_amd64' .github/workflows/ci.yaml

Length of output: 137

---

🏁 Script executed:

#!/bin/bash
# Check the cache key to understand what binary is being cached
rg -n -B 2 -A 5 'cache.*key' .github/workflows/ci.yaml | grep -A 5 -B 2 'tailout\|dist' | head -40

Length of output: 828

---

🏁 Script executed:

#!/bin/bash
# Look at the build job output path and artifact uploads
rg -n -B 5 -A 5 'build.*dist' .github/workflows/ci.yaml

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Check goreleaser outputs configuration
rg -n 'outputs:' .goreleaser.yaml 2>/dev/null | head -5

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Examine the entire goreleaser.yaml file
cat .goreleaser.yaml 2>/dev/null || echo "File not found"

Length of output: 1457

---

🏁 Script executed:

#!/bin/bash
# Simple check - look at build job in workflow to see what artifacts are created
rg -n -A 30 'jobs:' .github/workflows/ci.yaml | grep -A 30 'build:' | head -50

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Find the line where cache is saved/restored in the build and e2e-tests jobs
rg -n 'cache-hit\|actions/cache' .github/workflows/ci.yaml -A 3 -B 3

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Look for where dist directory is created/populated in build job
rg -n 'goreleaser\|make\|build' .github/workflows/ci.yaml -B 2 -A 2 | head -80

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Check if there's a Make target that runs goreleaser
fd -type f -name 'Makefile' -o -name 'makefile' | xargs cat 2>/dev/null | head -100

Length of output: 170

---

🏁 Script executed:

#!/bin/bash
# Let's look at the build step more carefully - find what produces the dist directory
rg -n -B 10 'cache.*save' .github/workflows/ci.yaml | grep -B 10 'dist'

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Check if there's version info in the dist directory naming
rg -n 'version\|v1' .github/workflows/ci.yaml | grep -i dist

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# List all lines mentioning the dist directory structure
rg -n 'dist/.*linux' .github/workflows/ci.yaml

Length of output: 137

---

🏁 Script executed:

#!/bin/bash
# Get complete context around line 122 and 267 to understand the binary paths
sed -n '110,130p' .github/workflows/ci.yaml

Length of output: 860

---

🏁 Script executed:

#!/bin/bash
# Get complete context around the binary move in e2e-tests
sed -n '260,275p' .github/workflows/ci.yaml

Length of output: 480

---

🏁 Script executed:

#!/bin/bash
# Check if there are multiple goreleaser builds or if the version suffix is dynamic
rg -n 'dist/tailout_linux_amd64' .github/workflows/ci.yaml -A 1 -B 1

Length of output: 257

---

🏁 Script executed:

#!/bin/bash
# Look at the goreleaser install/run step in build job
rg -n 'goreleaser.*release' .github/workflows/ci.yaml -A 5 -B 5

Length of output: 625

---

🏁 Script executed:

#!/bin/bash
# Check for the TODO comment around line 285
sed -n '280,290p' .github/workflows/ci.yaml

Length of output: 285

---

🏁 Script executed:

#!/bin/bash
# Get context for the complete lifecycle steps and cleanup
sed -n '270,290p' .github/workflows/ci.yaml

Length of output: 493

---

🏁 Script executed:

#!/bin/bash
# Check if there are any TODO or FIXME comments in the e2e-tests job
rg -n 'TODO|FIXME' .github/workflows/ci.yaml | grep -A 2 -B 2 e2e

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Get full e2e-tests job section to see all steps and any comments
sed -n '236,295p' .github/workflows/ci.yaml

Length of output: 1922

---

🏁 Script executed:

#!/bin/bash
# Verify the defaults.run.shell setting on line 15
sed -n '10,20p' .github/workflows/ci.yaml

Length of output: 137

---

Glob pattern is correct; remove redundant shell directive and address TODO comment.

The glob pattern dist/tailout_linux_amd64*/ correctly matches both tagged releases (e.g., tailout_linux_amd64_v1) and snapshot builds (e.g., tailout_linux_amd64), making it more robust than the hardcoded path on line 122. No changes needed.

However, the shell: bash on line 268 is redundant—defaults.run.shell already specifies bash globally on line 15. Remove it.

Additionally, the TODO comment on line 285 remains incomplete from the previous review: either implement the public IP validation check or remove the placeholder.

🤖 Prompt for AI Agents

.github/workflows/ci.yaml lines 266-268: the glob pattern for moving the binary
is fine and should be left as-is, but remove the redundant "shell: bash"
directive on line 268 since defaults.run.shell is already set globally; also
address the lingering TODO comment at line 285 by either implementing the
public-IP validation logic referenced there or removing the placeholder comment
and any related no-op steps so the workflow has no incomplete TODOs.