Promote Qa to Prod - (User Invitations, integration tests)

.github/workflows/test.yml

@@ -4,6 +4,10 @@ on: pull_request
 
 jobs:
   quality:
+    env:
+      ZITADEL_IMAGE: ghcr.io/zitadel/zitadel:v2.63.4
+      POSTGRES_IMAGE: postgres:17.0-alpine3.19
+
     name: Ensure Quality
 
     runs-on: ubuntu-latest
@@ -21,6 +25,7 @@ jobs:
           - lint
           - test:unit
           - test:integration
+          - test:acceptance
 
     steps:
       - name: Checkout Repo
@@ -29,33 +34,14 @@ jobs:
       - name: Setup Buf
         uses: bufbuild/[email protected]
 
-      - name: Setup Node.js 20.x
-        uses: actions/[email protected]
-        with:
-          node-version: 20.x
-
       - name: Setup pnpm
         uses: pnpm/[email protected]
 
-      - uses: pnpm/[email protected]
-        name: Install pnpm
-        id: pnpm-install
-        with:
-          run_install: false
-
-      - name: Get pnpm store directory
-        id: pnpm-cache
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - uses: actions/[email protected]
-        name: Setup pnpm cache
+      - name: Setup Node.js 20.x
+        uses: actions/[email protected]
         with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          node-version: 20.x
+          cache: 'pnpm'
 
       - uses: actions/[email protected]
         name: Setup Cypress binary cache
@@ -64,10 +50,42 @@ jobs:
           key: ${{ runner.os }}-cypress-binary-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-cypress-binary-
-        if: ${{ matrix.command }} == "test:integration"
+        # The Cypress binary cache needs to be updated together with the pnpm dependencies cache.
+        # That's why we don't conditionally cache it using if: ${{ matrix.command == 'test:integration' }}
 
       - name: Install Dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
+
+        # We can cache the Playwright binary independently from the pnpm cache, because we install it separately.
+        # After pnpm install --frozen-lockfile, we can get the version so we only have to download the binary once per version.
+      - run: echo "PLAYWRIGHT_VERSION=$(npx playwright --version | cut -d ' ' -f 2)" >> $GITHUB_ENV
+        if: ${{ matrix.command == 'test:acceptance' }}
+
+      - uses: actions/[email protected]
+        name: Setup Playwright binary cache
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-binary-${{ env.PLAYWRIGHT_VERSION }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-binary-
+        if: ${{ matrix.command == 'test:acceptance' }}
+
+      - name: Install Playwright Browsers
+        run: pnpm exec playwright install --with-deps
+        if: ${{ matrix.command == 'test:acceptance' && steps.playwright-cache.outputs.cache-hit != 'true' }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        if: ${{ matrix.command == 'test:acceptance' }}
+
+      - name: Run ZITADEL
+        run: ZITADEL_DEV_UID=root pnpm run-zitadel
+        if: ${{ matrix.command == 'test:acceptance' }}
+
+      - name: Create Production Build
+        run: pnpm build
+        if: ${{ matrix.command == 'test:acceptance' }}
 
       - name: Check
         id: check

.gitignore

@@ -18,3 +18,7 @@ packages/zitadel-server/src/app/proto
 .idea
 .vercel
 .env*.local
+/test-results/
+/playwright-report/
+/blob-report/
+/playwright/.cache/

README.md

@@ -178,32 +178,57 @@ To run the application make sure to install the dependencies with
 pnpm install
 ```
 
-then setup the environment for the login application which needs a `.env.local` in `/apps/login`.
-Go to your instance and create a service user for the application having the `IAM_OWNER` manager role.
-This user is required to have access to create users on your primary organization and reading policy data so it can be
-restricted to your personal use case but we'll stick with `IAM_OWNER` for convenience. Create a PAT and copy the value to
-paste it under the `ZITADEL_SERVICE_USER_TOKEN` key.
-The file should look as follows:
+then generate the GRPC stubs with
 
-```
-ZITADEL_API_URL=[yourinstanceurl]
-ZITADEL_ORG_ID=[yourprimaryorg]
-ZITADEL_SERVICE_USER_TOKEN=[yourserviceuserpersonalaccesstoken]
+```sh
+pnpm generate
 ```
 
-then generate the GRPC stubs with
+To run the application against a local ZITADEL instance, run the following command:
 
 ```sh
-pnpm generate
+pnpm run-zitadel
+```
+
+This sets up ZITADEL using docker compose and writes the configuration to the file `apps/login/.env.local`.
+
+<details>
+<summary>Alternatively, use another environment</summary>
+You can develop against any ZITADEL instance in which you have sufficient rights to execute the following steps.
+Just create or overwrite the file `apps/login/.env.local` yourself.
+Add your instances base URL to the file at the key `ZITADEL_API_URL`.
+Go to your instance and create a service user for the login application.
+The login application creates users on your primary organization and reads policy data.
+For the sake of simplicity, just make the service user an instance member with the role `IAM_OWNER`.
+Create a PAT and copy it to the file `apps/login/.env.local` using the key `ZITADEL_SERVICE_USER_TOKEN`.
+Also add the users ID to the file using the key `ZITADEL_SERVICE_USER_ID`.
+
+The file should look similar to this:
+
+```
+ZITADEL_API_URL=https://zitadel-tlx3du.us1.zitadel.cloud
+ZITADEL_SERVICE_USER_ID=289106423158521850
+ZITADEL_SERVICE_USER_TOKEN=1S6w48thfWFI2klgfwkCnhXJLf9FQ457E-_3H74ePQxfO3Af0Tm4V5Xi-ji7urIl_xbn-Rk
 ```
 
-and then run it with
+</details>
+
+Start the login application in dev mode:
 
 ```sh
 pnpm dev
 ```
 
 Open the login application with your favorite browser at `localhost:3000`.
+Change the source code and see the changes live in your browser.
+
+Make sure the application still behaves as expected by running all tests
+
+```sh
+pnpm test
+```
+
+To satisfy your unique workflow requirements, check out the package.json in the root directory for more detailed scripts.
 
 ### Deploy to Vercel
 

acceptance/Dockerfile

@@ -1,6 +1,5 @@
 FROM golang:1.19-alpine
 RUN apk add curl jq
-RUN go install github.com/zitadel/[email protected]
 COPY setup.sh /setup.sh
 RUN chmod +x /setup.sh
 ENTRYPOINT [ "/setup.sh" ]

acceptance/docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3.8"
-
 services:
   zitadel:
     user: "${ZITADEL_DEV_UID}"
@@ -8,32 +6,37 @@ services:
     ports:
       - "8080:8080"
     volumes:
-      - ./machinekey:/machinekey
+      - ./pat:/pat
       - ./zitadel.yaml:/zitadel.yaml
     depends_on:
       db:
         condition: "service_healthy"
 
   db:
-    image: "cockroachdb/cockroach:v22.2.2"
-    command: "start-single-node --insecure --http-addr :9090"
+    restart: 'always'
+    image: "${POSTGRES_IMAGE:-postgres:latest}"
+    environment:
+      - POSTGRES_USER=zitadel
+      - PGUSER=zitadel
+      - POSTGRES_DB=zitadel
+      - POSTGRES_HOST_AUTH_METHOD=trust
+    command: postgres -c shared_preload_libraries=pg_stat_statements -c pg_stat_statements.track=all -c shared_buffers=1GB -c work_mem=16MB -c effective_io_concurrency=100 -c wal_level=minimal -c archive_mode=off -c max_wal_senders=0
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9090/health?ready=1"]
-      interval: "10s"
-      timeout: "30s"
+      test: ["CMD-SHELL", "pg_isready"]
+      interval: '10s'
+      timeout: '30s'
       retries: 5
-      start_period: "20s"
+      start_period: '20s'
     ports:
-      - "26257:26257"
-      - "9090:9090"
+      - 5432:5432
 
   wait_for_zitadel:
     image: curlimages/curl:8.00.1
     command:
       [
         "/bin/sh",
         "-c",
-        "i=0; while ! curl http://zitadel:8080/debug/ready && [ $$i -lt 30 ]; do sleep 1; i=$$((i+1)); done; [ $$i -eq 30 ] && exit 1 || exit 0",
+        "i=0; while ! curl http://zitadel:8080/debug/ready && [ $$i -lt 30 ]; do sleep 1; i=$$((i+1)); done; [ $$i -eq 120 ] && exit 1 || exit 0",
       ]
     depends_on:
       - zitadel
@@ -43,11 +46,11 @@ services:
     container_name: setup
     build: .
     environment:
-      KEY: /key/zitadel-admin-sa.json
-      SERVICE: http://zitadel:8080
-      WRITE_ENVIRONMENT_FILE: /apps/login/.env.acceptance
+      PAT_FILE: /pat/zitadel-admin-sa.pat
+      ZITADEL_API_INTERNAL_URL: http://zitadel:8080
+      WRITE_ENVIRONMENT_FILE: /apps/login/.env.local
     volumes:
-      - "./machinekey:/key"
+      - "./pat:/pat"
       - "../apps/login:/apps/login"
     depends_on:
       wait_for_zitadel:

acceptance/pat/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitkeep