chore: upgrade GitHub Actions + close e2e/smoke test coverage gaps

[PenguinzTech]

Summary

• Upgraded all GitHub Actions to latest Node.js 24-compatible versions (checkout v6, cache v5, setup-go v6, docker actions v4/v7, etc.) — eliminates deprecation warnings ahead of the June 2, 2026 Node.js 20 removal
• Closed e2e and smoke test gaps identified against testing.md / testing-react.md / testing-python.md standards

Test coverage added

File	What was added
tests/smoke/test_dns_server_api.py	test_ready_endpoint — /ready readiness check
tests/smoke/test_web_console_api.py	/ready test; TestQueryFilterParams — pagination params, empty far-page, active domain filter, logs pagination, invalid IOC feed ID → 404
tests/e2e/dns-webui.spec.ts	One-time auth fixture; 7 protected-route page-load tests (index, tokens, domains, permissions, blacklist, certs, logs); form modal validation-error tests (new token, new domain)
.github/workflows/build.yml	Playwright artifact cleanup step (if: always())

Standards compliance

• testing.md — /ready smoke test, API filter coverage, Playwright outputDir cleanup
• testing-react.md — auth-protected page loads, form modal open/validation, CI: add cleanup step with if: always()

Test plan

• Smoke: pytest tests/smoke/test_dns_server_api.py::TestDNSServerHealth::test_ready_endpoint -v
• Smoke: pytest tests/smoke/test_web_console_api.py::TestWebConsoleHealth -v
• Smoke: pytest tests/smoke/test_web_console_api.py::TestQueryFilterParams -v
• E2E: cd tests/e2e && CI_SERVICES_RUNNING=true npx playwright test dns-webui (with services running)
• CI passes on this PR (build-and-test, docker-multi-build, security-scanning)

🤖 Generated with Claude Code

Summary by Sourcery

Upgrade CI workflows to current GitHub Actions versions and expand readiness, filtering, and UI smoke coverage for the DNS server and web console.

New Features:

• Add Playwright-authenticated smoke tests for protected DNS WebUI routes and form modal validation errors.
• Add smoke tests for DNS server and web console /ready readiness endpoints.
• Add smoke tests for web console API pagination, filtering, and invalid IOC feed ID behavior.

Enhancements:

• Introduce shared Playwright authentication setup to reuse storage state across protected-route tests.

Build:

• Add a CI step to always clean up Playwright artifacts after test runs.

CI:

• Update GitHub Actions workflows to latest major versions for checkout, cache, setup-go, Docker, artifact, Trivy, Codecov, and gitStream actions.

[sourcery-ai]

Reviewer's Guide

This PR upgrades all GitHub Actions to Node.js 24–compatible versions across workflows and expands smoke/e2e coverage for DNS server and web console readiness, API filters/pagination, and auth-protected UI flows, including Playwright artifact cleanup in CI.

Sequence diagram for CI build-and-test workflow with Playwright cleanup

sequenceDiagram
  participant Dev as Developer
  participant GH as GitHub_Actions
  participant Job as build-and-test_job
  participant PW as Playwright_tests
  participant FS as CI_FileSystem

  Dev->>GH: Push commit / open PR
  GH->>Job: Start build-and-test workflow

  Job->>Job: Run unit tests and smoke tests
  Job->>PW: Start Playwright E2E tests (dns-webui)
  PW->>FS: Write artifacts to /tmp/playwright-squawk
  PW-->>Job: Report test result (pass/fail)

  Job->>Job: Execute Clean_up_Playwright_artifacts (if always)
  Job->>FS: rm -rf /tmp/playwright-squawk
  FS-->>Job: Artifacts directory removed

  Job-->>GH: Report overall job status
  GH-->>Dev: Show CI result on PR

Loading

File-Level Changes

Change	Details	Files
Added Playwright-based authenticated UI coverage and form validation tests for the DNS WebUI, with reusable auth state.	Introduced environment-driven config (BASE URL, test credentials) and a CI_SERVICES_RUNNING helper for conditional skipping. Implemented a one-time login in test.beforeAll that saves Playwright storage state to a JSON file and reuses it via test.use({ storageState }). Added a set of protected-route smoke tests that assert authenticated access to core console pages without JS errors or login redirects. Added form-modal tests for creating new tokens/domains that assert client-side/server-side validation errors on empty submit.	tests/e2e/dns-webui.spec.ts
Expanded smoke API coverage for web console and DNS server readiness and query/log/domain IOC APIs.	Added TestWebConsoleHealth suite with a /ready endpoint smoke test that validates 200 status and a healthy status field. Added TestQueryFilterParams suite covering pagination on /api/v1/queries and /api/v1/logs, active/inactive filters on /api/v1/domains, and 404 behavior for invalid IOC feed IDs. Added a DNS server /ready readiness test to mirror the existing /health coverage.	tests/smoke/test_web_console_api.py tests/smoke/test_dns_server_api.py
Upgraded GitHub Actions and Docker-related actions across workflows to latest Node.js 24–compatible SHAs and versions, and improved CI hygiene.	Bumped actions/checkout from v5 to v6, setup-go to v6, actions/cache to v5, and actions/download-artifact/upload-artifact to their latest major versions in all affected workflows. Updated docker/setup-buildx-action, docker/setup-qemu-action, docker/login-action, docker/build-push-action, docker/metadata-action, and gitStream GitHub Action to newer major versions/SHAs. Updated securego/gosec, aquasecurity/trivy-action, and github/codeql-action/upload-sarif to newer SHAs while keeping configured behavior the same. Added a build.yml step that always removes Playwright artifacts from /tmp/playwright-squawk with if: always() to keep CI runners clean.	.github/workflows/go-client-release.yml .github/workflows/cron.yml .github/workflows/server-release.yml .github/workflows/build.yml .github/workflows/release.yml .github/workflows/push.yml .github/workflows/version-monitor.yml .github/workflows/gitstream.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In dns-webui.spec.ts, consider applying the servicesRunning() skip at the describe level (e.g., via test.describe.configure or a beforeEach that calls test.skip) to avoid repeating the same skip logic in every test body.
• The Playwright form modal tests rely on broad CSS selectors for the submit button and error messages; if possible, introducing stable data-testid attributes and targeting those would make these tests less brittle against UI or styling changes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `dns-webui.spec.ts`, consider applying the `servicesRunning()` skip at the `describe` level (e.g., via `test.describe.configure` or a `beforeEach` that calls `test.skip`) to avoid repeating the same skip logic in every test body.
- The Playwright form modal tests rely on broad CSS selectors for the submit button and error messages; if possible, introducing stable `data-testid` attributes and targeting those would make these tests less brittle against UI or styling changes.

## Individual Comments

### Comment 1
<location path="tests/smoke/test_web_console_api.py" line_range="195-202" />
<code_context>
+        assert "queries" in data
+        assert len(data["queries"]) <= 10
+
+    def test_queries_empty_far_page(self, authenticated_client):
+        """GET /api/v1/queries with a far-out page returns empty list, not error"""
+        response = authenticated_client.get("/api/v1/queries", params={"page": 99999, "limit": 10})
+
+        assert response.status_code == 200
+        data = response.json()
+        items = data.get("queries", data.get("items", data.get("data", [])))
+        assert isinstance(items, list)
+
+    def test_domains_filter_active(self, authenticated_client):
</code_context>
<issue_to_address>
**issue (testing):** Test name/docstring say "returns empty list" but the assertions only check list type, not emptiness.

Right now the test would still pass if the far-out page returned a non-empty list, which conflicts with the described behavior and reduces its value as a regression test.

If the contract is truly “empty list for far pages”, please assert that explicitly, e.g.:

```python
items = data.get("queries", data.get("items", data.get("data", [])))
assert isinstance(items, list)
assert len(items) == 0
```

Otherwise, if some items are acceptable, consider relaxing the docstring and instead asserting a more accurate invariant (e.g. no error and correct payload shape).
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (testing): Test name/docstring say "returns empty list" but the assertions only check list type, not emptiness.

Right now the test would still pass if the far-out page returned a non-empty list, which conflicts with the described behavior and reduces its value as a regression test.

If the contract is truly “empty list for far pages”, please assert that explicitly, e.g.:

items = data.get("queries", data.get("items", data.get("data", [])))
assert isinstance(items, list)
assert len(items) == 0

Otherwise, if some items are acceptable, consider relaxing the docstring and instead asserting a more accurate invariant (e.g. no error and correct payload shape).

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request