Move scripts out of the workflow itself

.gitea/workflows/test.yaml

@@ -23,21 +23,15 @@ jobs:
         with:
           go-version-file: 'go.mod'
 
-      - name: Setup Hashicorp Vault (on Linux)
+      - name: Install Hashicorp Vault (on Linux)
         if: matrix.arch != 'darwin-amd64' && matrix.arch != 'windows-amd64'
         run: |
-          wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+          ./script/vault-install.sh
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-          apt-get update && apt-get -y install vault
 
-      - name: Setup Hashicorp Vault (on Windows)
+      - name: Install Hashicorp Vault (on Windows)
         if: matrix.arch == 'windows-amd64'
         run: |
-          $vaultVersion = "1.20.3"
+          & "./scripts/vault-install.ps1"
-          $vaultUrl = "https://releases.hashicorp.com/vault/$vaultVersion/vault_${vaultVersion}_windows_amd64.zip"
-          Invoke-WebRequest -Uri $vaultUrl -OutFile "vault.zip"
-          Expand-Archive -Path "vault.zip" -DestinationPath .
-          & "./vault.exe" version
         shell: pwsh
 
       - name: Start Vault in background (on Unix)
@@ -47,21 +41,7 @@ jobs:
           VAULT_ADDR: "https://127.0.0.1:8200"
           VAULT_SKIP_VERIFY: "true"
         run: |
-          # Start Vault server in background
+          ./script/vault-start.sh
-          echo "🔐 Starting Hashicorp Vault development server"
-          vault server -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-tls > vault.log 2>&1 &
-          VAULT_PID=$!
-          echo $VAULT_PID > vault.pid
-
-          sleep 3
-          export VAULT_SKIP_VERIFY=true
-          if ! vault status; then
-            echo "❌ Vault failed to start. Logs ($(wc -l vault.log) lines):"
-            cat vault.log
-            exit 1
-          fi
-
-          echo "✅ Vault started successfully with PID: $VAULT_PID"
 
       - name: Start Vault in background (on Windows)
         id: start-vault-windows
@@ -71,64 +51,7 @@ jobs:
           VAULT_ADDR: "https://127.0.0.1:8200"
           VAULT_SKIP_VERIFY: "true"
         run: |
-          # Create directories
+          & "./scripts/vault-start.ps1"
-          New-Item -ItemType Directory -Path ".\vault-data" -Force
-          New-Item -ItemType Directory -Path ".\vault-logs" -Force
-
-          # Start Vault server with output redirected to log file
-          $vaultArgs = @(
-            "server",
-            "-dev",
-            "-dev-tls",
-            "-dev-root-token-id=root",
-            "-dev-listen-address=127.0.0.1:8200"
-          )
-
-          # Start process and capture PID
-          $process = Start-Process -FilePath "vault.exe" `
-            -ArgumentList $vaultArgs `
-            -PassThru `
-            -NoNewWindow `
-            -RedirectStandardOutput "vault-logs/stdout.log" `
-            -RedirectStandardError "vault-logs/stderr.log"
-
-          $process.Id | Out-File -FilePath "vault-pid.txt"
-          Write-Output "Vault process started with PID: $($process.Id)"
-
-          ## Wait for Vault to become ready with timeout
-          $timeout = 30
-          $counter = 0
-          $isReady = $false
-
-          # Set environment variables for current step
-          $env:VAULT_ADDR = "https://127.0.0.1:8200"
-          $env:VAULT_TOKEN = "root"
-          $env:VAULT_SKIP_VERIFY = "true"
-
-          while ($counter -lt $timeout) {
-            try {
-              & "./vault.exe" status 2>$null
-              if ($LASTEXITCODE -eq 0) {
-                $isReady = $true
-                Write-Output "Vault server is ready!"
-                exit 0
-              }
-            } catch {
-              # Ignore errors during startup
-            }
-            Write-Output "Waiting for Vault to start... ($counter/$timeout)"
-            Start-Sleep -Seconds 1
-            $counter++
-          }
-
-          if (-not $isReady) {
-            Write-Output "::error::Vault server failed to start within $timeout seconds"
-            Write-Output "=== VAULT SERVER STDOUT ==="
-            Get-Content "vault-logs/stdout.log" -ErrorAction SilentlyContinue
-            Write-Output "=== VAULT SERVER STDERR ==="
-            Get-Content "vault-logs/stderr.log" -ErrorAction SilentlyContinue
-            exit 1
-          }
 
       - name: Setup Vault test data (on Unix)
         if: matrix.arch != 'windows-amd64'
@@ -139,14 +62,7 @@ jobs:
           VAULT_TOKEN: root
           VAULT_SKIP_VERIFY: "true"
         run: |
-          # Populate our test secrets
+          ./script/vault-setup.sh
-          echo "🔐 Populating test secrets:"
-          vault kv put "${TEST_VAULT_KEY}" data="${TEST_VAULT_VALUE}"
-
-          # Populate our test transit backend with key
-          echo "🔐 Populating test transit backend:"
-          vault secrets enable transit
-          vault write -f transit/keys/test
 
       - name: Setup Vault test data (on Windows)
         if: matrix.arch == 'windows-amd64'
@@ -156,14 +72,7 @@ jobs:
           VAULT_SKIP_VERIFY: "true"
         shell: pwsh
         run: |
-          # Populate our test secrets
+          & "./scripts/vault-setup.ps1"
-          Write-Output "🔐 Populating test secrets:"
-          & "./vault.exe" vault kv put "${{ vars.TEST_VAULT_KEY }}" data="${{ vars.TEST_VAULT_VALUE }}"
-
-          # Populate our test transit backend with key
-          Write-Output "🔐 Populating test transit backend:"
-          & "./vault.exe" vault secrets enable transit
-          & "./vault.exe" vault write -f transit/keys/test
 
       - name: Vet
         run: go vet -v ./...

script/vault-install.ps1

@@ -0,0 +1,7 @@
+$vaultVersion = "1.20.3"
+$vaultUrl = "https://releases.hashicorp.com/vault/$vaultVersion/vault_${vaultVersion}_windows_amd64.zip"
+Write-Output "🌍 Downloading Vault ${vaultVersion}"
+Invoke-WebRequest -Uri $vaultUrl -OutFile "vault.zip"
+Write-Output "⚡️ Extracting vault_${vaultVersion}_windows_amd64.zip"
+Expand-Archive -Path "vault.zip" -DestinationPath .
+& "./vault.exe" version

script/vault-install.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+wget -O - https://apt.releases.hashicorp.com/gpg | \
+    sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs) main" | \
+    sudo tee /etc/apt/sources.list.d/hashicorp.list
+sudo apt-get update && sudo apt-get -y install vault

script/vault-setup.ps1

@@ -0,0 +1,8 @@
+# Populate our test secrets
+Write-Output "🔐 Populating test secrets:"
+& "./vault.exe" vault kv put "${{ vars.TEST_VAULT_KEY }}" data="${{ vars.TEST_VAULT_VALUE }}"
+
+# Populate our test transit backend with key
+Write-Output "🔐 Populating test transit backend:"
+& "./vault.exe" vault secrets enable transit
+& "./vault.exe" vault write -f transit/keys/test

script/vault-setup.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -u
+
+# Populate our test secrets
+echo "🔐 Populating test secrets:"
+vault kv put "${TEST_VAULT_KEY}" data="${TEST_VAULT_VALUE}"
+
+# Populate our test transit backend with key
+echo "🔐 Populating test transit backend:"
+vault secrets enable transit
+vault write -f transit/keys/test

script/vault-start.ps1

@@ -0,0 +1,101 @@
+# Create directories
+New-Item -ItemType Directory -Path ".\vault-data" -Force -ErrorAction SilentlyContinue
+New-Item -ItemType Directory -Path ".\vault-logs" -Force -ErrorAction SilentlyContinue
+
+# Start Vault server
+$vaultArgs = @(
+    "server",
+    "-dev",
+    "-dev-tls",
+    "-dev-root-token-id=root",
+    "-dev-listen-address=127.0.0.1:8200"
+)
+
+Write-Output "✅ Starting Vault server..."
+$process = Start-Process -FilePath ".\vault.exe" `
+    -ArgumentList $vaultArgs `
+    -PassThru `
+    -NoNewWindow `
+    -RedirectStandardOutput "vault-logs/stdout.log" `
+    -RedirectStandardError "vault-logs/stderr.log"
+
+$vaultPid = $process.Id
+Write-Output "✅ Vault process started with PID: $vaultPid"
+
+# Wait for Vault to become ready using port check
+$timeout = 30
+$counter = 0
+$isReady = $false
+$vaultPort = 8200
+
+Write-Output "🕐 Waiting for Vault to start on port $vaultPort..."
+
+while ($counter -lt $timeout) {
+    # Check if process is still running
+    if (-not (Get-Process -Id $vaultPid -ErrorAction SilentlyContinue)) {
+        Write-Output "❌ Vault process died unexpectedly!"
+        break
+    }
+    
+    # Check if port is listening
+    try {
+        $tcpClient = New-Object System.Net.Sockets.TcpClient
+        $asyncResult = $tcpClient.BeginConnect("127.0.0.1", $vaultPort, $null, $null)
+        $wait = $asyncResult.AsyncWaitHandle.WaitOne(1000, $false)
+        if ($wait) {
+            $tcpClient.EndConnect($asyncResult)
+            $tcpClient.Close()
+            $isReady = $true
+            Write-Output "✅ Vault server is listening on port $vaultPort!"
+            break
+        }
+        $tcpClient.Close()
+    } catch {
+        # Port not ready yet
+    }
+    
+    Write-Output "🕐 Waiting for Vault to start... ($counter/$timeout)"
+    Start-Sleep -Seconds 1
+    $counter++
+}
+
+if (-not $isReady) {
+    Write-Output "❌ Vault server failed to start within $timeout seconds"
+    
+    # Show process status
+    Write-Output "=== PROCESS STATUS ==="
+    Get-Process -Id $vaultPid -ErrorAction SilentlyContinue | Format-List *
+    
+    # Show logs
+    Write-Output "=== STDOUT (last 20 lines) ==="
+    Get-Content "vault-logs/stdout.log" -ErrorAction SilentlyContinue | Select-Object -Last 20
+    
+    Write-Output "=== STDERR (last 20 lines) ==="
+    Get-Content "vault-logs/stderr.log" -ErrorAction SilentlyContinue | Select-Object -Last 20
+    
+    # Cleanup
+    Stop-Process -Id $vaultPid -Force -ErrorAction SilentlyContinue
+    exit 1
+}
+
+# Set environment variables
+$env:VAULT_ADDR = "https://127.0.0.1:8200"
+$env:VAULT_TOKEN = "test-token"
+$env:VAULT_SKIP_VERIFY = "true"
+
+# Final check with vault status (with timeout)
+Write-Output "🕐 Performing final status check..."
+$statusCheck = Start-Process -FilePath ".\vault.exe" `
+    -ArgumentList "status" `
+    -PassThru `
+    -NoNewWindow `
+    -Wait `
+    -TimeoutSec 10
+
+if ($LASTEXITCODE -ne 0) {
+    Write-Output "❌ Vault status check failed after startup"
+    Write-Output "❌ Status exit code: $LASTEXITCODE"
+    exit 1
+}
+
+Write-Output "✅ Vault server started successfully!"

script/vault-start.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Start Vault server in background
+echo "🔐 Starting Hashicorp Vault development server"
+vault server -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-tls > vault.log 2>&1 &
+VAULT_PID=$!
+echo $VAULT_PID > vault.pid
+
+sleep 3
+export VAULT_SKIP_VERIFY=true
+if ! vault status; then
+    echo "❌ Vault failed to start. Logs ($(wc -l vault.log) lines):"
+    cat vault.log
+    exit 1
+fi
+
+echo "✅ Vault started successfully with PID: $VAULT_PID"