fix(ci): airlock smoke test runs on PRs and binds broker to IPAddress.Any

.github/workflows/publish.yml

@@ -523,20 +523,19 @@ jobs:
           cache-from: type=registry,ref=ghcr.io/${{ needs.prepare-versions.outputs.repo_name }}:copilot-${{ matrix.image }},mode=max
           cache-to: type=inline
 
-  # Full airlock + DinD smoke test using the freshly published proxy and
-  # default app images. This is the unblocker test from issue #20: it spins
-  # up a real airlock compose project, points the workload at the broker via
-  # the proxy bridge, and verifies that spawned siblings get the airlock
-  # NetworkMode injected via Phase 2 body inspection.
+  # Full airlock + DinD smoke test. Spins up a real airlock compose project,
+  # points the workload at the broker via the proxy bridge, and verifies that
+  # spawned siblings get the airlock NetworkMode injected via Phase 2 body
+  # inspection. This is the unblocker test from issue #20.
   #
-  # Only runs on main because it depends on build-proxy and build-images
-  # having pushed the canonical sha-tagged images. PRs are covered by the
-  # cheaper integration-tests-broker job above.
+  # Builds the proxy + default app images LOCALLY via dev-build.sh so the job
+  # can run on every PR without depending on the published ghcr tags (which
+  # are main-only). On the order of ~5 minutes for the image build, plus
+  # ~30 seconds for the test itself.
   integration-tests-airlock:
     name: Integration Tests (Airlock)
-    needs: [build-proxy, build-images, prepare-versions]
+    needs: [test-cli]
     runs-on: ubuntu-24.04
-    if: github.ref == 'refs/heads/main'
     steps:
       - name: Checkout repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -546,24 +545,23 @@ jobs:
         with:
           global-json-file: global.json
 
-      - name: Log in to the Container registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Pre-pull alpine (sibling target)
+        run: docker pull alpine:3.21
 
-      - name: Pre-pull test images
+      - name: Build proxy + default app images locally
         run: |
-          docker pull alpine:3.21
-          docker pull ghcr.io/${{ needs.prepare-versions.outputs.repo_name }}:proxy-sha-${{ github.sha }}
-          docker pull ghcr.io/${{ needs.prepare-versions.outputs.repo_name }}:copilot-default-sha-${{ github.sha }}
+          chmod +x ./dev-build.sh
+          ./dev-build.sh
 
       - name: Run integration tests (airlock + dind)
         env:
           RUN_LIVE_DOCKER_TESTS: "1"
-          COPILOT_HERE_PROXY_IMAGE: ghcr.io/${{ needs.prepare-versions.outputs.repo_name }}:proxy-sha-${{ github.sha }}
-          COPILOT_HERE_APP_IMAGE: ghcr.io/${{ needs.prepare-versions.outputs.repo_name }}:copilot-default-sha-${{ github.sha }}
+          # dev-build.sh tags the proxy as :proxy and the default app image
+          # as :latest / :copilot-latest. Point the smoke test at those
+          # local tags via the override env vars (the test skips when both
+          # are unset to avoid running against random pulls).
+          COPILOT_HERE_PROXY_IMAGE: ghcr.io/gordonbeeming/copilot_here:proxy
+          COPILOT_HERE_APP_IMAGE: ghcr.io/gordonbeeming/copilot_here:latest
         working-directory: tests/CopilotHere.IntegrationTests
         run: dotnet run --configuration Release
 

tests/CopilotHere.IntegrationTests/AirlockSmokeTests.cs

@@ -61,10 +61,16 @@ public async Task AirlockComposeWithBroker_SpawnsSiblingOnAirlockNetwork()
     var projectName = $"copilot-airlock-it-{sessionId}";
     var logPath = Path.Combine(Path.GetTempPath(), $"airlock-broker-{sessionId}.jsonl");
 
+    // Bind to IPAddress.Any so the proxy container's socat bridge can reach
+    // the broker. The proxy container resolves host.docker.internal via
+    // host-gateway, which on Linux runners points at the docker bridge IP
+    // (e.g. 172.17.0.1) — a loopback-only listener can't accept connections
+    // from there. macOS / OrbStack would route loopback magically, Linux CI
+    // does not. Same fix as BrokerSmokeTests.
     await using var broker = new DockerSocketBroker(
       rules,
       hostSocket,
-      BrokerListenEndpoint.Tcp(IPAddress.Loopback, 0),
+      BrokerListenEndpoint.Tcp(IPAddress.Any, 0),
       logPath);
     await broker.StartAsync(CancellationToken.None);