fix: grant provider profile secret rbac

This commit is contained in:
Codex
2026-06-05 16:23:33 +08:00
parent aef9a66a11
commit 8099207353
2 changed files with 33 additions and 2 deletions
@@ -10,6 +10,13 @@ import { assertNoSecretLeak, type SelfTestCase } from "../harness.js";
const secretText = "sk-selftest-provider-profile-secret";
const selfTest: SelfTestCase = async (context) => {
const gitopsRenderer = await readFile(path.join(context.root, "scripts/src/gitops-render.ts"), "utf8");
assert.equal(gitopsRenderer.includes("agentrun-v01-mgr-provider-secret-manager"), true);
assert.equal(gitopsRenderer.includes('verbs: ["get", "patch", "update"]'), true);
for (const profile of ["codex", "deepseek", "minimax-m3"]) {
assert.equal(gitopsRenderer.includes(`agentrun-v01-provider-${profile}`), true);
}
const fakeKubectl = path.join(context.tmp, "fake-provider-kubectl.js");
const appliedManifestPath = path.join(context.tmp, "provider-secret-apply.json");
const createdJobPath = path.join(context.tmp, "provider-validation-job.json");
@@ -102,7 +109,7 @@ process.exit(1);
assert.equal(finalValidation.status, "completed");
assert.equal(JSON.stringify(finalValidation).includes(secretText), false);
assertNoSecretLeak(finalValidation);
return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-deepseek-moon-bridge", "provider-profile-validation-runner-job"] };
return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-deepseek-moon-bridge", "provider-profile-manager-secret-rbac", "provider-profile-validation-runner-job"] };
} finally {
await new Promise<void>((resolve) => server.server.close(() => resolve()));
}