fix: 修正 PaC 相同 revision 状态判定

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Codex
2026-07-14 19:07:41 +02:00
parent f4aec43c80
commit 23cfc5e9cb
3 changed files with 104 additions and 4 deletions
@@ -15,6 +15,7 @@ const evaluator = createRequire(import.meta.url)("../native/cicd/pac-status-eval
evaluatePacAdmissionState: (input: Record<string, unknown>) => Record<string, any>;
evaluatePacStatus: (input: Record<string, unknown>) => Record<string, any>;
extractPacArtifactEvidence: (records: unknown[], logText: string) => Record<string, any>;
normalizeGitopsRevisionRelation: (input: Record<string, unknown>) => Record<string, any>;
taskTerminalRecord: (taskRun: Record<string, unknown>) => Record<string, any> | null;
runPacStatusFixtureChecks: () => { ok: boolean; checks: Array<{ id: string; ok: boolean }> };
};
@@ -347,11 +348,41 @@ test("AgentRun rendered delivery plan and real TaskRun terminals close the statu
test("provenance fixtures fail closed for pre-bootstrap, forged marker, wrong SA, and policy mismatch", () => {
const result = evaluator.runPacStatusFixtureChecks();
expect(result.ok).toBe(true);
for (const id of ["gitops-only-registry-not-configured", "image-registry-missing-fails-closed", "admission-provenance-verified", "pre-bootstrap-run-fails-closed", "forged-name-candidate-fails-closed", "forged-label-candidate-fails-closed", "forged-pipeline-ref-candidate-fails-closed", "wrong-service-account-fails-closed", "policy-identity-mismatch-fails-closed"]) {
for (const id of ["gitops-only-registry-not-configured", "image-registry-missing-fails-closed", "equal-revisions-ignore-owning-git-fetch-failure", "different-revisions-fetch-failure-remains-unknown", "admission-provenance-verified", "pre-bootstrap-run-fails-closed", "forged-name-candidate-fails-closed", "forged-label-candidate-fails-closed", "forged-pipeline-ref-candidate-fails-closed", "wrong-service-account-fails-closed", "policy-identity-mismatch-fails-closed"]) {
expect(result.checks.find((item) => item.id === id)?.ok).toBe(true);
}
});
test("equal GitOps revisions stay exact when the supplemental owning Git fetch fails", () => {
const revision = "b".repeat(40);
const raw = {
relation: "unknown",
expectedRevision: revision,
observedRevision: revision,
proof: "unavailable",
reason: "owning-git-fetch-failed",
fetchOk: false,
};
const normalized = evaluator.normalizeGitopsRevisionRelation(raw);
expect(normalized).toMatchObject({
relation: "exact",
proof: "direct-revision-equality",
reason: "revisions-equal",
contextReason: "owning-git-fetch-failed",
warnings: [{
warning: true,
blocking: false,
code: "pac-owning-git-fetch-failed",
mutation: false,
valuesPrinted: false,
}],
valuesPrinted: false,
});
expect(evaluator.normalizeGitopsRevisionRelation(normalized)).toEqual(normalized);
const remote = readFileSync(resolve(root, "scripts/src/platform-infra-pipelines-as-code-remote.sh"), "utf8");
expect(remote).toContain("normalizeGitopsRevisionRelation({");
});
test("history evaluates admission and default RBAC in each consumer namespace", () => {
const remote = readFileSync(resolve(root, "scripts/src/platform-infra-pipelines-as-code-remote.sh"), "utf8");
expect(remote).toContain("consumer.admissionState = admissionStateForConsumer(consumer)");
@@ -1258,7 +1258,8 @@ NODE
UNIDESK_PAC_GITOPS_PROOF="$proof" \
UNIDESK_PAC_GITOPS_REASON="$reason" \
UNIDESK_PAC_GITOPS_FETCH_OK="$fetch_ok" node <<'NODE'
process.stdout.write(JSON.stringify({
const { normalizeGitopsRevisionRelation } = require(process.env.UNIDESK_PAC_EVALUATOR_PATH);
process.stdout.write(JSON.stringify(normalizeGitopsRevisionRelation({
relation: process.env.UNIDESK_PAC_GITOPS_RELATION || 'unknown',
expectedRevision: process.env.UNIDESK_PAC_GITOPS_EXPECTED || null,
observedRevision: process.env.UNIDESK_PAC_GITOPS_OBSERVED || null,
@@ -1272,7 +1273,7 @@ process.stdout.write(JSON.stringify({
reason: process.env.UNIDESK_PAC_GITOPS_REASON || null,
fetchOk: process.env.UNIDESK_PAC_GITOPS_FETCH_OK === 'true',
valuesPrinted: false,
}));
})));
NODE
}