refactor: move agentrun session policy into yaml

This commit is contained in:
Codex
2026-06-14 17:51:42 +00:00
parent 13c84af59f
commit 961d8f1d43
3 changed files with 212 additions and 36 deletions
+53 -4
View File
@@ -22,6 +22,16 @@ export interface AgentRunLaneSecretSpec {
readonly sourceMode: "env" | "file";
readonly sourceKey: string | null;
readonly targetRef: AgentRunSecretRef;
readonly providerCredentialProfile: string | null;
}
export interface AgentRunProviderCredentialRef {
readonly profile: string;
readonly secretRef: {
readonly namespace: string;
readonly name: string;
readonly keys: readonly string[];
};
}
export interface AgentRunLaneSpec {
@@ -193,10 +203,6 @@ export function resolveAgentRunLaneTarget(options: { node?: string | null; lane?
return { configPath: config.sourcePath, spec };
}
export function agentRunDefaultProviderId(env: NodeJS.ProcessEnv = process.env): string {
return resolveAgentRunLaneTarget({}, env).spec.nodeId;
}
export function agentRunLaneSummary(spec: AgentRunLaneSpec): Record<string, unknown> {
return {
node: {
@@ -306,11 +312,43 @@ export function agentRunLaneSummary(spec: AgentRunLaneSpec): Record<string, unkn
sourceMode: secret.sourceMode,
sourceKey: secret.sourceKey,
targetRef: secret.targetRef,
providerCredential: secret.providerCredentialProfile === null ? null : { profile: secret.providerCredentialProfile },
valuesPrinted: false,
})),
providerCredentials: agentRunProviderCredentialRefs(spec).map((credential) => ({
profile: credential.profile,
secretRef: credential.secretRef,
valuesPrinted: false,
})),
};
}
export function agentRunProviderCredentialRefs(spec: AgentRunLaneSpec, profile?: string | null): readonly AgentRunProviderCredentialRef[] {
const groups = new Map<string, { profile: string; namespace: string; name: string; keys: string[] }>();
for (const secret of spec.secrets) {
const credentialProfile = secret.providerCredentialProfile;
if (credentialProfile === null) continue;
if (profile !== undefined && profile !== null && credentialProfile !== profile) continue;
const groupKey = `${credentialProfile}\0${secret.targetRef.namespace}\0${secret.targetRef.name}`;
const group = groups.get(groupKey) ?? {
profile: credentialProfile,
namespace: secret.targetRef.namespace,
name: secret.targetRef.name,
keys: [],
};
if (!group.keys.includes(secret.targetRef.key)) group.keys.push(secret.targetRef.key);
groups.set(groupKey, group);
}
return Array.from(groups.values()).map((group) => ({
profile: group.profile,
secretRef: {
namespace: group.namespace,
name: group.name,
keys: group.keys,
},
}));
}
export function agentRunPipelineRunName(spec: AgentRunLaneSpec, sourceCommit: string): string {
return `${spec.ci.pipelineRunPrefix}-${sourceCommit.slice(0, 12)}`;
}
@@ -531,15 +569,26 @@ function parseLaneSecret(input: Record<string, unknown>, path: string): AgentRun
if (sourceMode !== "env" && sourceMode !== "file") throw new Error(`${path}.sourceMode must be env or file`);
const sourceKey = optionalStringField(input, "sourceKey", path) ?? null;
if (sourceMode === "env" && sourceKey === null) throw new Error(`${path}.sourceKey is required when sourceMode is env`);
const providerCredential = parseProviderCredentialBinding(input, `${path}.providerCredential`);
return {
id: stringField(input, "id", path),
sourceRef: secretSourceRefField(input, "sourceRef", path),
sourceMode,
sourceKey,
targetRef: parseNamespacedSecretRef(recordField(input, "targetRef", path), `${path}.targetRef`),
providerCredentialProfile: providerCredential,
};
}
function parseProviderCredentialBinding(input: Record<string, unknown>, path: string): string | null {
const value = input.providerCredential;
if (value === undefined || value === null) return null;
const record = asRecord(value, path);
const profile = stringField(record, "profile", path);
validateSimpleId(profile, path);
return profile;
}
function parseGitMirrorRepository(input: Record<string, unknown>, path: string): AgentRunGitMirrorRepositorySpec {
const gitopsBranch = optionalStringField(input, "gitopsBranch", path);
return {