test: isolate repository credential status fixtures
This commit is contained in:
@@ -4,7 +4,34 @@ import {
|
||||
readGiteaConfig,
|
||||
resolveTarget,
|
||||
} from "./platform-infra-gitea-config";
|
||||
import { renderManifest } from "./platform-infra-gitea";
|
||||
import { buildMirrorWebhookCredentialBlockedResult, renderManifest } from "./platform-infra-gitea";
|
||||
import { renderMirrorWebhookCredentialBlocked } from "./platform-infra-gitea-render";
|
||||
|
||||
function syntheticMissingSelfmediaCredential(): Record<string, unknown> {
|
||||
return {
|
||||
id: "github-upstream:selfmedia-nc01",
|
||||
repository: "pikainc/selfmedia",
|
||||
sourceRef: "pikainc-selfmedia-gh-token.txt",
|
||||
present: false,
|
||||
requiredKeysPresent: false,
|
||||
fingerprint: null,
|
||||
permissionResult: {
|
||||
status: "blocked-missing-credential",
|
||||
permissions: { contents: "read", metadata: "read", webhooks: "read-write" },
|
||||
error: "credential material is absent",
|
||||
},
|
||||
valuesPrinted: false,
|
||||
};
|
||||
}
|
||||
|
||||
function syntheticBlockedResult(allTargetRepositories = false): Record<string, unknown> {
|
||||
const config = readGiteaConfig();
|
||||
const target = resolveTarget(config, "NC01");
|
||||
const repositories = config.sourceAuthority.repositories.filter((repo) => repo.targetId === "NC01"
|
||||
&& (allTargetRepositories || repo.key === "selfmedia-nc01"));
|
||||
const credential = syntheticMissingSelfmediaCredential();
|
||||
return buildMirrorWebhookCredentialBlockedResult(config, target, repositories, [credential], [String(credential.id)]);
|
||||
}
|
||||
|
||||
describe("platform-infra Gitea repository GitHub credentials", () => {
|
||||
test("keeps the global credential and selfmedia override on distinct Secret keys", () => {
|
||||
@@ -40,39 +67,25 @@ describe("platform-infra Gitea repository GitHub credentials", () => {
|
||||
|
||||
test("does not inject the NC01 selfmedia token into JD01 bridge containers", () => {
|
||||
const config = readGiteaConfig();
|
||||
const tokenEnv = githubTokenEnvNameForSecretKey("github-token-pikainc-selfmedia");
|
||||
const selfmediaTokenEnv = githubTokenEnvNameForSecretKey("github-token-pikainc-selfmedia");
|
||||
const globalTokenEnv = githubTokenEnvNameForSecretKey(config.sourceAuthority.credentials.github.gitFetchCredential.secretRef.key);
|
||||
const jd01Manifest = renderManifest(config, resolveTarget(config, "JD01"));
|
||||
const nc01Manifest = renderManifest(config, resolveTarget(config, "NC01"));
|
||||
|
||||
expect(jd01Manifest).not.toContain(tokenEnv);
|
||||
expect(nc01Manifest).toContain(tokenEnv);
|
||||
expect(jd01Manifest).toContain(globalTokenEnv);
|
||||
expect(jd01Manifest).not.toContain(selfmediaTokenEnv);
|
||||
expect(nc01Manifest).toContain(globalTokenEnv);
|
||||
expect(nc01Manifest).toContain(selfmediaTokenEnv);
|
||||
expect(nc01Manifest).toContain(`"tokenEnv": "${selfmediaTokenEnv}"`);
|
||||
});
|
||||
|
||||
test("keeps missing selfmedia webhook status bounded and stack-free", () => {
|
||||
const result = Bun.spawnSync({
|
||||
cmd: [
|
||||
"bun",
|
||||
"scripts/cli.ts",
|
||||
"platform-infra",
|
||||
"gitea",
|
||||
"mirror",
|
||||
"webhook",
|
||||
"status",
|
||||
"--target",
|
||||
"NC01",
|
||||
"--repo",
|
||||
"selfmedia-nc01",
|
||||
"--full",
|
||||
],
|
||||
stdout: "pipe",
|
||||
stderr: "pipe",
|
||||
});
|
||||
const stdout = result.stdout.toString();
|
||||
const payload = JSON.parse(stdout);
|
||||
const credentials = payload.data.credentials as Array<Record<string, unknown>>;
|
||||
const selfmedia = credentials.find((item) => item.id === "github-upstream:selfmedia-nc01");
|
||||
const payload = syntheticBlockedResult();
|
||||
const credentials = payload.credentials as Array<Record<string, unknown>>;
|
||||
const selfmedia = credentials[0];
|
||||
const serialized = JSON.stringify(payload);
|
||||
|
||||
expect(payload.data.error.code).toBe("github-credential-unavailable");
|
||||
expect((payload.error as Record<string, unknown>).code).toBe("github-credential-unavailable");
|
||||
expect(selfmedia).toMatchObject({
|
||||
sourceRef: "pikainc-selfmedia-gh-token.txt",
|
||||
present: false,
|
||||
@@ -80,29 +93,12 @@ describe("platform-infra Gitea repository GitHub credentials", () => {
|
||||
valuesPrinted: false,
|
||||
});
|
||||
expect(selfmedia).not.toHaveProperty("sourcePath");
|
||||
expect(stdout).not.toContain('"stack"');
|
||||
expect(result.stderr.toString()).not.toContain("platform-infra-gitea.ts:");
|
||||
expect(serialized).not.toContain('"stack"');
|
||||
expect(serialized).not.toContain("/root/.worktrees/");
|
||||
});
|
||||
|
||||
test("renders missing selfmedia webhook status as compact text by default", () => {
|
||||
const result = Bun.spawnSync({
|
||||
cmd: [
|
||||
"bun",
|
||||
"scripts/cli.ts",
|
||||
"platform-infra",
|
||||
"gitea",
|
||||
"mirror",
|
||||
"webhook",
|
||||
"status",
|
||||
"--target",
|
||||
"NC01",
|
||||
"--repo",
|
||||
"selfmedia-nc01",
|
||||
],
|
||||
stdout: "pipe",
|
||||
stderr: "pipe",
|
||||
});
|
||||
const stdout = result.stdout.toString();
|
||||
const stdout = renderMirrorWebhookCredentialBlocked(syntheticBlockedResult()).renderedText;
|
||||
|
||||
expect(stdout).toContain("PLATFORM-INFRA GITEA MIRROR WEBHOOK STATUS");
|
||||
expect(stdout).toContain("SOURCE_REF");
|
||||
@@ -111,26 +107,10 @@ describe("platform-infra Gitea repository GitHub credentials", () => {
|
||||
expect(stdout).toContain("github-upstream:selfmedia-nc01");
|
||||
expect(stdout.trimStart()).not.toStartWith("{");
|
||||
expect(stdout).not.toContain('"stack"');
|
||||
expect(result.stderr.toString()).not.toContain("platform-infra-gitea.ts:");
|
||||
});
|
||||
|
||||
test("matches compact blocker rows to their repository without --repo", () => {
|
||||
const result = Bun.spawnSync({
|
||||
cmd: [
|
||||
"bun",
|
||||
"scripts/cli.ts",
|
||||
"platform-infra",
|
||||
"gitea",
|
||||
"mirror",
|
||||
"webhook",
|
||||
"status",
|
||||
"--target",
|
||||
"NC01",
|
||||
],
|
||||
stdout: "pipe",
|
||||
stderr: "pipe",
|
||||
});
|
||||
const stdout = result.stdout.toString();
|
||||
const stdout = renderMirrorWebhookCredentialBlocked(syntheticBlockedResult(true)).renderedText;
|
||||
|
||||
expect(stdout).toContain("pikainc/selfmedia");
|
||||
expect(stdout).toContain("pikainc-selfmedia-gh-token.txt");
|
||||
|
||||
@@ -475,20 +475,7 @@ async function mirrorWebhookStatus(config: UniDeskConfig, options: MirrorWebhook
|
||||
const repos = selectedRepositories(gitea, target, options.repoKey);
|
||||
const credentials = credentialSummaries(gitea, repos);
|
||||
const blockers = credentialBlockers(credentials);
|
||||
if (blockers.length > 0) {
|
||||
return {
|
||||
ok: false,
|
||||
action: "platform-infra-gitea-mirror-webhook-status",
|
||||
mutation: false,
|
||||
credentialBlocked: true,
|
||||
target: targetSummary(target),
|
||||
webhook: webhookSyncSummary(gitea, target),
|
||||
repositories: repos.map((repo) => repositorySummary(gitea, repo)),
|
||||
credentials,
|
||||
error: { code: "github-credential-unavailable", blockers, valuesPrinted: false },
|
||||
next: mirrorReadOnlyNextCommands(target.id),
|
||||
};
|
||||
}
|
||||
if (blockers.length > 0) return buildMirrorWebhookCredentialBlockedResult(gitea, target, repos, credentials, blockers);
|
||||
const secrets = ensureMirrorSecrets(gitea, target, repos, false, false, false);
|
||||
const result = await capture(config, target.route, ["sh"], remoteScript("mirror-webhook-status", gitea, target, "", { ...options, confirm: false, dryRun: true, wait: false }, { repos, secrets }).script);
|
||||
const parsed = parseJsonOutput(result.stdout);
|
||||
@@ -508,6 +495,27 @@ async function mirrorWebhookStatus(config: UniDeskConfig, options: MirrorWebhook
|
||||
};
|
||||
}
|
||||
|
||||
export function buildMirrorWebhookCredentialBlockedResult(
|
||||
gitea: GiteaConfig,
|
||||
target: GiteaTarget,
|
||||
repos: GiteaMirrorRepository[],
|
||||
credentials: Array<Record<string, unknown>>,
|
||||
blockers: string[],
|
||||
): Record<string, unknown> {
|
||||
return {
|
||||
ok: false,
|
||||
action: "platform-infra-gitea-mirror-webhook-status",
|
||||
mutation: false,
|
||||
credentialBlocked: true,
|
||||
target: targetSummary(target),
|
||||
webhook: webhookSyncSummary(gitea, target),
|
||||
repositories: repos.map((repo) => repositorySummary(gitea, repo)),
|
||||
credentials,
|
||||
error: { code: "github-credential-unavailable", blockers, valuesPrinted: false },
|
||||
next: mirrorReadOnlyNextCommands(target.id),
|
||||
};
|
||||
}
|
||||
|
||||
export function renderManifest(gitea: GiteaConfig, target: GiteaTarget): string {
|
||||
const app = gitea.app;
|
||||
const image = `${app.image.repository}:${app.image.tag}`;
|
||||
|
||||
Reference in New Issue
Block a user