import { spawnSync } from "node:child_process"; import { mkdtempSync, rmSync, writeFileSync } from "node:fs"; import { tmpdir } from "node:os"; import { join } from "node:path"; type JsonRecord = Record; interface CliResult { status: number | null; ok: boolean; json: JsonRecord | null; stdoutBytes: number; stderrBytes: number; stdoutPreview?: string; stderrPreview?: string; } const DEFAULT_REPO = "pikasTech/unidesk"; const DEFAULT_BASE = "master"; const DEFAULT_HEAD = "code-queue/pr-preflight-example"; const DEFAULT_COMMENT_PR = "1"; const PREVIEW_CHARS = 400; function optionValue(args: string[], name: string, defaultValue: string): string { const index = args.indexOf(name); if (index === -1) return defaultValue; const value = args[index + 1]; if (value === undefined || value.length === 0 || value.startsWith("--")) throw new Error(`${name} requires a value`); return value; } function secrets(): string[] { return [process.env.GH_TOKEN, process.env.GITHUB_TOKEN].filter((value): value is string => value !== undefined && value.length > 0); } function redactText(text: string): string { let redacted = text; for (const secret of secrets()) { redacted = redacted.split(secret).join(""); } return redacted; } function redactUnknown(value: unknown): unknown { if (typeof value === "string") return redactText(value); if (Array.isArray(value)) return value.map(redactUnknown); if (typeof value === "object" && value !== null) { const entries = Object.entries(value).map(([key, entry]) => [key, redactUnknown(entry)]); return Object.fromEntries(entries); } return value; } function preview(text: string): string { return redactText(text.length > PREVIEW_CHARS ? `${text.slice(0, PREVIEW_CHARS)}...` : text); } function runCli(args: string[]): CliResult { const result = spawnSync("bun", ["scripts/cli.ts", ...args], { cwd: process.cwd(), env: process.env, encoding: "utf8", timeout: 30_000, }); const stdout = result.stdout ?? ""; const stderr = result.stderr ?? ""; let json: JsonRecord | null = null; try { json = redactUnknown(JSON.parse(stdout) as unknown) as JsonRecord; } catch { json = null; } return { status: result.status, ok: result.status === 0 && json?.ok === true, json, stdoutBytes: Buffer.byteLength(stdout), stderrBytes: Buffer.byteLength(stderr), ...(json === null && stdout.length > 0 ? { stdoutPreview: preview(stdout) } : {}), ...(stderr.length > 0 ? { stderrPreview: preview(stderr) } : {}), }; } function dataOf(result: CliResult): JsonRecord | null { const data = result.json?.data; return typeof data === "object" && data !== null && !Array.isArray(data) ? data as JsonRecord : null; } function envTokenProbe(): JsonRecord { if (process.env.GH_TOKEN && process.env.GH_TOKEN.length > 0) return { ok: true, present: true, source: "GH_TOKEN" }; if (process.env.GITHUB_TOKEN && process.env.GITHUB_TOKEN.length > 0) return { ok: true, present: true, source: "GITHUB_TOKEN" }; return { ok: false, present: false, source: null, message: "Runner PR workflow requires GH_TOKEN or GITHUB_TOKEN in the environment; token values must never be printed.", }; } function dryRunSummary(result: CliResult): JsonRecord { const data = dataOf(result); return { ok: result.ok, status: result.status, stdoutBytes: result.stdoutBytes, stderrBytes: result.stderrBytes, ...(data === null ? {} : { command: data.command, dryRun: data.dryRun, planned: data.planned, repo: data.repo, base: data.base, head: data.head, issueNumber: data.issueNumber, bodyChars: data.bodyChars, request: data.request, }), ...(result.stdoutPreview === undefined ? {} : { stdoutPreview: result.stdoutPreview }), ...(result.stderrPreview === undefined ? {} : { stderrPreview: result.stderrPreview }), }; } function main(): void { const args = process.argv.slice(2); if (args.includes("--help") || args.includes("-h")) { process.stdout.write(`${JSON.stringify({ ok: true, command: "code-queue-pr-preflight-example", usage: "bun scripts/code-queue-pr-preflight-example.ts [--repo owner/name] [--base branch] [--head branch] [--comment-pr number]", note: "Read-only/dry-run runner preflight. It checks GH_TOKEN/GITHUB_TOKEN presence, GitHub REST egress and repo visibility through gh auth status, then exercises PR create/comment dry-run paths without creating or merging a PR.", }, null, 2)}\n`); return; } const repo = optionValue(args, "--repo", DEFAULT_REPO); const base = optionValue(args, "--base", DEFAULT_BASE); const head = optionValue(args, "--head", process.env.CODE_QUEUE_HEAD_BRANCH ?? DEFAULT_HEAD); const commentPr = optionValue(args, "--comment-pr", DEFAULT_COMMENT_PR); const tmp = mkdtempSync(join(tmpdir(), "unidesk-pr-preflight-")); const bodyFile = join(tmp, "body.md"); writeFileSync(bodyFile, [ "# Code Queue PR preflight", "", "This file is used only for local dry-run planning.", "", ].join("\n"), "utf8"); try { const token = envTokenProbe(); const auth = runCli(["gh", "auth", "status", "--repo", repo]); const createDryRun = runCli([ "gh", "pr", "create", "--repo", repo, "--title", "Code Queue PR preflight dry run", "--body-file", bodyFile, "--base", base, "--head", head, "--dry-run", ]); const commentDryRun = runCli([ "gh", "pr", "comment", commentPr, "--repo", repo, "--body-file", bodyFile, "--dry-run", ]); const authData = dataOf(auth); const ok = token.ok === true && auth.ok && createDryRun.ok && commentDryRun.ok; process.stdout.write(`${JSON.stringify({ ok, command: "code-queue-pr-preflight-example", repo, base, head, commentPr, checks: { envToken: token, githubAuthStatus: { ok: auth.ok, status: auth.status, stdoutBytes: auth.stdoutBytes, stderrBytes: auth.stderrBytes, ...(authData === null ? {} : { degraded: authData.degraded, token: authData.token, probes: authData.probes, restFallback: authData.restFallback, }), ...(auth.stdoutPreview === undefined ? {} : { stdoutPreview: auth.stdoutPreview }), ...(auth.stderrPreview === undefined ? {} : { stderrPreview: auth.stderrPreview }), }, prCreateDryRun: dryRunSummary(createDryRun), prCommentDryRun: dryRunSummary(commentDryRun), }, safety: { writesRemote: false, createsPullRequest: false, commentsPullRequest: false, mergesPullRequest: false, tokenValuesPrinted: false, }, }, null, 2)}\n`); if (!ok) process.exitCode = 1; } finally { rmSync(tmp, { recursive: true, force: true }); } } try { main(); } catch (error) { process.stdout.write(`${JSON.stringify({ ok: false, command: "code-queue-pr-preflight-example", error: redactText(error instanceof Error ? error.message : String(error)), }, null, 2)}\n`); process.exitCode = 1; }