From ad05e6db7f99ce9f02c0750989b84d03de068d01 Mon Sep 17 00:00:00 2001 
From: "Molecule AI Dev Engineer A (Kimi)" Date: Wed, 3 Jun 2026 19:12:02 +0000 Subject: [PATCH 1/2] test(integration): close fail-open routes in handler Postgres integration tests (#2166 blocker #2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Step A — Go-level fail-closed** Extract a shared `requireIntegrationDBURL(t)` helper into `integration_helper_test.go` (build-tag: integration). The helper: - Returns $INTEGRATION_DB_URL when present - Calls `t.Fatalf` when the URL is empty AND any CI marker is set (`CI`, `GITHUB_ACTIONS`, or `GITEA_ACTIONS`), preventing a silent skip-to-green in CI - Calls `t.Skip` when the URL is empty AND no CI marker is set, preserving the local-dev ergonomics Update all three integration test files to use the shared helper: - delegation_ledger_integration_test.go - pending_uploads_integration_test.go - workspace_create_name_integration_test.go This closes the Go-level fail-open where a missing INTEGRATION_DB_URL in CI would cause every integration test to skip and report PASS. **Step C — Workflow bash preflight** Add a `Preflight — INTEGRATION_DB_URL must be present` step in `.gitea/workflows/handlers-postgres-integration.yml` immediately before the `go test` invocation. If the postgres-start step failed to export the variable, the preflight exits 1 with `::error::` so the job fails loud before the test binary can even start. **Step B — Workflow CoE mask** ALREADY FIXED in current main: both `detect-changes` and `integration` jobs have `continue-on-error: false` (lines 93 and 125). The context is already listed in `audit-force-merge.yml` REQUIRED_CHECKS_JSON for `main`. 
Co-Authored-By: Claude Opus 4.7
---
 .../handlers-postgres-integration.yml | 13 ++++++
 .../delegation_ledger_integration_test.go | 6 +--
 .../handlers/integration_helper_test.go | 40 +++++++++++++++++++
 .../pending_uploads_integration_test.go | 6 +--
 .../workspace_create_name_integration_test.go | 6 +--
 5 files changed, 56 insertions(+), 15 deletions(-)
 create mode 100644 workspace-server/internal/handlers/integration_helper_test.go
diff --git a/.gitea/workflows/handlers-postgres-integration.yml b/.gitea/workflows/handlers-postgres-integration.yml
index 21f6e0a96..42e76e89d 100644
--- a/.gitea/workflows/handlers-postgres-integration.yml
+++ b/.gitea/workflows/handlers-postgres-integration.yml
@@ -253,6 +253,19 @@ jobs:
 echo "✓ $tbl table present"
 done
+ - if: needs.detect-changes.outputs.handlers == 'true'
+ name: Preflight — INTEGRATION_DB_URL must be present
+ run: |
+ # Belt-and-suspenders: if the postgres-start step failed to
+ # export INTEGRATION_DB_URL, fail loud BEFORE go test can
+ # t.Skip its way to a green build. Closes the workflow-level
+ # fail-open gap identified in PR #2166 blocker #2.
+ if [ -z "${INTEGRATION_DB_URL:-}" ]; then
+ echo "::error::INTEGRATION_DB_URL is empty — postgres-start step did not export the connection string"
+ exit 1
+ fi
+ echo "INTEGRATION_DB_URL is set (${INTEGRATION_DB_URL%%@*}@...)"
+
 - if: needs.detect-changes.outputs.handlers == 'true'
 name: Run integration tests
 run: |
diff --git a/workspace-server/internal/handlers/delegation_ledger_integration_test.go b/workspace-server/internal/handlers/delegation_ledger_integration_test.go
index 97da5a524..fb0bf85e7 100644
--- a/workspace-server/internal/handlers/delegation_ledger_integration_test.go
+++ b/workspace-server/internal/handlers/delegation_ledger_integration_test.go
@@ -36,7 +36,6 @@ package handlers
 import (
 "context"
 "database/sql"
- "os"
 "strings"
 "testing"
 "time"
@@ -57,10 +56,7 @@ import (
 // directly rather than going through the package global.
 func integrationDB(t *testing.T) *sql.DB {
 t.Helper()
- url := os.Getenv("INTEGRATION_DB_URL")
- if url == "" {
- t.Skip("INTEGRATION_DB_URL not set; skipping (local devs: see file header)")
- }
+ url := requireIntegrationDBURL(t)
 conn, err := sql.Open("postgres", url)
 if err != nil {
 t.Fatalf("open: %v", err)
diff --git a/workspace-server/internal/handlers/integration_helper_test.go b/workspace-server/internal/handlers/integration_helper_test.go
new file mode 100644
index 000000000..e3d99b858
--- /dev/null
+++ b/workspace-server/internal/handlers/integration_helper_test.go
@@ -0,0 +1,40 @@
+//go:build integration
+// +build integration
+
+// integration_helper_test.go — shared preflight for handler Postgres
+// integration tests. Extracted so the fail-open/skip logic is in ONE place
+// and can be tightened without editing every integration test file.
+//
+// See delegation_ledger_integration_test.go for the docker-postgres setup
+// incantation used by local devs.
+
+package handlers
+
+import (
+ "os"
+ "testing"
+)
+
+// requireIntegrationDBURL returns $INTEGRATION_DB_URL.
+//
+// In CI (CI, GITHUB_ACTIONS, or GITEA_ACTIONS env var is non-empty), an
+// empty URL is a fatal error — it means the workflow failed to export the
+// variable (postgres container did not start, bridge IP resolution failed,
+// or a regression in the workflow YAML). t.Fatalf keeps the test red so the
+// failure is visible; t.Skip would silently pass and mask the defect.
+//
+// Locally (none of the three CI markers set), an empty URL skips the test
+// so devs can run `go test ./...` without booting a Postgres container.
+func requireIntegrationDBURL(t *testing.T) string {
+ t.Helper()
+ url := os.Getenv("INTEGRATION_DB_URL")
+ if url == "" {
+ if os.Getenv("CI") != "" ||
+ os.Getenv("GITHUB_ACTIONS") != "" ||
+ os.Getenv("GITEA_ACTIONS") != "" {
+ t.Fatalf("INTEGRATION_DB_URL required in CI handler integration tests — check workflow env export")
+ }
+ t.Skip("INTEGRATION_DB_URL not set; skipping (local devs: see file header)")
+ }
+ return url
+}
diff --git a/workspace-server/internal/handlers/pending_uploads_integration_test.go b/workspace-server/internal/handlers/pending_uploads_integration_test.go
index 0e0d74fcd..a16704596 100644
--- a/workspace-server/internal/handlers/pending_uploads_integration_test.go
+++ b/workspace-server/internal/handlers/pending_uploads_integration_test.go
@@ -43,7 +43,6 @@ package handlers
 import (
 "context"
 "database/sql"
- "os"
 "strings"
 "testing"
 "time"
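Review bot: In `requireIntegrationDBURL` (integration_helper_test.go) the fail-closed branch depends on `CI`, `GITHUB_ACTIONS` or `GITEA_ACTIONS` reaching the test process, so a step that runs `go test` through a wrapper that does not forward the environment (a container exec, `env -i`, `sudo` without `-E`) drops back to `t.Skip` and the job is green again. Since this helper is the control that stops a missing database from passing unnoticed, an explicit opt-in set by the workflow's test step would be more robust than ambient markers, for example adding `os.Getenv("INTEGRATION_DB_REQUIRED") != ""` to the condition (the variable name is a proposal, not something that exists today). At minimum the doc comment should say so: `// Fail-closed only when one of the CI markers is visible to the test process; otherwise an empty URL skips.` The helper also cannot catch a `go test` invocation that omits `-tags integration`, which is outside this hunk and worth asserting in the workflow.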
@@ -63,10 +62,7 @@ import (
 // but kept separate so each table's wipe step is local to its tests.
 func integrationDB_PendingUploads(t *testing.T) *sql.DB {
 t.Helper()
- url := os.Getenv("INTEGRATION_DB_URL")
- if url == "" {
- t.Skip("INTEGRATION_DB_URL not set; skipping (local devs: see file header)")
- }
+ url := requireIntegrationDBURL(t)
 conn, err := sql.Open("postgres", url)
 if err != nil {
 t.Fatalf("open: %v", err)
diff --git a/workspace-server/internal/handlers/workspace_create_name_integration_test.go b/workspace-server/internal/handlers/workspace_create_name_integration_test.go
index f0cc8b289..77c94e312 100644
--- a/workspace-server/internal/handlers/workspace_create_name_integration_test.go
+++ b/workspace-server/internal/handlers/workspace_create_name_integration_test.go
@@ -41,7 +41,6 @@ import (
 "context"
 "database/sql"
 "fmt"
- "os"
 "testing"
 "github.com/google/uuid"
@@ -59,10 +58,7 @@ import (
 // only those.
 func integrationDB_WorkspaceCreateName(t *testing.T) *sql.DB {
 t.Helper()
- url := os.Getenv("INTEGRATION_DB_URL")
- if url == "" {
- t.Skip("INTEGRATION_DB_URL not set; skipping (see file header)")
- }
+ url := requireIntegrationDBURL(t)
 conn, err := sql.Open("postgres", url)
 if err != nil {
 t.Fatalf("open: %v", err)
--
2.52.0
From 46a0b2963fc395b9ba83df7324a46838246cc692 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Wed, 3 Jun 2026 19:41:06 +0000
Subject: [PATCH 2/2] fix(ci): remove credential leak in integration workflow preflight
The ${INTEGRATION_DB_URL%%@*} pattern strips only the host portion, leaving the user:password prefix exposed in CI logs. Replace with a static confirmation string.
Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/handlers-postgres-integration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/handlers-postgres-integration.yml b/.gitea/workflows/handlers-postgres-integration.yml
index 42e76e89d..a62b822f5 100644
--- a/.gitea/workflows/handlers-postgres-integration.yml
+++ b/.gitea/workflows/handlers-postgres-integration.yml
@@ -264,7 +264,7 @@ jobs:
 echo "::error::INTEGRATION_DB_URL is empty — postgres-start step did not export the connection string"
 exit 1
 fi
- echo "INTEGRATION_DB_URL is set (${INTEGRATION_DB_URL%%@*}@...)"
+ echo "INTEGRATION_DB_URL is set"
 - if: needs.detect-changes.outputs.handlers == 'true'
 name: Run integration tests
--
2.52.0
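Review bot: The static `echo "INTEGRATION_DB_URL is set"` stops this step from printing the `user:password` prefix, but it does nothing about logs already produced: if CI ran on the first patch of this series, the credential is in that job's output and should be treated as exposed unless it is a throwaway for the per-job Postgres container (not visible from this hunk). Other steps can still surface the value, for instance the `t.Fatalf("open: %v", err)` calls in the integration helpers if the driver includes the DSN in its error text. Consider registering the password with the runner's log masking in the step that exports the URL, e.g. `echo "::add-mask::$DB_PASSWORD"` (variable name constructed for illustration; confirm the Gitea runner honours `::add-mask::`).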