From 2584a188628cfc96c6058dbb71bbb2626ba55640 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Tue, 9 Jun 2026 22:55:29 +0000
Subject: [PATCH] harden(ci): add SEV-2499 drift-prevention guard for KI-013 container naming

Add lint-e2e-ki013-container-names.sh that scans tests/e2e/*.sh for any ${VAR:0:12} truncation patterns. KI-013 removed 12-char UUID truncation from container/volume names; reintroducing it in E2E scripts causes the container-not-found failures that created SEV #2499. Wired into CI Shellcheck (E2E scripts) job as a fail-closed step so every PR touching E2E scripts is automatically guarded.

Co-Authored-By: Claude Opus 4.8
---
 .../scripts/lint-e2e-ki013-container-names.sh | 19 +++++++++----------
 .gitea/workflows/ci.yml | 8 ++++++++
 2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/.gitea/scripts/lint-e2e-ki013-container-names.sh b/.gitea/scripts/lint-e2e-ki013-container-names.sh
index 2fcfeaa82..3b4db439e 100755
--- a/.gitea/scripts/lint-e2e-ki013-container-names.sh
+++ b/.gitea/scripts/lint-e2e-ki013-container-names.sh
@@ -2,35 +2,34 @@
 # Drift-prevention guard: SEV #2499 class (KI-013 container/volume naming).
 #
 # KI-013 removed 12-char UUID truncation from container/volume names.
-# E2E scripts must use FULL workspace IDs (ws-${WSID}) when referencing
-# containers and volumes. Any ${VAR:0:12} truncation in a ws-* context
-# is a regression risk.
+# E2E scripts must use FULL workspace IDs when referencing containers
+# and volumes. Any :0:12 substring-match truncation is a regression risk.
 #
+# Scans ALL .sh files under tests/e2e/ (including lib/ and subdirs).
 # Run: bash .gitea/scripts/lint-e2e-ki013-container-names.sh
 set -euo pipefail
 PAT=':0:12([^0-9]|$)'
 ERR=0
-for f in tests/e2e/*.sh; do
-  # Allow :0:12 when it is NOT inside a ws-* container/volume reference.
-  # The grep looks for ws- followed anywhere on the same line by ${*:0:12.
+# Use find to recurse into tests/e2e subdirs (lib/, cron/, etc.)
+while IFS= read -r -d '' f; do
 MATCHES=$(grep -nE "$PAT" "$f" 2>/dev/null || true)
 if [ -n "$MATCHES" ]; then
-    echo "::error::SEV-2499 drift guard: truncated workspace ID in container/volume name"
+    echo "::error::SEV-2499 drift guard: truncated workspace ID (:0:12) in E2E script"
 echo "::error::file=$f"
 echo "$MATCHES" | while read -r line; do
 echo "::error:: $line"
 done
 ERR=1
 fi
-done
+done < <(find tests/e2e -type f -name '*.sh' -print0)
 if [ "$ERR" -ne 0 ]; then
 echo ""
-  echo "FAIL: E2E scripts reference containers/volumes with 12-char truncated IDs."
+  echo "FAIL: E2E scripts use 12-char truncated IDs (:0:12)."
 echo "  KI-013 requires FULL workspace IDs. Update the flagged lines."
 exit 1
 fi
-echo "PASS: No truncated workspace IDs in E2E container/volume references."
+echo "PASS: No truncated workspace IDs in E2E scripts."
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index d2e18494e..f5f4ef267 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
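Review bot: The `|| true` on the grep call and the unguarded `find` mean the guard is not actually fail-closed: grep exits 2 for an unreadable file or a bad regex and that is swallowed into an empty MATCHES, and if `tests/e2e` is missing or renamed the process substitution fails without tripping `set -e`, so both cases print PASS. Distinguish grep's no-match status (1) from an error (>1) and require the scan root to exist before the loop; the rewritten loop head is below, the match-reporting branch is unchanged. Because the loop is fed by `done < <(find …)` rather than a pipe, `ERR=1` set inside it does survive to the final check, so that part is fine. The script's shebang on line 1 is outside the hunk.
```shell
# Fail closed: a missing scan root must not report PASS.
[ -d tests/e2e ] || { echo "::error::tests/e2e not found; nothing scanned"; exit 1; }

while IFS= read -r -d '' f; do
  rc=0
  MATCHES=$(grep -nE -e "$PAT" -- "$f") || rc=$?
  # grep: 0 = match, 1 = no match, >1 = error (unreadable file, bad regex)
  if [ "$rc" -gt 1 ]; then
    echo "::error::SEV-2499 drift guard: could not scan $f (grep exit $rc)"
    ERR=1
    continue
  fi
  # … unchanged: ::error reporting of MATCHES and ERR=1 …
done < <(find tests/e2e -type f -name '*.sh' -print0)
```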
@@ -394,6 +394,14 @@ jobs:
 # a revert of the zero-validated→RED logic goes red on every PR.
 bash tests/e2e/test_require_live_priority_gate_unit.sh
+ - if: ${{ needs.changes.outputs.scripts == 'true' }}
+ name: Drift guard — KI-013 container/volume naming (SEV #2499)
+ # KI-013 removed 12-char UUID truncation from container/volume names.
+ # E2E scripts must use FULL workspace IDs. This fail-closed guard
+ # prevents regressions where a new/modified script reintroduces the
+ # old truncated-name pattern (the root cause of SEV #2499).
+ run: bash .gitea/scripts/lint-e2e-ki013-container-names.sh
+
 - if: ${{ needs.changes.outputs.scripts == 'true' }}
 name: Test ECR promote-tenant-image script (mock-driven, no live infra)
 # Covers scripts/promote-tenant-image.sh — the codified
-- 
2.52.0
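Review bot: The new step inherits the `needs.changes.outputs.scripts == 'true'` gate, so whether it runs for every PR touching E2E scripts depends on the `changes` job's path filter, which is outside this hunk; if that filter does not include `tests/e2e/**` and `.gitea/scripts/**`, the step is skipped rather than failing, which contradicts the "fail-closed" wording in its comment. Suggest recording the dependency in the step comment, e.g. `# Gated on the 'scripts' change filter — it must cover tests/e2e/** and .gitea/scripts/** or this guard is silently skipped.`, and confirming the filter covers both paths. The enclosing job definition starts and ends outside the hunk.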