harden(ci): SEV-2499 drift-prevention guard for KI-013 container naming #2501

Merged
agent-reviewer merged 1 commits from harden/e2e-ki013-drift-guard into main 2026-06-10 03:16:27 +00:00
2 changed files with 17 additions and 10 deletions
@@ -2,35 +2,34 @@
# Drift-prevention guard: SEV #2499 class (KI-013 container/volume naming).
#
# KI-013 removed 12-char UUID truncation from container/volume names.
# E2E scripts must use FULL workspace IDs (ws-${WSID}) when referencing
# containers and volumes. Any ${VAR:0:12} truncation in a ws-* context
# is a regression risk.
# E2E scripts must use FULL workspace IDs when referencing containers
# and volumes. Any :0:12 substring-match truncation is a regression risk.
#
# Scans ALL .sh files under tests/e2e/ (including lib/ and subdirs).
# Run: bash .gitea/scripts/lint-e2e-ki013-container-names.sh
set -euo pipefail
PAT=':0:12([^0-9]|$)'
ERR=0
for f in tests/e2e/*.sh; do
# Allow :0:12 when it is NOT inside a ws-* container/volume reference.
# The grep looks for ws- followed anywhere on the same line by ${*:0:12.
# Use find to recurse into tests/e2e subdirs (lib/, cron/, etc.)
while IFS= read -r -d '' f; do
MATCHES=$(grep -nE "$PAT" "$f" 2>/dev/null || true)
if [ -n "$MATCHES" ]; then
echo "::error::SEV-2499 drift guard: truncated workspace ID in container/volume name"
echo "::error::SEV-2499 drift guard: truncated workspace ID (:0:12) in E2E script"
echo "::error::file=$f"
echo "$MATCHES" | while read -r line; do
echo "::error:: $line"
done
ERR=1
fi
done
done < <(find tests/e2e -type f -name '*.sh' -print0)
if [ "$ERR" -ne 0 ]; then
echo ""
echo "FAIL: E2E scripts reference containers/volumes with 12-char truncated IDs."
echo "FAIL: E2E scripts use 12-char truncated IDs (:0:12)."
echo " KI-013 requires FULL workspace IDs. Update the flagged lines."
exit 1
fi
echo "PASS: No truncated workspace IDs in E2E container/volume references."
echo "PASS: No truncated workspace IDs in E2E scripts."
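Review bot: The guard fails open on scan errors: on the MATCHES line, `grep -nE "$PAT" "$f" 2>/dev/null || true` collapses grep's exit status 2 (unreadable file, bad pattern) into "no match", and a failing `find` inside `< <(find …)` is not caught by `set -euo pipefail`, so either error path ends in PASS. Capture the status instead, `rc=0; MATCHES=$(grep -nE "$PAT" "$f") || rc=$?` followed by `if [ "$rc" -eq 2 ]; then echo "::error::grep failed on $f"; exit 2; fi`, and count the files visited in the loop so a zero-file scan (for example a renamed tests/e2e/) fails rather than printing PASS. The pattern also only recognises the `:0:12` spelling; presumably `${VAR::12}` or `cut -c1-12` would reintroduce the same truncation unnoticed, so widen PAT if those forms are plausible in this codebase. The script's shebang line precedes the hunk.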
+8
@@ -394,6 +394,14 @@ jobs:
# a revert of the zero-validated→RED logic goes red on every PR.
bash tests/e2e/test_require_live_priority_gate_unit.sh
- if: ${{ needs.changes.outputs.scripts == 'true' }}
name: Drift guard — KI-013 container/volume naming (SEV #2499)
# KI-013 removed 12-char UUID truncation from container/volume names.
# E2E scripts must use FULL workspace IDs. This fail-closed guard
# prevents regressions where a new/modified script reintroduces the
# old truncated-name pattern (the root cause of SEV #2499).
run: bash .gitea/scripts/lint-e2e-ki013-container-names.sh
- if: ${{ needs.changes.outputs.scripts == 'true' }}
name: Test ECR promote-tenant-image script (mock-driven, no live infra)
# Covers scripts/promote-tenant-image.sh — the codified