from __future__ import annotations import json import pytest from src.services.gitea_workflow_runner_health import load_latest_gitea_workflow_runner_health def test_load_latest_gitea_workflow_runner_health_reads_newest_file(tmp_path): older = _snapshot(generated_at="2026-06-04T00:00:00+08:00", completion=40) newer = _snapshot(generated_at="2026-06-05T00:00:00+08:00", completion=100) (tmp_path / "gitea_workflow_runner_health_2026-06-04.json").write_text( json.dumps(older), encoding="utf-8", ) (tmp_path / "gitea_workflow_runner_health_2026-06-05.json").write_text( json.dumps(newer), encoding="utf-8", ) loaded = load_latest_gitea_workflow_runner_health(tmp_path) assert loaded["generated_at"] == "2026-06-05T00:00:00+08:00" assert loaded["program_status"]["overall_completion_percent"] == 100 assert loaded["rollups"]["total_workflows"] == 2 assert loaded["operation_boundaries"]["workflow_modification_allowed"] is False def test_gitea_workflow_runner_health_requires_read_only_mode(tmp_path): snapshot = _snapshot() snapshot["program_status"]["read_only_mode"] = False (tmp_path / "gitea_workflow_runner_health_2026-06-05.json").write_text( json.dumps(snapshot), encoding="utf-8", ) with pytest.raises(ValueError, match="read_only_mode"): load_latest_gitea_workflow_runner_health(tmp_path) def test_gitea_workflow_runner_health_requires_blocked_operations(tmp_path): snapshot = _snapshot() snapshot["operation_boundaries"]["runner_restart_allowed"] = True (tmp_path / "gitea_workflow_runner_health_2026-06-05.json").write_text( json.dumps(snapshot), encoding="utf-8", ) with pytest.raises(ValueError, match="operation boundaries"): load_latest_gitea_workflow_runner_health(tmp_path) def test_gitea_workflow_runner_health_requires_rollup_consistency(tmp_path): snapshot = _snapshot() snapshot["rollups"]["workflows_with_schedule"] = 99 (tmp_path / "gitea_workflow_runner_health_2026-06-05.json").write_text( json.dumps(snapshot), encoding="utf-8", ) with pytest.raises(ValueError, match="workflows_with_schedule"): load_latest_gitea_workflow_runner_health(tmp_path) def test_gitea_workflow_runner_health_requires_quiet_notification_contracts(tmp_path): snapshot = _snapshot() snapshot["notification_contracts"][0]["success_noise_policy"] = "always send success" (tmp_path / "gitea_workflow_runner_health_2026-06-05.json").write_text( json.dumps(snapshot), encoding="utf-8", ) with pytest.raises(ValueError, match="suppress success noise"): load_latest_gitea_workflow_runner_health(tmp_path) def test_gitea_workflow_runner_health_rejects_secret_payload_keys(tmp_path): snapshot = _snapshot() snapshot["latest_observations"][0]["runner_token"] = "redacted" (tmp_path / "gitea_workflow_runner_health_2026-06-05.json").write_text( json.dumps(snapshot), encoding="utf-8", ) with pytest.raises(ValueError, match="forbidden secret payload key"): load_latest_gitea_workflow_runner_health(tmp_path) def test_gitea_workflow_runner_health_fails_when_missing(tmp_path): with pytest.raises(FileNotFoundError): load_latest_gitea_workflow_runner_health(tmp_path) def _snapshot( *, generated_at: str = "2026-06-05T00:00:00+08:00", completion: int = 100, ) -> dict: return { "schema_version": "gitea_workflow_runner_health_v1", "generated_at": generated_at, "program_status": { "overall_completion_percent": completion, "current_priority": "P1", "current_task_id": "P1-002", "next_task_id": "P1-003", "read_only_mode": True, }, "source_refs": ["docs/schemas/gitea_workflow_runner_health_v1.schema.json"], "rollups": { "total_workflows": 2, "by_workflow_status": {"manifest_mapped": 2}, "by_runner_evidence_status": {"host_runner_mapped": 1, "owner_attestation_required": 1}, "workflows_with_schedule": 1, "workflows_with_workflow_dispatch": 1, "workflows_with_notify_bridge": 1, "workflows_with_actionable_or_failure_quiet_policy": 1, "workflow_ids_requiring_runner_attestation": ["e2e_health"], "total_runner_contracts": 1, "runner_contracts_requiring_action": ["ubuntu_latest"], "notification_contracts_total": 2, "notification_contracts_quiet_success_count": 2, "notification_contracts_quiet_success_ids": ["actionable_only", "failure_only"], }, "workflow_records": [ _workflow_record( "cd_pipeline", "host_runner_mapped", ["push"], "deployment_status_exception", 1, ), _workflow_record( "e2e_health", "owner_attestation_required", ["workflow_dispatch", "schedule"], "failure_only", 0, ), ], "runner_contracts": [ { "contract_id": "ubuntu_latest", "display_name": "ubuntu-latest runner label", "status": "action_required", "risk_level": "high", "runner_labels": ["ubuntu-latest"], "used_by_workflows": ["e2e_health"], "health_contract": "只讀確認 runner label 與 recent run freshness。", "guardrail_refs": ["docs/HARD_RULES.md"], "evidence_refs": [".gitea/workflows/e2e-health.yaml"], "next_action": "補 owner attestation,不改 runner。", } ], "notification_contracts": [ _notification_contract("actionable_only", "actionable_only", "無 actionable 時不通知。"), _notification_contract("failure_only", "failure_only", "健康成功不通知。"), ], "latest_observations": [ { "observation_id": "committed_only", "status": "verified", "summary": "只讀 committed workflow。", "evidence_refs": ["docs/LOGBOOK.md"], } ], "operator_contract": { "display_mode": "read_only_gitea_workflow_runner_health", "must_not_interpret_as": [ "workflow 修改批准", "runner restart / stop 批准", "Secret 已讀取或可輸出", "Telegram 測試通知批准", "Gitea write token 授權", "deploy / migration workflow 觸發批准", ], "secret_display_policy": "只顯示 redacted metadata。", "runner_mutation_policy": "不得 restart runner。", "notification_policy": "成功不洗版。", }, "operation_boundaries": { "read_only_api_allowed": True, "workflow_modification_allowed": False, "runner_restart_allowed": False, "runner_container_stop_allowed": False, "runner_label_change_allowed": False, "runner_registration_allowed": False, "secret_read_allowed": False, "secret_plaintext_allowed": False, "notification_send_allowed": False, "schedule_enable_allowed": False, "gitea_api_write_allowed": False, "deploy_trigger_allowed": False, "migration_trigger_allowed": False, }, "approval_boundaries": { "workflow_modification_authorized": False, "runner_mutation_authorized": False, "notification_send_authorized": False, "secret_plaintext_allowed": False, "runtime_execution_authorized": False, "schedule_change_authorized": False, "gitea_write_authorized": False, "deploy_trigger_authorized": False, "migration_trigger_authorized": False, }, } def _workflow_record( workflow_id: str, runner_evidence_status: str, triggers: list[str], notification_policy: str, notify_bridge_calls: int, ) -> dict: return { "workflow_id": workflow_id, "file_ref": f".gitea/workflows/{workflow_id}.yaml", "display_name": workflow_id, "scope": "只讀 workflow 合約。", "status": "manifest_mapped", "risk_level": "medium", "triggers": triggers, "schedule_cadence": "每日" if "schedule" in triggers else "無定期排程", "runner_labels": ["awoooi-host" if runner_evidence_status == "host_runner_mapped" else "ubuntu-latest"], "runner_evidence_status": runner_evidence_status, "job_count": 1, "notification_policy": notification_policy, "notify_bridge_calls": notify_bridge_calls, "secrets_policy_status": "不讀 Secret payload。", "evidence_refs": [f".gitea/workflows/{workflow_id}.yaml"], "next_action": "只讀補證據。", } def _notification_contract(contract_id: str, policy_kind: str, success_noise_policy: str) -> dict: return { "contract_id": contract_id, "display_name": contract_id, "status": "preserved", "policy_kind": policy_kind, "success_noise_policy": success_noise_policy, "failure_policy": "失敗才升級。", "workflow_refs": ["e2e_health"], "evidence_refs": [".gitea/workflows/e2e-health.yaml"], "next_action": "保留通知政策。", }