#!/usr/bin/env python3
from __future__ import annotations
import subprocess
import sys
from pathlib import Path
# Repository root: two directory levels above the directory that holds this file.
ROOT = Path(__file__).resolve().parents[2]
# Guard script under test. run_guard() launches it as a subprocess; it is never imported.
GUARD = ROOT.joinpath("ops/runner/guard-gitea-runner-pressure.py")
def write_workflow(root: Path, text: str) -> None:
    """Write *text* to ``.gitea/workflows/cd.yaml`` underneath *root*.

    Missing parent directories are created; an existing ``cd.yaml`` is
    overwritten. The file is encoded as UTF-8.
    """
    target = root / ".gitea/workflows" / "cd.yaml"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text, encoding="utf-8")
def run_guard(root: Path) -> subprocess.CompletedProcess[str]:
    """Run the guard script against *root* and return the completed process.

    stdout and stderr are captured as text. A non-zero exit status does not
    raise, because the "blocked" tests assert on the exit code themselves.
    """
    # An argv list (no shell) keeps the temporary path from being interpreted
    # by a shell; sys.executable runs the guard under the interpreter that is
    # running the tests.
    argv = [sys.executable, str(GUARD), "--root", str(root)]
    return subprocess.run(argv, capture_output=True, text=True, check=False)
def test_manual_awoooi_host_is_allowed(tmp_path: Path) -> None:
    """A manually dispatched job on ``awoooi-host`` must pass the guard (exit 0)."""
    # The only trigger is workflow_dispatch, so nothing is scheduled on this
    # label unless someone starts the run by hand.
    workflow = """
name: manual
on:
  workflow_dispatch:
jobs:
  deploy:
    runs-on: awoooi-host
    steps:
      - run: true
"""
    write_workflow(tmp_path, workflow)
    outcome = run_guard(tmp_path)
    # Attach the guard's output so a regression shows which finding fired.
    assert outcome.returncode == 0, outcome.stdout + outcome.stderr
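def test_push_to_110_incident_label_is_blocked(tmp_path: Path) -> None:
    """A push-triggered job on ``awoooi-host`` must be rejected by the guard.

    Expects exit code 1 and the finding id
    ``auto_branch_event_targets_110_incident_runner`` on stdout.
    """
    # Same job as the manual case; only the trigger differs (push to main),
    # so this pins the rule to the event type rather than to the label alone.
    # NOTE(review): the test name implies awoooi-host is the "110 incident"
    # runner label; that mapping lives in the guard, not here -- confirm.
    write_workflow(
        tmp_path,
        """
name: push
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: awoooi-host
    steps:
      - run: true
""",
    )
    result = run_guard(tmp_path)
    # Carry the guard's full output into the failure message, as the
    # "allowed" tests do, so a wrong exit code or missing finding can be
    # diagnosed from the test log alone.
    output = result.stdout + result.stderr
    assert result.returncode == 1, output
    assert "auto_branch_event_targets_110_incident_runner" in result.stdout, output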
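def test_generic_label_is_blocked_even_for_manual(tmp_path: Path) -> None:
    """A job on the generic ``ubuntu-latest`` label must be rejected by the guard.

    The workflow is manual-only (``workflow_dispatch``), the trigger that is
    accepted for ``awoooi-host``; the guard must still exit 1 and print the
    finding id ``generic_runner_label_reintroduced`` on stdout.
    """
    # NOTE(review): presumably generic labels are refused because they do not
    # pin the job to one dedicated runner -- confirm against the guard's rules.
    write_workflow(
        tmp_path,
        """
name: generic
on:
  workflow_dispatch:
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: true
""",
    )
    result = run_guard(tmp_path)
    # Carry the guard's full output into the failure message, as the
    # "allowed" tests do, so a wrong exit code or missing finding can be
    # diagnosed from the test log alone.
    output = result.stdout + result.stderr
    assert result.returncode == 1, output
    assert "generic_runner_label_reintroduced" in result.stdout, output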
def test_push_to_non110_dedicated_label_is_allowed(tmp_path: Path) -> None:
    """A push-triggered job on ``awoooi-non110-host`` must pass the guard (exit 0)."""
    # Counterpart of the blocked push case: same trigger (push to main), but
    # the job targets the dedicated non-110 label instead of awoooi-host.
    workflow = """
name: push-non110
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: awoooi-non110-host
    steps:
      - run: true
"""
    write_workflow(tmp_path, workflow)
    outcome = run_guard(tmp_path)
    # Attach the guard's output so a regression shows which finding fired.
    assert outcome.returncode == 0, outcome.stdout + outcome.stderr