#!/usr/bin/env python3
from __future__ import annotations
import re
from pathlib import Path
# parents[0] is the directory holding this file; parents[2] is two levels above
# it (presumably the repository root -- confirm against the checkout layout).
ROOT = Path(__file__).resolve().parents[2]

# The CD pipeline definition whose text every test in this module inspects.
CD_WORKFLOW = ROOT.joinpath(".gitea", "workflows", "cd.yaml")
def _workflow_text() -> str:
    """Return the full contents of ``CD_WORKFLOW`` decoded as UTF-8.

    The file is re-read on every call; nothing is cached, so each test sees
    the workflow exactly as it is on disk at that moment.
    """
    with CD_WORKFLOW.open(encoding="utf-8") as handle:
        return handle.read()
def test_web_changes_stay_on_controlled_runtime_profile() -> None:
    """Pin the workflow's handling of ``apps/web`` changes.

    Checks that the CD workflow text still contains the ``apps/web/*)`` entry
    (the trailing ``)`` suggests a shell ``case`` pattern -- confirm against
    cd.yaml) and the explanatory sentence that accompanies it.
    """
    workflow = _workflow_text()
    for fragment in (
        "apps/web/*)",
        "UI-only changes are verified by the",
    ):
        assert fragment in workflow
def test_product_manifest_changes_stay_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the product manifest and its tooling.

    The ``)``-terminated strings look like ``case`` patterns that classify a
    changed path (confirm against cd.yaml); the last string is the test module
    the workflow is expected to name for that change.
    """
    workflow = _workflow_text()
    required_fragments = (
        "product.awoooi.yaml)",
        "apps/api/Dockerfile)",
        "docs/schemas/product_awoooi_manifest_v1.schema.json)",
        "apps/api/src/services/product_awoooi_manifest_standard.py)",
        "tests/test_product_awoooi_manifest_standard_api.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_deploy_marker_k8s_files_stay_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the deploy-marker Kubernetes manifests.

    Checks that the comment naming the files written by build-and-deploy and
    the two ``k8s/awoooi-prod`` entries are still present in the workflow text.
    Only presence is checked; nothing here verifies that the list of written
    files is complete.
    """
    workflow = _workflow_text()
    for fragment in (
        "build-and-deploy writes only these GitOps",
        "k8s/awoooi-prod/06-deployment-api.yaml)",
        "k8s/awoooi-prod/kustomization.yaml)",
    ):
        assert fragment in workflow
def test_credential_escrow_intake_stays_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the credential-escrow intake service.

    Checks the ``)``-terminated path entry, the ``src/``-relative path and the
    API test module name are all present in the workflow text.
    """
    workflow = _workflow_text()
    required_fragments = (
        "apps/api/src/services/credential_escrow_evidence_intake_readiness.py)",
        # NOTE(review): this string is a substring of the entry above, so it
        # can never fail on its own; it does not prove the path is listed a
        # second time (e.g. in the pytest/compile step).
        "src/services/credential_escrow_evidence_intake_readiness.py",
        "tests/test_credential_escrow_evidence_intake_readiness_api.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_p0_onboarding_readiness_sources_stay_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the P0 onboarding readiness services.

    For every service module listed below, the workflow text must contain both
    the ``apps/api/src/services/<module>)`` entry and the
    ``src/services/<module>`` path.
    """
    workflow = _workflow_text()
    service_modules = (
        "awoooi_gitea_onboarding_warning_step_dashboard.py",
        "awoooi_gitea_onboarding_warning_step_owner_package.py",
        "awoooi_gitea_onboarding_warning_step_owner_response_preflight.py",
        "awoooi_gitea_onboarding_warning_step_template_copy_apply_gate.py",
        "awoooi_gitea_onboarding_warning_step_template_copy_execution_plan.py",
        "awoooi_new_product_onboarding_page_model.py",
        "awoooi_onboarding_reminder_contract.py",
        "awoooi_onboarding_source_contracts.py",
        "awoooi_product_onboarding_guard.py",
    )
    for source in service_modules:
        assert f"apps/api/src/services/{source})" in workflow
        # NOTE(review): the string below is a substring of the one just
        # asserted, so this check is implied by it and cannot fail separately.
        assert f"src/services/{source}" in workflow
def test_iwooos_security_operation_api_stays_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the IwoooS security-operation API.

    Every string in the tuple must appear somewhere in the workflow text.
    """
    workflow = _workflow_text()
    required_fragments = (
        "apps/api/src/api/v1/iwooos.py)",
        "apps/api/src/services/iwooos_security_operating_system.py)",
        "apps/api/tests/test_iwooos_security_operating_system.py)",
        # NOTE(review): each of the three strings below is a substring of one
        # of the three above, so these checks are implied by them and do not
        # show that the paths occur independently in the workflow.
        "src/api/v1/iwooos.py",
        "src/services/iwooos_security_operating_system.py",
        "tests/test_iwooos_security_operating_system.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_ai_autonomous_runtime_control_stays_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the AI agent autonomous-runtime control.

    Every string in the tuple must appear somewhere in the workflow text.
    """
    workflow = _workflow_text()
    required_fragments = (
        "apps/api/src/services/ai_agent_autonomous_runtime_control.py)",
        "apps/api/tests/test_ai_agent_autonomous_runtime_control.py)",
        # NOTE(review): both strings below are substrings of the two above,
        # so they are satisfied whenever those are.
        "src/services/ai_agent_autonomous_runtime_control.py",
        "tests/test_ai_agent_autonomous_runtime_control.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_awooop_ansible_check_mode_stays_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the Ansible audit and check-mode services.

    Covers the two service modules, the up/down SQL migrations and the
    truth-chain test module. Every string must appear in the workflow text.
    """
    workflow = _workflow_text()
    # NOTE(review): the three ``src/services/...`` and ``tests/...`` strings
    # without a trailing ``)`` are substrings of the matching ``apps/api/...)``
    # entries in this same tuple, so they cannot fail independently.
    required_fragments = (
        "apps/api/src/services/awooop_ansible_audit_service.py)",
        "apps/api/src/services/awooop_ansible_check_mode_service.py)",
        "apps/api/migrations/adr090e_ansible_learning_writeback_operation_type.sql)",
        "apps/api/migrations/adr090e_ansible_learning_writeback_operation_type_down.sql)",
        "src/services/awooop_ansible_audit_service.py",
        "apps/api/tests/test_awooop_truth_chain_service.py)",
        "src/services/awooop_ansible_check_mode_service.py",
        "tests/test_awooop_truth_chain_service.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_dr_escrow_checklist_stays_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the DR escrow evidence checklist scripts.

    Each script is expected twice: once as a ``)``-terminated entry and once
    as a ``../../``-relative path (presumably as seen from ``apps/api`` --
    confirm against cd.yaml).
    """
    workflow = _workflow_text()
    required_fragments = (
        "scripts/reboot-recovery/dr-escrow-evidence-checklist.py)",
        "scripts/reboot-recovery/post-reboot-owner-response-preflight.py)",
        "scripts/reboot-recovery/tests/test_dr_escrow_evidence_checklist.py)",
        "../../scripts/reboot-recovery/dr-escrow-evidence-checklist.py",
        "../../scripts/reboot-recovery/post-reboot-owner-response-preflight.py",
        "../../scripts/reboot-recovery/tests/test_dr_escrow_evidence_checklist.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_gitea_private_inventory_scorecard_stays_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the Gitea private-inventory scorecard.

    Covers the snapshot documents, the API service and its test, and the
    ``scripts/security`` tools with their tests. Every string must appear in
    the workflow text.
    """
    workflow = _workflow_text()
    # NOTE(review): "src/services/gitea_private_inventory_p0_scorecard.py" and
    # "tests/test_gitea_private_inventory_p0_scorecard_api.py" are substrings
    # of the matching ``apps/api/...)`` entries, so those two checks are
    # implied. The ``../../scripts/...`` strings are independent checks.
    required_fragments = (
        "docs/operations/awoooi-gitea-private-inventory-p0-scorecard.snapshot.json)",
        "apps/api/src/services/gitea_private_inventory_p0_scorecard.py)",
        "apps/api/tests/test_gitea_private_inventory_p0_scorecard_api.py)",
        "docs/operations/awoooi-gitea-authenticated-inventory-payload-validation.snapshot.json)",
        "docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md)",
        "docs/security/gitea-repo-inventory.snapshot.json)",
        "scripts/security/gitea-private-inventory-p0-scorecard.py)",
        "scripts/security/gitea-authenticated-inventory-payload-validator.py)",
        "scripts/security/tests/test_gitea_private_inventory_p0_scorecard.py)",
        "src/services/gitea_private_inventory_p0_scorecard.py",
        "tests/test_gitea_private_inventory_p0_scorecard_api.py",
        "scripts/security/tests/test_gitea_authenticated_inventory_payload_validator.py)",
        "../../scripts/security/gitea-private-inventory-p0-scorecard.py",
        "../../scripts/security/gitea-authenticated-inventory-payload-validator.py",
        "../../scripts/security/tests/test_gitea_private_inventory_p0_scorecard.py",
        "../../scripts/security/tests/test_gitea_authenticated_inventory_payload_validator.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_reboot_auto_recovery_slo_sources_stay_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the reboot auto-recovery SLO tooling.

    Covers the scorecard snapshot, the systemd unit and timer, the installer,
    probe and exporter scripts, the scorecard script and its tests. Every
    string must appear in the workflow text.
    """
    workflow = _workflow_text()
    required_fragments = (
        "docs/operations/awoooi-reboot-auto-recovery-slo-scorecard.snapshot.json)",
        "scripts/reboot-recovery/awoooi-reboot-auto-recovery-slo.service)",
        "scripts/reboot-recovery/awoooi-reboot-auto-recovery-slo.timer)",
        "scripts/reboot-recovery/install-reboot-auto-recovery-slo-110.sh)",
        "scripts/reboot-recovery/reboot-auto-recovery-host-probe.sh)",
        "scripts/reboot-recovery/reboot-auto-recovery-slo-exporter.sh)",
        "scripts/reboot-recovery/reboot-auto-recovery-slo-scorecard.py)",
        "scripts/reboot-recovery/tests/test_reboot_auto_recovery_slo_installer.py)",
        "scripts/reboot-recovery/tests/test_reboot_auto_recovery_slo_scorecard.py)",
        "../../scripts/reboot-recovery/reboot-auto-recovery-slo-scorecard.py",
        "../../scripts/reboot-recovery/tests/test_reboot_auto_recovery_slo_installer.py",
        "../../scripts/reboot-recovery/tests/test_reboot_auto_recovery_slo_scorecard.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_post_start_recovery_verifiers_stay_on_controlled_runtime_profile() -> None:
    """Pin the workflow entries for the post-start recovery verifiers.

    Covers the quick-check and host-hygiene shell scripts and their tests,
    each as a ``)``-terminated entry and as a ``../../``-relative path. Every
    string must appear in the workflow text.
    """
    workflow = _workflow_text()
    required_fragments = (
        "scripts/reboot-recovery/post-start-quick-check.sh)",
        "scripts/reboot-recovery/188-host-hygiene-maintenance-checklist.sh)",
        "scripts/reboot-recovery/tests/test_188_host_hygiene_checklist.py)",
        "scripts/reboot-recovery/tests/test_post_start_quick_check_contract.py)",
        "../../scripts/reboot-recovery/post-start-quick-check.sh",
        "../../scripts/reboot-recovery/188-host-hygiene-maintenance-checklist.sh",
        "../../scripts/reboot-recovery/tests/test_188_host_hygiene_checklist.py",
        "../../scripts/reboot-recovery/tests/test_post_start_quick_check_contract.py",
    )
    for fragment in required_fragments:
        assert fragment in workflow
def test_controlled_runtime_skips_b5_before_docker_socket_use() -> None:
    """Check the controlled-runtime early exit precedes the Docker socket mount.

    Starting at the "Integration Tests (B5" step, the workflow text must
    contain, in this order: the ``AWOOOI_CD_TEST_PROFILE`` gate for
    ``controlled-runtime``, an ``exit 0``, and the
    ``/var/run/docker.sock`` bind mount. A container that is handed the Docker
    socket can drive the host's Docker daemon, so this ordering is what keeps
    the controlled-runtime profile away from it.

    ``str.index`` raises ``ValueError`` when a marker is absent, so a missing
    marker fails the test as well.
    """
    workflow = _workflow_text()
    step_offset = workflow.index("- name: Integration Tests (B5")

    # Lookup order matches the original so the same marker is reported first
    # when more than one is missing.
    socket_mount_at = workflow.index(
        "-v /var/run/docker.sock:/var/run/docker.sock", step_offset
    )
    gate_at = workflow.index(
        'if [ "${AWOOOI_CD_TEST_PROFILE:-full}" = "controlled-runtime" ]; then',
        step_offset,
    )
    early_exit_at = workflow.index("exit 0", gate_at)

    # NOTE(review): the searches run to the end of the file rather than to the
    # end of the B5 step, and the first "exit 0" after the gate is not checked
    # to sit inside the gate's own `then` branch -- text offsets only, confirm
    # against cd.yaml if the step is restructured.
    assert gate_at < early_exit_at and early_exit_at < socket_mount_at
def test_controlled_runtime_pytest_paths_exist() -> None:
    """Check every ``.py`` path given to the workflow's pytest call exists.

    The text between the first ``PYTHONFAULTHANDLER=1 python3.11 -m pytest``
    and the following ``-v --tb=short`` is scanned for ``tests/``, ``ops/`` and
    ``scripts/`` paths (optionally prefixed with ``../../``). Paths starting
    with ``tests/`` are resolved under ``ROOT / "apps/api"``; all others are
    resolved from ``ROOT`` after a leading ``../../`` is dropped. The test
    fails listing every token whose file is not on disk.
    """
    workflow = _workflow_text()

    # Indexing [1] raises IndexError when the pytest invocation is absent;
    # only the first invocation in the file is inspected.
    after_invocation = workflow.split("PYTHONFAULTHANDLER=1 python3.11 -m pytest", 1)[1]
    pytest_args = after_invocation.partition("-v --tb=short")[0]

    path_pattern = re.compile(
        r"((?:\.\./\.\./)?(?:tests|ops|scripts)/[A-Za-z0-9_./-]+\.py)"
    )
    # De-duplicate and sort so the failure output is stable between runs.
    referenced = sorted({*path_pattern.findall(pytest_args)})

    def on_disk(token: str) -> Path:
        """Map a path token from the workflow to its location under ROOT."""
        if token.startswith("tests/"):
            return ROOT / "apps/api" / token
        return ROOT / token.removeprefix("../../")

    missing: list[str] = [
        token for token in referenced if not on_disk(token).exists()
    ]

    assert missing == []