Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Adds coverage (unit + optional live integration) for resolving infra.database trusted_sources rules of type=app from app name → UUID, and wires the Apps client into DatabaseDriver so apply-time resolution is supported.
Changes:
- Update
DatabaseDriverto optionally use an Apps client and resolvetrusted_sourcestype=appvalues from name → UUID during Create/Update. - Add unit tests covering name-resolution, UUID pass-through, and invalid
trusted_sourcesshapes. - Add a
//go:build integrationlive test plus a manual-only GitHub Actions workflow to run it.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
internal/drivers/database.go |
Wires Apps client into DatabaseDriver and adds name→UUID resolution + stricter trusted_sources validation. |
internal/drivers/database_test.go |
Adds unit tests for app-name resolution, UUID pass-through, and error cases. |
internal/drivers/database_trusted_sources_integration_test.go |
Adds a tagged live test that cross-checks UUID resolution against the live Apps API. |
.github/workflows/integration.yml |
Adds a workflow_dispatch-only job to run the live integration test. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@copilot review |
Addressed the two outstanding review items:
All tests pass, CodeQL scan clean. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Run trusted_sources live integration test | ||
| env: | ||
| DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }} | ||
| DO_TEST_APP_NAME: ${{ inputs.app_name }} | ||
| run: | |
There was a problem hiding this comment.
The workflow can succeed without actually running the live test when DIGITALOCEAN_TOKEN is missing, because the test uses t.Skip on empty token. Consider adding an explicit preflight check in the workflow step (or a separate step) that fails early if secrets.DIGITALOCEAN_TOKEN is not set, to avoid a false-green manual run.
|
@copilot review |
Both items flagged in this round were already addressed in commit
All tests pass. |
|
@copilot review |
All prior review findings are resolved — no new issues found:
Tests pass cleanly ( |
|
@copilot review |
No new issues found. All prior review findings remain resolved:
|
|
@copilot resolve the merge conflicts in this pull request |
…ources app name→UUID Adds a live integration test that calls resolveAppNamesMap against the real DO Apps API and cross-checks the returned UUID against an independent Apps.List call. Skips automatically when DIGITALOCEAN_TOKEN is not set. Wires a workflow_dispatch-only CI job so it never runs automatically on PRs. Invariant proof (revert → FAIL → restore → PASS): - With app.Spec.Name returned instead of app.ID, the AppNameResolved unit tests fail: rule.Value = "bmw-staging" instead of the expected UUID. - With fix restored, all tests pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…n test A network stall could hang a manual workflow_dispatch run indefinitely. context.WithTimeout(30s) bounds both the resolveAppNamesMap call and the independent Apps.List cross-check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CodeQL finding: workflow lacked a permissions block, leaving GITHUB_TOKEN with default (write-all) scope. This integration job only needs to check out code and run tests — no write-back required. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1. database.go: buildUpdateFirewallRules resolveAppNamesMap error path now returns (nil, true, err) — trusted_sources key IS present so bool must be true regardless of resolution failure. Completes the fix started in 3f3cee5 (which fixed the wrong-type path but missed this path). 2. integration.yml: add preflight step that hard-fails when DIGITALOCEAN_TOKEN secret is not configured, preventing a silent t.Skip that makes the workflow appear green without running any test. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Merge conflicts resolved in
Build, tests, and |
intel352
force-pushed
the
feat/trusted-sources-integration-test
branch
from
41a0b65 to
34f3f3b
Compare
|
@copilot review |
|
@copilot review |
Summary
internal/drivers/database_trusted_sources_integration_test.gowith//go:build integrationtagresolveAppNamesMapagainst the live DO Apps API and cross-checks the returned UUID against an independentApps.Listcallt.Skip) whenDIGITALOCEAN_TOKENorDO_TEST_APP_NAMEare not set — never fails CI on normal PRs.github/workflows/integration.yml— aworkflow_dispatch-only job; never auto-runs on push or PRInvariant proof
Temporarily returned
app.Spec.Nameinstead ofapp.IDinresolveAppNamesMap:TestDatabaseDriver_Create_WithTrustedSources_AppNameResolved→ FAIL (rule.Value = "bmw-staging", want UUID)TestDatabaseDriver_Update_WithTrustedSources_AppNameResolved→ FAIL (same)With fix restored: all tests pass.
Running the live test
Or dispatch via Actions → Integration Tests → Run workflow (requires
DIGITALOCEAN_TOKENsecret in repo settings).Test plan
DIGITALOCEAN_TOKEN(done locally)-tags integrationcompiles cleanly (done locally)DIGITALOCEAN_TOKENsecret is added to repo🤖 Generated with Claude Code