Skip to content

fix(deploy-preview): fail loud on render failures and anchor the raw-secret match#62

Merged
jorisjonkers-dev-agents[bot] merged 2 commits into
mainfrom
fix/deploy-preview-render-failed-named
Jul 10, 2026
Merged

fix(deploy-preview): fail loud on render failures and anchor the raw-secret match#62
jorisjonkers-dev-agents[bot] merged 2 commits into
mainfrom
fix/deploy-preview-render-failed-named

Conversation

@jorisjonkers-dev-agents

Copy link
Copy Markdown
Contributor

Follow-up to #60 (issue #59): cross-review of the merged change surfaced two remaining defects.

Problem

  1. Render failures no longer failed the action. fix(deploy-preview): scorecard gate misjudges not_applicable, no_raw_secrets, and npm_signatures_verified #60 correctly removed the block that misattributed fragment render failures to no_raw_secrets, but that block was the only failure signal for broken renders. A preview whose fragment renders all failed could exit 0 with a green scorecard as long as emit-contract succeeded.
  2. Raw-secret scan matched unrelated kinds. The scan grepped for any line containing kind: Secret, so kind: SecretStore and kind: ClusterSecretStore resources (and comments containing the text) produced false no_raw_secrets failures.

Fix

  • Fragment render failures now fail the action explicitly with E_RENDER_FAILED: fragment renders failed: <env/fragment,...>, naming each concrete failed fragment. The gate summary carries the same list in its reason (render-failed:<list>); per-fragment diagnostics remain as ::warning annotations. Scorecard checks are never overridden.
  • The raw-secret match is anchored to the exact kind value (^kind:[[:space:]]*Secret[[:space:]]*$).

Tests

  • test_no_raw_secrets_pass_for_secretstore_kinds: SecretStore/ClusterSecretStore manifests do not trip the check
  • test_render_failures_fail_action_with_named_fragments: the script fails via E_RENDER_FAILED with a render-failed: gate reason and never sets no_raw_secrets from render state

…secret match

Review follow-ups to #60:

- Fragment render failures previously only warned once the misattributed
  no_raw_secrets override was removed, so a preview with broken renders
  could pass the gate. The action now fails with E_RENDER_FAILED naming
  the failed env/fragment pairs, and the gate summary reason carries
  render-failed:<list>.
- The raw-secret scan matched any line containing 'kind: Secret', so
  SecretStore and ClusterSecretStore resources produced false failures.
  The match is now anchored to the exact kind value.
@jorisjonkers-dev-agents jorisjonkers-dev-agents Bot added the type: bug Something is broken or behaving incorrectly. label Jul 10, 2026
Review follow-ups: when both fragment renders and emit-contract fail,
the E_EMIT_CONTRACT_FAILED message now also names the failed fragments
so neither cause is hidden. Add an executable end-to-end test that runs
main() with stubbed tooling (oras, npm, deploy-config-schema) forcing
render failures, asserting the E_RENDER_FAILED exit path is reachable,
names the env/fragment pairs, and the gate summary reason carries
render-failed:<list>.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type: bug Something is broken or behaving incorrectly.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant