Problem
The OIDC mint migration (#503) breaks E2E tests. The admin install E2E flow now provisions real GCP infrastructure (WIF pool/provider, Secret Manager secrets, Cloud Function), but the test suite uses a fake e2eDispatcher{} that doesn't create any of this.
The triage dispatch smoke test (line ~592 in e2e/admin/admin_test.go) triggers a real GitHub Actions workflow run. That workflow calls google-github-actions/auth@v3 to exchange a GitHub OIDC token for GCP credentials via the mint Cloud Function. Without a real WIF provider and deployed mint function, the token exchange fails and the workflow errors out.
What's faked vs what's real

| Component | Current E2E | Needed |
| --- | --- | --- |
| GitHub App creation | Real (Playwright manifest flow) | No change |
| App PEM storage | Skipped by fake dispatcher | Real Secret Manager secrets |
| WIF pool/provider | Skipped by fake dispatcher | Real WIF with GitHub OIDC |
| Cloud Function (mint) | Skipped by fake dispatcher | Real deployed function |
| FULLSEND_MINT_URL org var | Set to placeholder by fake | Must point to real function URL |
| Workflow dispatch | Real (gh workflow run) | No change |
| OIDC token exchange | Fails — no WIF/mint exists | Must succeed against real mint |
Key code references
- e2e/admin/admin_test.go:835 — buildTestLayerStack passes &e2eDispatcher{} to NewOIDCDispatchLayer
- e2e/admin/admin_test.go:452 — verifyInstalled checks that the FULLSEND_MINT_URL org variable exists
- e2e/admin/admin_test.go:592 — triage dispatch smoke test triggers a real workflow
Required GCP resources
A dedicated GCP project for E2E testing needs:
- Workload Identity Federation
  - WIF pool (e.g., fullsend-e2e-pool)
  - WIF provider with GitHub OIDC issuer, attributeCondition scoped to the E2E org
  - Allowed audiences: custom audience + IAM-format URI
- Secret Manager
  - Org-scoped PEM secrets: fullsend-{org}--{role}-app-pem for each agent role
  - Service account must have secretmanager.versions.access
- Cloud Functions (2nd gen)
  - Deployed mint function with env vars: ALLOWED_ORGS, ROLE_APP_IDS, WIF_POOL_NAME, WIF_PROVIDER_NAME, OIDC_AUDIENCE, GCP_PROJECT_NUMBER
- Service Account
  - With roles: roles/cloudfunctions.admin, roles/iam.workloadIdentityPoolAdmin, roles/secretmanager.admin, roles/iam.serviceAccountUser
  - JSON key stored as a GitHub Actions secret
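To make the WIF provider requirements above (GitHub issuer, allowed audiences, org-scoped attributeCondition) and the "audience mismatch" failure concrete, here is an added Go example, not project code, that models the checks a WIF provider applies to a GitHub OIDC token before any exchange happens. The project number, pool/provider names and org are constructed placeholders, and signature and expiry validation, which the real provider also performs, are deliberately left out of this model.

```go
package main

import "fmt"

// Subset of the GitHub OIDC token claims a WIF provider evaluates.
type ghClaims struct{ Iss, Aud, RepositoryOwner string }

// wifPolicy models the provider settings the issue lists: issuer, allowed audiences, org condition.
type wifPolicy struct {
	Issuer, AllowedOrg string
	Audiences          []string
}

// iamAudience returns the IAM-format audience URI for a pool/provider.
func iamAudience(projectNumber, pool, provider string) string {
	return "//iam.googleapis.com/projects/" + projectNumber + "/locations/global/workloadIdentityPools/" + pool + "/providers/" + provider
}

// evaluate applies the checks in provider order (issuer, audience, attribute condition); "" means accepted.
func evaluate(p wifPolicy, c ghClaims) string {
	if c.Iss != p.Issuer {
		return "issuer mismatch: " + c.Iss
	}
	for _, a := range p.Audiences {
		if a == c.Aud {
			if c.RepositoryOwner != p.AllowedOrg {
				return "attribute condition failed: repository_owner=" + c.RepositoryOwner
			}
			return "" // accepted: the mint function can now exchange this token
		}
	}
	return "audience mismatch: " + c.Aud // the failure mode the issue describes
}

func main() {
	// Constructed placeholders: the project number, pool/provider names and org are not real.
	p := wifPolicy{
		Issuer:     "https://token.actions.githubusercontent.com",
		Audiences:  []string{"fullsend-mint", iamAudience("123456789012", "fullsend-e2e-pool", "github-oidc")},
		AllowedOrg: "fullsend-e2e-org",
	}
	for _, c := range []ghClaims{
		{p.Issuer, "fullsend-mint", "fullsend-e2e-org"},                      // accepted
		{p.Issuer, "https://github.com/fullsend-e2e-org", "fullsend-e2e-org"}, // GitHub's default aud, not allowed
		{p.Issuer, "fullsend-mint", "someone-else"},                           // outside the E2E org
	} {
		fmt.Printf("aud=%q owner=%q -> %q\n", c.Aud, c.RepositoryOwner, evaluate(p, c))
	}
}
```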
New CI environment variables / secrets
| Name | Type | Description |
| --- | --- | --- |
| E2E_GCP_PROJECT_ID | Secret | GCP project ID for E2E mint infrastructure |
| E2E_GCP_PROJECT_NUMBER | Secret | GCP project number (for WIF audience) |
| E2E_GCP_SA_KEY | Secret | Service account JSON key for provisioning |
| E2E_WIF_POOL_NAME | Var | WIF pool name (e.g., fullsend-e2e-pool) |
| E2E_WIF_PROVIDER_NAME | Var | WIF provider name (e.g., github-oidc) |
Options
Option A: Real GCP project in CI (recommended)
Stand up a dedicated GCP project for E2E. The provisioner already handles idempotent creation (409 = exists). Each E2E run would:
- Use the real GCFProvisioner instead of e2eDispatcher{}
- Provision WIF + secrets + function (idempotent, fast on repeat runs)
- Run the full admin install flow including triage dispatch
- Teardown is optional — resources are scoped to the E2E org
Pros: Tests the real path end-to-end. Catches issues like the WIF audience mismatch that unit tests miss.
Cons: Requires GCP project setup, costs (minimal — Cloud Functions free tier), CI secret management.
Option B: Enhanced fake dispatcher
Keep e2eDispatcher{} but make it smarter — deploy a mock HTTP endpoint that returns valid-looking tokens without real GCP. Skip the OIDC exchange in the workflow.
Pros: No GCP dependency.
Cons: Doesn't test the actual token exchange path. Misses real integration issues.
Related