
Commit da27088

committed
ci(e2e): gate live messaging secrets
1 parent bfbe606 commit da27088

4 files changed

Lines changed: 43 additions & 11 deletions


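--- a/.github/workflows/e2e-script.yaml
+++ b/.github/workflows/e2e-script.yaml
@@ -57,6 +57,11 @@ on:
 required: false
 type: boolean
 default: false
+messaging_live_secrets:
+description: Pass optional live messaging provider secrets to the script.
+required: false
+type: boolean
+default: false
 secrets:
 NVIDIA_API_KEY:
 required: false
@@ -189,10 +194,10 @@ jobs:
 BRAVE_API_KEY: ${{ inputs.brave_api_key && secrets.BRAVE_API_KEY || '' }}
 GITHUB_TOKEN: ${{ inputs.github_token && github.token || '' }}
 NVIDIA_API_KEY: ${{ inputs.nvidia_api_key && secrets.NVIDIA_API_KEY || '' }}
-TELEGRAM_BOT_TOKEN_REAL: ${{ secrets.TELEGRAM_BOT_TOKEN_REAL }}
-TELEGRAM_CHAT_ID_E2E: ${{ secrets.TELEGRAM_CHAT_ID_E2E }}
-DISCORD_BOT_TOKEN_REAL: ${{ secrets.DISCORD_BOT_TOKEN_REAL }}
-DISCORD_CHANNEL_ID_E2E: ${{ secrets.DISCORD_CHANNEL_ID_E2E }}
-SLACK_BOT_TOKEN_REAL: ${{ secrets.SLACK_BOT_TOKEN_REAL }}
-SLACK_APP_TOKEN_REAL: ${{ secrets.SLACK_APP_TOKEN_REAL }}
-SLACK_CHANNEL_ID_E2E: ${{ secrets.SLACK_CHANNEL_ID_E2E }}
+TELEGRAM_BOT_TOKEN_REAL: ${{ inputs.messaging_live_secrets && secrets.TELEGRAM_BOT_TOKEN_REAL || '' }}
+TELEGRAM_CHAT_ID_E2E: ${{ inputs.messaging_live_secrets && secrets.TELEGRAM_CHAT_ID_E2E || '' }}
+DISCORD_BOT_TOKEN_REAL: ${{ inputs.messaging_live_secrets && secrets.DISCORD_BOT_TOKEN_REAL || '' }}
+DISCORD_CHANNEL_ID_E2E: ${{ inputs.messaging_live_secrets && secrets.DISCORD_CHANNEL_ID_E2E || '' }}
+SLACK_BOT_TOKEN_REAL: ${{ inputs.messaging_live_secrets && secrets.SLACK_BOT_TOKEN_REAL || '' }}
+SLACK_APP_TOKEN_REAL: ${{ inputs.messaging_live_secrets && secrets.SLACK_APP_TOKEN_REAL || '' }}
+SLACK_CHANNEL_ID_E2E: ${{ inputs.messaging_live_secrets && secrets.SLACK_CHANNEL_ID_E2E || '' }}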
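Review bot: The new `messaging_live_secrets` input is one switch for all seven `*_REAL`/`*_E2E` entries in the second hunk, unlike the neighbouring `brave_api_key`/`nvidia_api_key`/`github_token` inputs that each gate a single value, and its description names neither the values it controls nor the empty-string fallback. Suggest `description: Forward the TELEGRAM_*, DISCORD_* and SLACK_* live messaging secrets to the script; when false each of them is set to ''.` Because this is a workflow_call boolean, the guard is only as strong as the caller — a caller that sets it true and passes the secrets receives them — which matches how nightly-e2e.yaml uses it in this commit. The `secrets:` declarations for these names are outside the hunk; presumably they stay `required: false` so callers that leave the flag off need not supply them, which is worth confirming.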

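--- a/.github/workflows/nightly-e2e.yaml
+++ b/.github/workflows/nightly-e2e.yaml
@@ -338,6 +338,7 @@ jobs:
 env_json: '{"DISCORD_BOT_TOKEN":"test-fake-discord-token-e2e","NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE":"1","NEMOCLAW_NON_INTERACTIVE":"1","NEMOCLAW_POLICY_TIER":"open","NEMOCLAW_SANDBOX_NAME":"e2e-msg-provider","SLACK_APP_TOKEN":"xapp-fake-slack-app-token-e2e","SLACK_BOT_TOKEN":"xoxb-fake-slack-token-e2e","TELEGRAM_BOT_TOKEN":"test-fake-telegram-token-e2e"}'
 nvidia_api_key: true
 github_token: true
+messaging_live_secrets: true
 secrets:
 NVIDIA_API_KEY: ${{ secrets.NVIDIA_API_KEY }}
 BRAVE_API_KEY: ${{ secrets.BRAVE_API_KEY }}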
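Review bot: The `with:` block that the new `messaging_live_secrets: true` joins starts before the hunk, so the job name is not visible here; from the `NEMOCLAW_SANDBOX_NAME` value in `env_json` it is presumably the messaging-providers job that the updated tests single out. A one-line comment above the flag would spare the next reader that cross-reference: `# Opt in to live messaging tokens; test/e2e-script-workflow.test.ts asserts every other job leaves this unset.`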

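--- a/test/e2e-script-workflow.test.ts
+++ b/test/e2e-script-workflow.test.ts
@@ -54,14 +54,36 @@ describe("E2E reusable workflow contract", () => {
 
 expect(reusableJobs.length).toBeGreaterThan(20);
 for (const [name, job] of reusableJobs) {
+const expectsLiveMessaging = name === "messaging-providers-e2e";
 const expectedSecrets =
-name === "messaging-providers-e2e"
-? { ...defaultSecrets, ...messagingLiveSecrets }
-: defaultSecrets;
+expectsLiveMessaging ? { ...defaultSecrets, ...messagingLiveSecrets } : defaultSecrets;
 expect(job.secrets, name).toEqual(expectedSecrets);
+expect(job.with?.messaging_live_secrets ?? false, name).toBe(expectsLiveMessaging);
 }
 });
 
+it("requires an explicit opt-in before exposing live messaging secrets to scripts", () => {
+const callInputs =
+runnerWorkflow.on?.workflow_call?.inputs ??
+runnerWorkflow.true?.workflow_call?.inputs ??
+{};
+const runStep = runnerWorkflow.jobs.run.steps.find((step) => step.name === "Run E2E script");
+
+expect(callInputs.messaging_live_secrets?.default).toBe(false);
+expect(runStep?.env?.TELEGRAM_BOT_TOKEN_REAL).toBe(
+"${{ inputs.messaging_live_secrets && secrets.TELEGRAM_BOT_TOKEN_REAL || '' }}",
+);
+expect(runStep?.env?.DISCORD_BOT_TOKEN_REAL).toBe(
+"${{ inputs.messaging_live_secrets && secrets.DISCORD_BOT_TOKEN_REAL || '' }}",
+);
+expect(runStep?.env?.SLACK_BOT_TOKEN_REAL).toBe(
+"${{ inputs.messaging_live_secrets && secrets.SLACK_BOT_TOKEN_REAL || '' }}",
+);
+expect(runStep?.env?.SLACK_APP_TOKEN_REAL).toBe(
+"${{ inputs.messaging_live_secrets && secrets.SLACK_APP_TOKEN_REAL || '' }}",
+);
+});
+
 it("authenticates Docker Hub pulls without exposing credentials to target-ref dispatches", () => {
 const authStep = runnerWorkflow.jobs.run.steps.find(
 (step) => step.name === "Authenticate to Docker Hub",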
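Review bot: The new `it("requires an explicit opt-in ...")` test asserts the gated form for only four of the seven env entries the workflow hunk changes; `TELEGRAM_CHAT_ID_E2E`, `DISCORD_CHANNEL_ID_E2E` and `SLACK_CHANNEL_ID_E2E` are never checked, so a regression that restores the unconditional `${{ secrets.X }}` form for one of them would pass here. Iterating over the full list with the name as the assertion message closes that gap and removes the four repeated blocks. The `runnerWorkflow.true?.workflow_call` fallback also deserves a comment, e.g. `// YAML 1.1 readers parse the bare key \`on\` as boolean true, so accept both spellings.` The enclosing describe block starts before the hunk.
```typescript
const runStep = runnerWorkflow.jobs.run.steps.find((step) => step.name === "Run E2E script");
// … unchanged: callInputs lookup and the default === false assertion …
const gatedMessagingEnv = [
  "TELEGRAM_BOT_TOKEN_REAL",
  "TELEGRAM_CHAT_ID_E2E",
  "DISCORD_BOT_TOKEN_REAL",
  "DISCORD_CHANNEL_ID_E2E",
  "SLACK_BOT_TOKEN_REAL",
  "SLACK_APP_TOKEN_REAL",
  "SLACK_CHANNEL_ID_E2E",
];
for (const name of gatedMessagingEnv) {
  expect(runStep?.env?.[name], name).toBe(
    `\${{ inputs.messaging_live_secrets && secrets.${name} || '' }}`,
  );
}
```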

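--- a/test/validate-e2e-coverage.test.ts
+++ b/test/validate-e2e-coverage.test.ts
@@ -305,12 +305,16 @@ describe("nightly E2E workflow validation", () => {
 }
 const messagingSecrets =
 (messagingJob?.secrets as Record<string, unknown> | undefined) ?? {};
+const messagingWith = (messagingJob?.with as Record<string, unknown> | undefined) ?? {};
+if (messagingWith.messaging_live_secrets !== true) {
+missing.push("nightly messaging-providers-e2e with.messaging_live_secrets");
+}
 
 for (const name of expectedSecretNames) {
 if (!reusableSecretDefs[name]) {
 missing.push(`workflow_call.secrets.${name}`);
 }
-if (runStepEnv[name] !== `\${{ secrets.${name} }}`) {
+if (runStepEnv[name] !== `\${{ inputs.messaging_live_secrets && secrets.${name} || '' }}`) {
 missing.push(`e2e-script Run E2E script env.${name}`);
 }
 if (messagingSecrets[name] !== `\${{ secrets.${name} }}`) {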
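Review bot: The new `messagingWith` check has no comment explaining why the flag is mandatory for this job, and the strict `!== true` comparison (which also rejects the string `"true"`) is not obvious at a glance; suggest `// The reusable workflow forwards live messaging secrets only when the caller sets with.messaging_live_secrets to boolean true.` The gated expression in the `runStepEnv[name]` comparison is now spelled out verbatim here and again in test/e2e-script-workflow.test.ts, so a future change to the gating form has to be edited in two places — a shared helper such as `gatedSecretExpr(name)` would keep them in step. The enclosing function starts and ends outside the hunk.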
