test(mutate): add Extract round-trip test for filesystem object preservation #2283

Merged: Subserial merged 2 commits into google:main from blackwell-systems:test-extract-roundtrip on Apr 30, 2026

@blackwell-systems

Contributor

Summary

Adds TestExtractRoundTrip, a comprehensive round-trip test for mutate.Extract that verifies all common filesystem object types survive extraction.

The test programmatically builds a single-layer image containing:

| Object type | Examples |
| --- | --- |
| Regular files | Various permission modes (0644, 0755, 0600) |
| Directories | Standard and restricted modes |
| Relative symlinks | node_modules/.bin/acorn -> ../acorn/bin/acorn |
| Absolute symlinks | /app/link-to-main -> /app/main.js |
| Directory symlinks | app/modules -> node_modules |
| Hard links | app/main-hardlink.js -> app/main.js |

For each entry, the test verifies: type flag, link target, permission mode, and file contents.

Motivation

Addresses #2252. The regression in #2244 (where #2227 inadvertently dropped all symlinks during extraction) would have been caught by this test. The existing Extract tests cover whiteouts and overwritten files but don't verify that symlinks, hard links, and permission modes are preserved.

Testing

$ go test -run TestExtractRoundTrip -v ./pkg/v1/mutate/
=== RUN   TestExtractRoundTrip
--- PASS: TestExtractRoundTrip (0.00s)
PASS

Full pkg/v1/mutate/ test suite passes.
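
The per-entry check listed in the description (type flag, link target, permission mode, contents), as an added stand-alone example that uses only `archive/tar`; it is not the PR's `TestExtractRoundTrip` and does not call `mutate.Extract`. The names `sample`, `build` and `lost` are hypothetical, and the symlink-free layer built in `main` stands in for the regression described under Motivation.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// Constructed sample: one entry per object type in the PR's table.
var sample = []tar.Header{
	{Name: "app/", Typeflag: tar.TypeDir, Mode: 0755},
	{Name: "app/main.js", Typeflag: tar.TypeReg, Mode: 0644, Size: 11},
	{Name: "app/main-hardlink.js", Typeflag: tar.TypeLink, Linkname: "app/main.js", Mode: 0644},
	{Name: "node_modules/.bin/acorn", Typeflag: tar.TypeSymlink, Linkname: "../acorn/bin/acorn", Mode: 0777},
	{Name: "app/link-to-main", Typeflag: tar.TypeSymlink, Linkname: "/app/main.js", Mode: 0777},
	{Name: "app/modules", Typeflag: tar.TypeSymlink, Linkname: "node_modules", Mode: 0777},
}

// build writes hs to an in-memory tar layer (write errors ignored); file content is Name[:Size].
func build(hs []tar.Header) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range hs {
		tw.WriteHeader(&h)
		io.WriteString(tw, h.Name[:h.Size])
	}
	tw.Close()
	return buf.Bytes()
}

// lost lists, in want's order, entries whose type, target, mode or content differs in got.
func lost(want, got []byte) (bad []string) {
	seen := map[string]string{}
	for pass, layer := range [][]byte{got, want} {
		tr := tar.NewReader(bytes.NewReader(layer))
		for h, err := tr.Next(); err == nil; h, err = tr.Next() {
			body, _ := io.ReadAll(tr)
			fp := fmt.Sprintf("%c|%s|%o|%s", h.Typeflag, h.Linkname, h.Mode, body)
			if pass == 0 {
				seen[h.Name] = fp // first pass: record what got contains
			} else if seen[h.Name] != fp {
				bad = append(bad, h.Name) // second pass: want entry missing or altered
			}
		}
	}
	return bad
}

func main() { fmt.Println(lost(build(sample), build(sample[:3]))) } // sample[:3] has no symlinks
```

Comparing by name in both directions would also flag entries that appear only in the output; this sketch checks only that nothing expected is lost or altered.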

@codecov-commenter

codecov-commenter commented Apr 30, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.85%. Comparing base (5cfc2a4) to head (6b51dc1).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2283   +/-   ##
=======================================
  Coverage   56.85%   56.85%           
=======================================
  Files         166      166           
  Lines       11279    11279           
=======================================
  Hits         6413     6413           
  Misses       4100     4100           
  Partials      766      766           

@Subserial

Contributor

Thanks for the test! Looks like the tar opener function is deprecated. Once that is fixed, I'd be happy to merge this PR.

…rvation

Adds TestExtractRoundTrip which builds a single-layer image containing
every common filesystem object type and verifies that mutate.Extract
preserves all entries:

- Regular files with various permission modes (0644, 0755, 0600)
- Directories with different modes
- Relative symlinks (e.g. node_modules/.bin/acorn -> ../acorn/bin/acorn)
- Absolute symlinks (pointing within the image)
- Directory symlinks
- Hard links

For each entry, the test verifies the type flag, link target, permission
mode, and file contents survive the round trip.

This would have caught google#2244, where a security fix (google#2227) inadvertently
dropped all symlinks during extraction.

Addresses google#2252

Signed-off-by: Dayna Blackwell <dayna@blackwell-systems.com>

Subserial merged commit f1eecab into google:main on Apr 30, 2026
17 checks passed
Subserial pushed a commit to Subserial/go-containerregistry that referenced this pull request May 15, 2026