370 lines
18 KiB
Ruby
370 lines
18 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require_relative "spec_helper"
|
|
|
|
# Verifies the GraphQL queries used by SnapshotCommand match Railway's
|
|
# public schema shape (as of 2026-05). The mocks here mirror real Railway
|
|
# responses; any drift between this file and the live schema means the
|
|
# tool will fail at runtime — which is exactly the bug this PR fixes.
|
|
class SnapshotGraphqlTest < Minitest::Test
|
|
# Fake GraphQL client that returns canned responses keyed by query name.
|
|
class FakeGQL
|
|
def initialize(responses)
|
|
@responses = responses
|
|
@calls = []
|
|
end
|
|
|
|
attr_reader :calls
|
|
|
|
def query(query_str, variables = {})
|
|
@calls << [query_str, variables]
|
|
# Match on the operation name (the line after `query `) so we can
|
|
# serve different mocks for SERVICES_LIST_QUERY,
|
|
# SERVICE_INSTANCE_QUERY, ENVIRONMENT_VARIABLES_QUERY.
|
|
op = query_str[/query\s+(\w+)/, 1]
|
|
response = @responses[op] || @responses[:default]
|
|
raise "no fake response for op=#{op.inspect}" unless response
|
|
response.respond_to?(:call) ? response.call(variables) : response
|
|
end
|
|
end
|
|
|
|
def services_list_response
|
|
{
|
|
"project" => {
|
|
"id" => Railway::PROJECT_ID,
|
|
"name" => "showcase",
|
|
"services" => {
|
|
"edges" => [
|
|
{ "node" => { "id" => "svc-aimock", "name" => "aimock" } },
|
|
{ "node" => { "id" => "svc-shell", "name" => "shell" } },
|
|
],
|
|
},
|
|
},
|
|
}
|
|
end
|
|
|
|
def env_vars_response_with_per_service_keys
|
|
{
|
|
"environment" => {
|
|
"id" => Railway::PRODUCTION_ENV_ID,
|
|
"name" => "production",
|
|
"variables" => {
|
|
"edges" => [
|
|
{ "node" => { "name" => "PORT", "serviceId" => "svc-aimock", "isSealed" => false } },
|
|
{ "node" => { "name" => "NODE_OPTIONS","serviceId" => "svc-aimock", "isSealed" => false } },
|
|
{ "node" => { "name" => "API_KEY", "serviceId" => "svc-shell", "isSealed" => true } },
|
|
],
|
|
},
|
|
},
|
|
}
|
|
end
|
|
|
|
def service_instance_response(image:, start_cmd: nil, domains: [],
|
|
healthcheck_path: nil, region: nil,
|
|
num_replicas: nil, restart_policy: nil)
|
|
{
|
|
"serviceInstance" => {
|
|
"id" => "inst-#{image[/sha256:[a-f0-9]+/] || 'tag'}",
|
|
"serviceId" => "svc-aimock",
|
|
"environmentId" => Railway::PRODUCTION_ENV_ID,
|
|
"startCommand" => start_cmd,
|
|
"healthcheckPath" => healthcheck_path,
|
|
"region" => region,
|
|
"numReplicas" => num_replicas,
|
|
"restartPolicyType" => restart_policy,
|
|
"source" => { "image" => image, "repo" => nil },
|
|
"latestDeployment" => { "id" => "dep-1", "status" => "SUCCESS" },
|
|
"domains" => {
|
|
"customDomains" => domains.map { |d| { "id" => "cd-#{d}", "domain" => d } },
|
|
"serviceDomains" => [],
|
|
},
|
|
},
|
|
}
|
|
end
|
|
|
|
def test_limit_override_warn_is_unimplementable_via_real_snapshot
|
|
# Regression guard for the DROPPED limitOverride WARN. A
|
|
# limitOverride (CPU/memory cap) divergence WARN was originally
|
|
# specified for check_resource_divergence, but it was dead code: it
|
|
# compared snapshot["limit_override"] values that build_snapshot never
|
|
# captures, because Railway's GraphQL ServiceInstance type exposes NO
|
|
# readable limit field (verified by introspection 2026-06 — the only
|
|
# related surface is the write-only serviceInstanceLimitsUpdate mutation
|
|
# taking ServiceInstanceLimitsUpdateInput{memoryGB,vCPUs}; the
|
|
# ServiceInstanceLimit type is an opaque scalar with no readable fields).
|
|
#
|
|
# This guard drives a divergence through the REAL capture path
|
|
# (build_snapshot) — even injecting a hypothetical limit into the fake
|
|
# serviceInstance response — and asserts: (a) build_snapshot drops it
|
|
# (no limit_override key survives), and (b) check_resource_divergence
|
|
# emits NO limitOverride WARN. If Railway ever adds a readable limit
|
|
# field and someone wires it through SERVICE_INSTANCE_QUERY + the
|
|
# snapshot hash, this guard flips and signals the WARN can be re-added.
|
|
build = lambda do |limit|
|
|
fake = FakeGQL.new(
|
|
"ProjectServices" => {
|
|
"project" => { "id" => Railway::PROJECT_ID, "name" => "showcase",
|
|
"services" => { "edges" => [{ "node" => { "id" => "svc-x", "name" => "x" } }] } },
|
|
},
|
|
"EnvVariables" => { "environment" => { "id" => "e", "name" => "n",
|
|
"variables" => { "edges" => [] } } },
|
|
"ServiceInstance" => service_instance_response(
|
|
image: "ghcr.io/copilotkit/x@sha256:cafef00d",
|
|
).tap { |r| r["serviceInstance"]["serviceLimitOverride"] = limit },
|
|
)
|
|
cmd = Railway::SnapshotCommand.new(["--env", "production", "--dry-run"])
|
|
cmd.instance_variable_set(:@gql, fake)
|
|
cmd.build_snapshot(Railway::PRODUCTION_ENV_ID)
|
|
end
|
|
staging = build.call("memoryGB" => 4.0, "vCPUs" => 2.0)
|
|
prod = build.call("memoryGB" => 1.0, "vCPUs" => 1.0)
|
|
|
|
# (a) the real snapshot path captures no limit field at all.
|
|
staging["services"].each { |s| assert_nil s["limit_override"] }
|
|
prod["services"].each { |s| assert_nil s["limit_override"] }
|
|
|
|
# (b) consequently the dropped WARN cannot (and does not) fire.
|
|
c = Railway::PromoteCommand.new(["--non-interactive", "--yes"])
|
|
c.parser.parse!(c.argv)
|
|
findings = c.check_resource_divergence(staging, prod)
|
|
assert(findings.none? { |f| f =~ /limitOverride/i },
|
|
"limitOverride WARN was dropped as unimplementable dead code; it must " \
|
|
"not reappear unless build_snapshot genuinely captures a limit field — " \
|
|
"got #{findings.inspect}")
|
|
end
|
|
|
|
def test_build_snapshot_uses_corrected_field_names_and_produces_pinned_entries
|
|
fake = FakeGQL.new(
|
|
"ProjectServices" => services_list_response,
|
|
"EnvVariables" => env_vars_response_with_per_service_keys,
|
|
"ServiceInstance" => lambda do |vars|
|
|
if vars[:serviceId] == "svc-aimock"
|
|
service_instance_response(
|
|
image: "ghcr.io/copilotkit/showcase-aimock@sha256:cafef00d",
|
|
start_cmd: "node /app/dist/cli.js",
|
|
domains: ["aimock.showcase.copilotkit.ai"],
|
|
)
|
|
else
|
|
service_instance_response(
|
|
image: "ghcr.io/copilotkit/showcase-shell@sha256:beef1234",
|
|
domains: [],
|
|
)
|
|
end
|
|
end,
|
|
)
|
|
|
|
cmd = Railway::SnapshotCommand.new(["--env", "production", "--dry-run"])
|
|
cmd.instance_variable_set(:@gql, fake)
|
|
|
|
snap = cmd.build_snapshot(Railway::PRODUCTION_ENV_ID)
|
|
|
|
assert_equal 2, snap["version"]
|
|
assert_equal 2, snap["services"].length
|
|
|
|
aimock = snap["services"].find { |s| s["name"] == "aimock" }
|
|
assert_equal "ghcr.io/copilotkit/showcase-aimock@sha256:cafef00d", aimock["image"]
|
|
assert_equal "sha256:cafef00d", aimock["digest"]
|
|
assert_equal "ghcr.io/copilotkit/showcase-aimock", aimock["image_tag"]
|
|
assert_equal "node /app/dist/cli.js", aimock["start_command"]
|
|
assert_equal ["aimock.showcase.copilotkit.ai"], aimock["custom_domains"]
|
|
assert_equal %w[NODE_OPTIONS PORT], aimock["env_keys"]
|
|
assert_equal "dep-1", aimock["latest_deployment_id"]
|
|
|
|
shell = snap["services"].find { |s| s["name"] == "shell" }
|
|
assert_equal ["API_KEY"], shell["env_keys"]
|
|
assert_equal [], shell["custom_domains"]
|
|
end
|
|
|
|
def test_lint_prod_marks_mutable_tag_when_image_is_unpinned
|
|
fake = FakeGQL.new(
|
|
"ProjectServices" => services_list_response,
|
|
"EnvVariables" => env_vars_response_with_per_service_keys,
|
|
"ServiceInstance" => lambda do |vars|
|
|
# Both return an unpinned :latest tag.
|
|
service_instance_response(
|
|
image: "ghcr.io/copilotkit/#{vars[:serviceId]}:latest",
|
|
)
|
|
end,
|
|
)
|
|
snap_cmd = Railway::SnapshotCommand.new(["--env", "production", "--dry-run"])
|
|
snap_cmd.instance_variable_set(:@gql, fake)
|
|
snap = snap_cmd.build_snapshot(Railway::PRODUCTION_ENV_ID)
|
|
|
|
# All services are mutable-tag because none have @sha256:.
|
|
snap["services"].each do |svc|
|
|
refute svc["image"].include?("@sha256:"), "expected mutable tag for #{svc['name']}"
|
|
assert_nil svc["digest"], "expected nil digest for #{svc['name']}"
|
|
end
|
|
end
|
|
|
|
def test_build_snapshot_queries_use_only_supported_fields
|
|
# Regression guard: the previous version of this tool referenced
|
|
# `Project.domains` and `Service.serviceInstances`, both of which do
|
|
# NOT exist in Railway's public GraphQL schema. Ensure those tokens
|
|
# never reappear in the query constants.
|
|
sources = [
|
|
Railway::SERVICES_LIST_QUERY,
|
|
Railway::SERVICE_INSTANCE_QUERY,
|
|
Railway::ENVIRONMENT_VARIABLES_QUERY,
|
|
]
|
|
sources.each do |q|
|
|
refute_match(/project\s*\([^)]*\)\s*\{[^}]*\bdomains\b/m, q,
|
|
"Project has no `domains` field — use serviceInstance.domains or the top-level domains query.")
|
|
refute_match(/\bserviceInstances\b/m, q,
|
|
"Service has no `serviceInstances` field — use serviceInstance(serviceId, environmentId) directly.")
|
|
end
|
|
end
|
|
|
|
def test_deploy_mutation_uses_serviceInstanceDeployV2_not_redeploy
|
|
# Bug #2: serviceInstanceRedeploy replays the EXISTING deployment's
|
|
# snapshot (its OLD image), so a freshly pinned source.image never
|
|
# reaches the running container. Pinning must go through
|
|
# serviceInstanceUpdate (source.image) + serviceInstanceDeployV2, which
|
|
# spawns a NEW deployment that PULLS the updated source.image.
|
|
#
|
|
# serviceInstanceDeployV2 has signature (serviceId, environmentId,
|
|
# commitSha?) and does NOT accept an `image` arg — the image is carried
|
|
# by the preceding serviceInstanceUpdate.
|
|
refute_match(/serviceInstanceDeployV2\s*\([^)]*\bimage\b/m,
|
|
Railway::RestoreCommand::DEPLOY_V2_MUTATION,
|
|
"DeployV2 must not be called with an image arg.")
|
|
assert_match(/serviceInstanceUpdate\s*\(/, Railway::RestoreCommand::UPDATE_IMAGE_MUTATION)
|
|
assert_match(/source:\s*\{\s*image:/, Railway::RestoreCommand::UPDATE_IMAGE_MUTATION)
|
|
assert_match(/serviceInstanceDeployV2\s*\(/, Railway::RestoreCommand::DEPLOY_V2_MUTATION)
|
|
# The bug-#2 trap: serviceInstanceRedeploy must NOT be the deploy path.
|
|
refute Railway::RestoreCommand.const_defined?(:REDEPLOY_MUTATION),
|
|
"serviceInstanceRedeploy must be removed — it replays the old image (bug #2)."
|
|
end
|
|
|
|
def test_snapshot_v2_captures_healthcheck_region_replicas_restart_policy
|
|
# P6 parity-matrix needs these four fields on every snapshot service.
|
|
# Snapshot schema is v2; SnapshotCommand#build_snapshot must map them
|
|
# from the new SERVICE_INSTANCE_QUERY selection set.
|
|
fake = FakeGQL.new(
|
|
"ProjectServices" => services_list_response,
|
|
"EnvVariables" => env_vars_response_with_per_service_keys,
|
|
"ServiceInstance" => lambda do |vars|
|
|
if vars[:serviceId] == "svc-aimock"
|
|
service_instance_response(
|
|
image: "ghcr.io/copilotkit/showcase-aimock@sha256:cafef00d",
|
|
start_cmd: "node /app/dist/cli.js",
|
|
domains: ["aimock.showcase.copilotkit.ai"],
|
|
healthcheck_path: "/healthz",
|
|
region: "us-west2",
|
|
num_replicas: 2,
|
|
restart_policy: "ON_FAILURE",
|
|
)
|
|
else
|
|
service_instance_response(
|
|
image: "ghcr.io/copilotkit/showcase-shell@sha256:beef1234",
|
|
healthcheck_path: "/health",
|
|
region: "us-east1",
|
|
num_replicas: 1,
|
|
restart_policy: "ALWAYS",
|
|
)
|
|
end
|
|
end,
|
|
)
|
|
|
|
cmd = Railway::SnapshotCommand.new(["--env", "production", "--dry-run"])
|
|
cmd.instance_variable_set(:@gql, fake)
|
|
snap = cmd.build_snapshot(Railway::PRODUCTION_ENV_ID)
|
|
|
|
aimock = snap["services"].find { |s| s["name"] == "aimock" }
|
|
assert_equal "/healthz", aimock["healthcheck_path"]
|
|
assert_equal "us-west2", aimock["region"]
|
|
assert_equal 2, aimock["replicas"]
|
|
assert_equal "ON_FAILURE", aimock["restart_policy"]
|
|
|
|
shell = snap["services"].find { |s| s["name"] == "shell" }
|
|
assert_equal "/health", shell["healthcheck_path"]
|
|
assert_equal "us-east1", shell["region"]
|
|
assert_equal 1, shell["replicas"]
|
|
assert_equal "ALWAYS", shell["restart_policy"]
|
|
end
|
|
|
|
def test_snapshot_io_read_accepts_v1_and_v2_snapshots
|
|
# rollback-commit replays historical snapshots from arbitrary git SHAs,
|
|
# so SnapshotIO.read MUST stay backwards-compat with v1 even though
|
|
# all NEW snapshots are written as v2.
|
|
require "tempfile"
|
|
[1, 2].each do |ver|
|
|
Tempfile.create(["snap-v#{ver}", ".yaml"]) do |f|
|
|
f.write(YAML.dump("version" => ver, "services" => []))
|
|
f.flush
|
|
snap = Railway::SnapshotIO.read(f.path)
|
|
assert_equal ver, snap["version"]
|
|
end
|
|
end
|
|
end
|
|
|
|
def test_deploymentRollback_mutation_has_no_selection_set_because_it_returns_boolean
|
|
# deploymentRollback's return type is Boolean (scalar). GraphQL
|
|
# forbids a selection set on scalar fields.
|
|
refute_match(/deploymentRollback\s*\([^)]*\)\s*\{/m,
|
|
Railway::RollbackCommand::ROLLBACK_MUTATION,
|
|
"deploymentRollback returns Boolean; no selection set allowed.")
|
|
end
|
|
|
|
def test_build_snapshot_skips_service_whose_instance_throws_not_found_instead_of_aborting
|
|
# Regression: run 27144525566. A single odd/half-deleted service in the
|
|
# project list threw `GraphQL: ServiceInstance not found` from the
|
|
# per-service serviceInstance query. The only guard was `next if
|
|
# inst.nil?` — it handled a NULL result but not a THROWN error, so the
|
|
# error bubbled to Railway.run's top-level `rescue GraphQL::Error` and
|
|
# aborted the ENTIRE promote (opaque exit 2) before any preflight ran.
|
|
#
|
|
# build_snapshot must tolerate a thrown per-service `ServiceInstance not
|
|
# found` the same way it tolerates nil: skip that one service and keep
|
|
# going, so the healthy services still produce a usable snapshot.
|
|
fake = FakeGQL.new(
|
|
"ProjectServices" => services_list_response,
|
|
"EnvVariables" => env_vars_response_with_per_service_keys,
|
|
"ServiceInstance" => lambda do |vars|
|
|
if vars[:serviceId] == "svc-aimock"
|
|
# Half-deleted / instance-less service: Railway throws this
|
|
# exact GraphQL error rather than returning null.
|
|
raise Railway::GraphQL::Error, "GraphQL: ServiceInstance not found"
|
|
else
|
|
service_instance_response(
|
|
image: "ghcr.io/copilotkit/showcase-shell@sha256:beef1234",
|
|
domains: [],
|
|
)
|
|
end
|
|
end,
|
|
)
|
|
|
|
cmd = Railway::SnapshotCommand.new(["--env", "production", "--dry-run"])
|
|
cmd.instance_variable_set(:@gql, fake)
|
|
|
|
snap = cmd.build_snapshot(Railway::PRODUCTION_ENV_ID)
|
|
|
|
# The thrown service is skipped; the healthy one survives.
|
|
names = snap["services"].map { |s| s["name"] }
|
|
assert_equal ["shell"], names, "the instance-less service must be skipped, not abort the snapshot"
|
|
shell = snap["services"].find { |s| s["name"] == "shell" }
|
|
assert_equal "ghcr.io/copilotkit/showcase-shell@sha256:beef1234", shell["image"]
|
|
end
|
|
|
|
def test_build_snapshot_does_not_swallow_unrelated_graphql_errors
|
|
# The per-service tolerance MUST be narrow: only a `ServiceInstance not
|
|
# found` error for an individual service is skippable. Any OTHER GraphQL
|
|
# failure (auth, rate-limit, schema drift, transient 5xx surfaced as a
|
|
# GraphQL error) must still propagate fail-loud — never silently hidden.
|
|
fake = FakeGQL.new(
|
|
"ProjectServices" => services_list_response,
|
|
"EnvVariables" => env_vars_response_with_per_service_keys,
|
|
"ServiceInstance" => lambda do |_vars|
|
|
raise Railway::GraphQL::Error, "GraphQL: Not Authorized"
|
|
end,
|
|
)
|
|
|
|
cmd = Railway::SnapshotCommand.new(["--env", "production", "--dry-run"])
|
|
cmd.instance_variable_set(:@gql, fake)
|
|
|
|
assert_raises(Railway::GraphQL::Error) do
|
|
cmd.build_snapshot(Railway::PRODUCTION_ENV_ID)
|
|
end
|
|
end
|
|
end
|