426e9eeabd
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Waiting to run
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Waiting to run
Build Agent Image / build-and-push (push) Waiting to run
Chat shell gestures / Chat shell gesture + parity e2e (push) Waiting to run
Cloud Gateway Discord / Test (push) Waiting to run
Cloud Gateway Webhook / Test (push) Waiting to run
Cloud Tests / lint-and-types (push) Waiting to run
Cloud Tests / unit-tests (push) Waiting to run
Cloud Tests / integration-tests (push) Waiting to run
Cloud Tests / e2e-tests (push) Blocked by required conditions
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Deploy Apps Worker (Product 2) / Determine environment (push) Waiting to run
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Blocked by required conditions
Deploy Eliza Provisioning Worker / Determine environment (push) Waiting to run
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Blocked by required conditions
Dev Smoke / Classify changed paths (push) Waiting to run
Dev Smoke / bun run dev onboarding chat (push) Blocked by required conditions
Dev Smoke / Vite HMR dependency-level smoke (push) Blocked by required conditions
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Waiting to run
Publish @elizaos/example-code / check_npm (push) Waiting to run
Publish @elizaos/example-code / publish_npm (push) Blocked by required conditions
Publish @elizaos/plugin-elizacloud / verify_version (push) Waiting to run
Publish @elizaos/plugin-elizacloud / publish_npm (push) Blocked by required conditions
Sandbox Live Smoke / Sandbox live smoke (push) Waiting to run
Snap Build & Test / Build Snap (amd64) (push) Waiting to run
Snap Build & Test / Build Snap (arm64) (push) Waiting to run
supply-chain / sbom (push) Waiting to run
supply-chain / vulnerability-scan (push) Waiting to run
Build, Push & Deploy to Phala Cloud / build-and-push (push) Waiting to run
Test Packaging / Validate Packaging Configs (push) Waiting to run
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Waiting to run
Test Packaging / Pack & Test JS Tarballs (push) Waiting to run
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Waiting to run
UI Fixture E2E / ui-fixture-e2e (push) Waiting to run
UI Fixture E2E / fixture-e2e (push) Waiting to run
UI Story Gate / story-gate (push) Waiting to run
vault-ci / test (macos-latest) (push) Waiting to run
vault-ci / test (ubuntu-latest) (push) Waiting to run
vault-ci / test (windows-latest) (push) Waiting to run
vault-ci / app-core wiring tests (push) Waiting to run
verify-patches / verify patches/CHECKSUMS.sha256 (push) Waiting to run
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Waiting to run
Voice Benchmark Smoke / voice bench smoke summary (push) Blocked by required conditions
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Waiting to run
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Waiting to run
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Waiting to run
Test Packaging / Build & Test PyPI Package (push) Waiting to run
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / lint-and-format (push) Has been cancelled
ci / build (push) Has been cancelled
ci / dev-startup (push) Has been cancelled
gitleaks / gitleaks (push) Has been cancelled
Markdown Links / Relative Markdown Links (push) Has been cancelled
Quality (Extended) / Homepage Build (PR smoke) (push) Has been cancelled
Quality (Extended) / Comment-only diff guard (push) Has been cancelled
Quality (Extended) / Format + Type Safety Ratchet (push) Has been cancelled
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Has been cancelled
Quality (Extended) / Develop Gate (lint) (push) Has been cancelled
245 lines
8.3 KiB
JavaScript
245 lines
8.3 KiB
JavaScript
/**
|
|
* Tests for the certification commit-drift check. Fixture repositories are
|
|
* real `git init` repos built in a temp dir per test — no mocked git — so the
|
|
* ancestor and diff semantics under test are exactly what CI runs.
|
|
*/
|
|
|
|
import assert from "node:assert/strict";
|
|
import { execFileSync } from "node:child_process";
|
|
import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
|
|
import { tmpdir } from "node:os";
|
|
import { dirname, join } from "node:path";
|
|
import { after, describe, it } from "node:test";
|
|
import {
|
|
evaluateCommitDrift,
|
|
isAllowedDriftPath,
|
|
readCertCommit,
|
|
} from "./check-commit-drift.mjs";
|
|
|
|
const roots = [];
|
|
after(() => {
|
|
for (const root of roots) rmSync(root, { recursive: true, force: true });
|
|
});
|
|
|
|
function git(repoDir, args) {
|
|
return execFileSync("git", args, {
|
|
cwd: repoDir,
|
|
encoding: "utf8",
|
|
stdio: ["ignore", "pipe", "pipe"],
|
|
}).trim();
|
|
}
|
|
|
|
function makeRepo() {
|
|
const repoDir = mkdtempSync(join(tmpdir(), "cert-drift-test-"));
|
|
roots.push(repoDir);
|
|
git(repoDir, ["init", "-b", "main"]);
|
|
git(repoDir, ["config", "user.email", "drift-test@example.invalid"]);
|
|
git(repoDir, ["config", "user.name", "drift test"]);
|
|
return repoDir;
|
|
}
|
|
|
|
function commitFiles(repoDir, message, files) {
|
|
for (const [relPath, content] of Object.entries(files)) {
|
|
const filePath = join(repoDir, ...relPath.split("/"));
|
|
mkdirSync(dirname(filePath), { recursive: true });
|
|
writeFileSync(filePath, content);
|
|
}
|
|
git(repoDir, ["add", "-A"]);
|
|
git(repoDir, ["commit", "-m", message]);
|
|
return git(repoDir, ["rev-parse", "HEAD"]);
|
|
}
|
|
|
|
describe("isAllowedDriftPath", () => {
|
|
const allowed = [
|
|
"docs/promotion-notes.md",
|
|
"docs/nested/deep/guide.txt",
|
|
"packages/docs/src/pages/index.tsx",
|
|
"README.md",
|
|
"packages/core/CHANGELOG.md",
|
|
".github/pull_request_template.md",
|
|
// The certification artifacts land after the signed commit by necessity;
|
|
// signature + bundleSha protect their content, not the drift rule.
|
|
"certification.json",
|
|
"evidence/bundle/manifest.json",
|
|
"evidence/bundle/lanes/e2e/result.json",
|
|
];
|
|
const disallowed = [
|
|
"packages/core/src/runtime.ts",
|
|
"scripts/run-anything.mjs",
|
|
".github/certification/certification-public-key.pem",
|
|
".github/certification/README.md",
|
|
".github/workflows/certification-verify.yml",
|
|
".github/workflows/ci.yaml",
|
|
".github/actions/setup/action.yml",
|
|
".github/CODEOWNERS",
|
|
".github/ISSUE_TEMPLATE/config.yml",
|
|
"scripts/certification/check-commit-drift.mjs",
|
|
"package.json",
|
|
"bun.lock",
|
|
"docsish/trap.ts",
|
|
"nested/certification.json",
|
|
"evidence/other/file.json",
|
|
];
|
|
for (const path of allowed) {
|
|
it(`allows ${path}`, () => assert.equal(isAllowedDriftPath(path), true));
|
|
}
|
|
for (const path of disallowed) {
|
|
it(`rejects ${path}`, () => assert.equal(isAllowedDriftPath(path), false));
|
|
}
|
|
});
|
|
|
|
describe("readCertCommit", () => {
|
|
it("extracts a full 40-hex commit", () => {
|
|
const dir = mkdtempSync(join(tmpdir(), "cert-drift-cert-"));
|
|
roots.push(dir);
|
|
const sha = "a".repeat(40);
|
|
const certPath = join(dir, "certification.json");
|
|
writeFileSync(certPath, JSON.stringify({ schema: 1, commit: sha }));
|
|
assert.deepEqual(readCertCommit(certPath), { commit: sha });
|
|
});
|
|
|
|
it("reports a missing file instead of throwing", () => {
|
|
const read = readCertCommit(join(tmpdir(), "does-not-exist-cert.json"));
|
|
assert.match(read.error, /certification unreadable/);
|
|
});
|
|
|
|
it("reports malformed JSON", () => {
|
|
const dir = mkdtempSync(join(tmpdir(), "cert-drift-cert-"));
|
|
roots.push(dir);
|
|
const certPath = join(dir, "certification.json");
|
|
writeFileSync(certPath, "{not json");
|
|
assert.match(readCertCommit(certPath).error, /not valid JSON/);
|
|
});
|
|
|
|
it("rejects short or missing commit fields", () => {
|
|
const dir = mkdtempSync(join(tmpdir(), "cert-drift-cert-"));
|
|
roots.push(dir);
|
|
const certPath = join(dir, "certification.json");
|
|
writeFileSync(certPath, JSON.stringify({ commit: "abc123" }));
|
|
assert.match(readCertCommit(certPath).error, /40-hex/);
|
|
writeFileSync(certPath, JSON.stringify({ schema: 1 }));
|
|
assert.match(readCertCommit(certPath).error, /40-hex/);
|
|
});
|
|
});
|
|
|
|
describe("evaluateCommitDrift", () => {
|
|
it("matches when the certification commit equals head", () => {
|
|
const repoDir = makeRepo();
|
|
const sha = commitFiles(repoDir, "base", {
|
|
"packages/core/src/index.ts": "export {};\n",
|
|
});
|
|
const outcome = evaluateCommitDrift({
|
|
certCommit: sha,
|
|
headCommit: sha,
|
|
repoDir,
|
|
});
|
|
assert.equal(outcome.result, "match");
|
|
assert.deepEqual(outcome.driftPaths, []);
|
|
});
|
|
|
|
it("allows docs-only drift after the certified commit", () => {
|
|
const repoDir = makeRepo();
|
|
const certSha = commitFiles(repoDir, "certified tree", {
|
|
"packages/core/src/index.ts": "export {};\n",
|
|
});
|
|
const headSha = commitFiles(repoDir, "docs drift", {
|
|
"docs/promotion-notes.md": "# notes\n",
|
|
"packages/docs/guide.mdx": "guide\n",
|
|
"README.md": "# readme\n",
|
|
".github/pull_request_template.md": "# template\n",
|
|
});
|
|
const outcome = evaluateCommitDrift({
|
|
certCommit: certSha,
|
|
headCommit: headSha,
|
|
repoDir,
|
|
});
|
|
assert.equal(outcome.result, "allowed-drift");
|
|
assert.equal(outcome.driftPaths.length, 4);
|
|
assert.deepEqual(outcome.disallowedPaths, []);
|
|
});
|
|
|
|
it("fails when drift touches source paths, listing the offenders", () => {
|
|
const repoDir = makeRepo();
|
|
const certSha = commitFiles(repoDir, "certified tree", {
|
|
"packages/core/src/index.ts": "export {};\n",
|
|
});
|
|
const headSha = commitFiles(repoDir, "mixed drift", {
|
|
"docs/ok.md": "fine\n",
|
|
"packages/core/src/runtime.ts": "export const x = 1;\n",
|
|
});
|
|
const outcome = evaluateCommitDrift({
|
|
certCommit: certSha,
|
|
headCommit: headSha,
|
|
repoDir,
|
|
});
|
|
assert.equal(outcome.result, "disallowed-drift");
|
|
assert.deepEqual(outcome.disallowedPaths, ["packages/core/src/runtime.ts"]);
|
|
});
|
|
|
|
it("fails when drift touches GitHub workflow or policy paths", () => {
|
|
const repoDir = makeRepo();
|
|
const certSha = commitFiles(repoDir, "certified tree", {
|
|
"packages/core/src/index.ts": "export {};\n",
|
|
});
|
|
const headSha = commitFiles(repoDir, "github policy drift", {
|
|
".github/workflows/ci.yaml": "name: ci\n",
|
|
".github/CODEOWNERS": "* @elizaOS/core\n",
|
|
});
|
|
const outcome = evaluateCommitDrift({
|
|
certCommit: certSha,
|
|
headCommit: headSha,
|
|
repoDir,
|
|
});
|
|
assert.equal(outcome.result, "disallowed-drift");
|
|
assert.deepEqual([...outcome.disallowedPaths].sort(), [
|
|
".github/CODEOWNERS",
|
|
".github/workflows/ci.yaml",
|
|
]);
|
|
});
|
|
|
|
it("fails when drift swaps the trusted public key (the attack the base-key rule exists for)", () => {
|
|
const repoDir = makeRepo();
|
|
const certSha = commitFiles(repoDir, "certified tree", {
|
|
"packages/core/src/index.ts": "export {};\n",
|
|
});
|
|
const headSha = commitFiles(repoDir, "key swap", {
|
|
".github/certification/certification-public-key.pem": "FAKE KEY\n",
|
|
});
|
|
const outcome = evaluateCommitDrift({
|
|
certCommit: certSha,
|
|
headCommit: headSha,
|
|
repoDir,
|
|
});
|
|
assert.equal(outcome.result, "disallowed-drift");
|
|
assert.deepEqual(outcome.disallowedPaths, [
|
|
".github/certification/certification-public-key.pem",
|
|
]);
|
|
});
|
|
|
|
it("fails when the certified commit is not an ancestor of head", () => {
|
|
const repoDir = makeRepo();
|
|
commitFiles(repoDir, "trunk base", { "a.txt": "a\n" });
|
|
git(repoDir, ["checkout", "-b", "side"]);
|
|
const sideSha = commitFiles(repoDir, "side work", { "side.txt": "s\n" });
|
|
git(repoDir, ["checkout", "main"]);
|
|
const headSha = commitFiles(repoDir, "trunk head", { "b.txt": "b\n" });
|
|
const outcome = evaluateCommitDrift({
|
|
certCommit: sideSha,
|
|
headCommit: headSha,
|
|
repoDir,
|
|
});
|
|
assert.equal(outcome.result, "not-ancestor");
|
|
});
|
|
|
|
it("fails when the certified commit does not exist in the repository", () => {
|
|
const repoDir = makeRepo();
|
|
const headSha = commitFiles(repoDir, "only commit", { "a.txt": "a\n" });
|
|
const outcome = evaluateCommitDrift({
|
|
certCommit: "f".repeat(40),
|
|
headCommit: headSha,
|
|
repoDir,
|
|
});
|
|
assert.equal(outcome.result, "cert-commit-unknown");
|
|
});
|
|
});
|