fix(gtea): embed git credentials in URL; fix double /api/v1 path; add git-lfs

- test_git_push.py + test_lfs_roundtrip.py: use cred_url (https://user:pass@host/...)
  instead of GIT_CONFIG_COUNT insteadOf rewriting, which silently failed to
  propagate credentials to the push step (repo remained empty after push exit 0).
  Also add GIT_SSL_NO_VERIFY=true and GIT_TERMINAL_PROMPT=0.
- test_lfs_roundtrip.py: fix restart health-poll path /api/v1/version → /version
  (_api() already prepends /api/v1; double prefix produced 404 and a 120s timeout).
- nix/hosts/cc-ci/configuration.nix: add git-lfs to systemPackages (required for
  the LFS capstone test on the lfs-plain-gitea PR branch).

Adversary pre-M1 findings: Issue 1 (git-lfs absent) + Issue 2 (double path) both fixed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
autonomic-bot
2026-06-15 20:01:31 +00:00
parent fd77b13f9d
commit 893a7b0eb4
3 changed files with 14 additions and 15 deletions


@ -56,6 +56,7 @@
environment.systemPackages = with pkgs; [
curl
git
git-lfs
jq
openssh
];


@ -77,7 +77,9 @@ def test_git_push(live_app):
user=user, password=password,
)
assert status == 201, f"repo create HTTP {status}: {body}"
clone_url = body.get("clone_url") or f"https://{live_app}/{user}/{repo_name}.git"
# Embed credentials directly in the URL so clone + push both work without
# a separate credential helper. Password is a 32-char hex string (URL-safe).
cred_url = f"https://{user}:{password}@{live_app}/{user}/{repo_name}.git"
tmpdir = tempfile.mkdtemp(prefix="ccci-gitea-push-")
try:
@ -86,14 +88,12 @@ def test_git_push(live_app):
"GIT_AUTHOR_EMAIL": "ci@ci.local",
"GIT_COMMITTER_NAME": "CI Test Bot",
"GIT_COMMITTER_EMAIL": "ci@ci.local",
# Embed credentials so HTTPS push works without interactive prompt.
"GIT_CONFIG_COUNT": "1",
"GIT_CONFIG_KEY_0": f"url.https://{user}:{password}@{live_app}/.insteadOf",
"GIT_CONFIG_VALUE_0": f"https://{live_app}/",
"GIT_SSL_NO_VERIFY": "true",
"GIT_TERMINAL_PROMPT": "0",
}
# 2. Clone (empty repo)
_run_git(["clone", clone_url, tmpdir], cwd="/tmp", env=git_env)
_run_git(["clone", cred_url, tmpdir], cwd="/tmp", env=git_env)
_run_git(["checkout", "-b", "main"], cwd=tmpdir, env=git_env)
# 3. Commit a file
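Review bot: Building `cred_url` with the password inline puts the secret in the `git clone` argument list and in the `remote.origin.url` that git stores in `.git/config` under `tmpdir`, so anything that echoes the command or git's output can carry it into the CI log. `_run_git` is not visible here; it is worth confirming that it redacts the URL userinfo before logging or raising, and that `tmpdir` is removed on the cleanup path, which lies outside this hunk. The added comment relies on the password being hex, and `user` is interpolated unencoded as well; percent-encoding both removes that assumption: `cred_url = f"https://{quote(user, safe='')}:{quote(password, safe='')}@{live_app}/{user}/{repo_name}.git"` with `from urllib.parse import quote`. The same construction is added in test_lfs_roundtrip.py, and the body of `test_git_push` starts and ends outside the hunks shown.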


@ -90,15 +90,14 @@ def test_lfs_roundtrip(live_app):
user, password = admin_creds(live_app)
repo_name = "ci-lfs-test"
# Embed credentials directly in the URL (password is 32-char hex, URL-safe).
cred_url = f"https://{user}:{password}@{live_app}/{user}/{repo_name}.git"
git_env = {
"GIT_AUTHOR_NAME": "CI LFS Bot",
"GIT_AUTHOR_EMAIL": "ci@ci.local",
"GIT_COMMITTER_NAME": "CI LFS Bot",
"GIT_COMMITTER_EMAIL": "ci@ci.local",
"GIT_CONFIG_COUNT": "1",
"GIT_CONFIG_KEY_0": f"url.https://{user}:{password}@{live_app}/.insteadOf",
"GIT_CONFIG_VALUE_0": f"https://{live_app}/",
# Suppress interactive LFS credential prompts
"GIT_SSL_NO_VERIFY": "true",
"GIT_TERMINAL_PROMPT": "0",
}
@ -109,12 +108,11 @@ def test_lfs_roundtrip(live_app):
user=user, password=password,
)
assert status in (201, 409), f"repo create HTTP {status}: {body}"
clone_url = f"https://{live_app}/{user}/{repo_name}.git"
tmpdir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-")
try:
# 2. Clone repo
_run_git(["clone", clone_url, tmpdir], cwd="/tmp", env=git_env)
_run_git(["clone", cred_url, tmpdir], cwd="/tmp", env=git_env)
_run_git(["lfs", "install"], cwd=tmpdir, env=git_env)
# 3. Track *.bin as LFS
@ -145,7 +143,7 @@ def test_lfs_roundtrip(live_app):
# 6. Download in a FRESH clone (proves the LFS server stores and serves the object)
fresh_dir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-dl-")
try:
_run_git(["clone", clone_url, fresh_dir], cwd="/tmp", env=git_env)
_run_git(["clone", cred_url, fresh_dir], cwd="/tmp", env=git_env)
fetched_path = os.path.join(fresh_dir, "testblob.bin")
assert os.path.exists(fetched_path), "testblob.bin not fetched in fresh clone"
with open(fetched_path, "rb") as f:
@ -181,7 +179,7 @@ def test_lfs_roundtrip(live_app):
import time
deadline = time.time() + 120
while time.time() < deadline:
status2, _ = _api(live_app, "/api/v1/version", user=user, password=password)
status2, _ = _api(live_app, "/version", user=user, password=password)
if status2 == 200:
break
time.sleep(5)
@ -200,7 +198,7 @@ def test_lfs_roundtrip(live_app):
# 8. Verify a fresh clone still works after restart (tokens still validate)
post_restart_dir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-restart-")
try:
_run_git(["clone", clone_url, post_restart_dir], cwd="/tmp", env=git_env)
_run_git(["clone", cred_url, post_restart_dir], cwd="/tmp", env=git_env)
pr_blob = os.path.join(post_restart_dir, "testblob.bin")
assert os.path.exists(pr_blob), "testblob.bin not fetched in post-restart clone"
with open(pr_blob, "rb") as f:
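Review bot: `"GIT_SSL_NO_VERIFY": "true"` in `git_env` turns off certificate verification for every git call in this test, and those calls now send the admin password as basic auth through `cred_url`, so nothing checks that the credentials reach the intended host. If the CI instance uses a private CA, pointing git at it keeps verification on, e.g. `"GIT_SSL_CAINFO": "<path-to-ci-ca.pem>"` (placeholder path); whether the LFS transfers pick up the same setting in this environment should be confirmed. The comment shown just above the variable, `# Suppress interactive LFS credential prompts`, describes only `GIT_TERMINAL_PROMPT`; if verification has to stay off, a comment such as `# CI host uses a self-signed cert; verification disabled for this test only` would record why. test_git_push.py adds the same variable, and `test_lfs_roundtrip` continues outside the hunks shown.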