From 893a7b0eb4584f2e7e1f89ad5b0e5f8a2071dd98 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Mon, 15 Jun 2026 20:01:31 +0000
Subject: [PATCH] fix(gtea): embed git credentials in URL; fix double /api/v1 path; add git-lfs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- test_git_push.py + test_lfs_roundtrip.py: use cred_url (https://user:pass@host/...) instead of GIT_CONFIG_COUNT insteadOf rewriting, which silently failed to propagate credentials to the push step (repo remained empty after push exit 0). Also add GIT_SSL_NO_VERIFY=true and GIT_TERMINAL_PROMPT=0.
- test_lfs_roundtrip.py: fix restart health-poll path /api/v1/version → /version (_api() already prepends /api/v1; double prefix produced 404 and a 120s timeout).
- nix/hosts/cc-ci/configuration.nix: add git-lfs to systemPackages (required for the LFS capstone test on the lfs-plain-gitea PR branch).
Adversary pre-M1 findings: Issue 1 (git-lfs absent) + Issue 2 (double path) both fixed.
Co-Authored-By: Claude Sonnet 4.6
---
 nix/hosts/cc-ci/configuration.nix | 1 +
 tests/gitea/custom/test_git_push.py | 12 ++++++------
 tests/gitea/custom/test_lfs_roundtrip.py | 16 +++++++---------
 3 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/nix/hosts/cc-ci/configuration.nix b/nix/hosts/cc-ci/configuration.nix
index 90eeb44..47e445e 100644
--- a/nix/hosts/cc-ci/configuration.nix
+++ b/nix/hosts/cc-ci/configuration.nix
@@ -56,6 +56,7 @@
 environment.systemPackages = with pkgs; [
 curl
 git
+ git-lfs
 jq
 openssh
 ];
diff --git a/tests/gitea/custom/test_git_push.py b/tests/gitea/custom/test_git_push.py
index fb41191..87548e3 100644
--- a/tests/gitea/custom/test_git_push.py
+++ b/tests/gitea/custom/test_git_push.py
@@ -77,7 +77,9 @@ def test_git_push(live_app):
 user=user, password=password,
 )
 assert status == 201, f"repo create HTTP {status}: {body}"
- clone_url = body.get("clone_url") or f"https://{live_app}/{user}/{repo_name}.git"
+ # Embed credentials directly in the URL so clone + push both work without
+ # a separate credential helper. Password is a 32-char hex string (URL-safe).
+ cred_url = f"https://{user}:{password}@{live_app}/{user}/{repo_name}.git"
 tmpdir = tempfile.mkdtemp(prefix="ccci-gitea-push-")
 try:
@@ -86,14 +88,12 @@ def test_git_push(live_app):
 "GIT_AUTHOR_EMAIL": "ci@ci.local",
 "GIT_COMMITTER_NAME": "CI Test Bot",
 "GIT_COMMITTER_EMAIL": "ci@ci.local",
- # Embed credentials so HTTPS push works without interactive prompt.
- "GIT_CONFIG_COUNT": "1",
- "GIT_CONFIG_KEY_0": f"url.https://{user}:{password}@{live_app}/.insteadOf",
- "GIT_CONFIG_VALUE_0": f"https://{live_app}/",
+ "GIT_SSL_NO_VERIFY": "true",
+ "GIT_TERMINAL_PROMPT": "0",
 }
 # 2. Clone (empty repo)
- _run_git(["clone", clone_url, tmpdir], cwd="/tmp", env=git_env)
+ _run_git(["clone", cred_url, tmpdir], cwd="/tmp", env=git_env)
 _run_git(["checkout", "-b", "main"], cwd=tmpdir, env=git_env)
 # 3. Commit a file
diff --git a/tests/gitea/custom/test_lfs_roundtrip.py b/tests/gitea/custom/test_lfs_roundtrip.py
index 718bc96..959764c 100644
--- a/tests/gitea/custom/test_lfs_roundtrip.py
+++ b/tests/gitea/custom/test_lfs_roundtrip.py
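Review bot: `cred_url` in the `@@ -77,7 +77,9 @@` hunk of test_git_push.py places the admin password on the git command line and, once `clone` has run, in `remote.origin.url` inside the clone's `.git/config`, so it is readable from the process list on the CI host and from the temp directory until cleanup, and it ends up in logs if `_run_git` (defined outside this hunk) echoes its arguments on failure. The added comment only argues that the password is URL-safe; `user` is interpolated unescaped, so at minimum build the userinfo part with `quote(user, safe="")` and `quote(password, safe="")` from `urllib.parse`. Supplying the secret through a `GIT_ASKPASS` script or a credential helper set in `git_env` would keep it out of argv and out of the stored remote URL. The same construction is added in the `@@ -90,15 +90,14 @@` hunk of test_lfs_roundtrip.py and feeds every `clone` call changed in that file. test_git_push's body starts and ends outside this hunk.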
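Review bot: `"GIT_SSL_NO_VERIFY": "true"` in `git_env` (hunk `@@ -86,14 +88,12 @@` of test_git_push.py) switches off certificate checking for the very clone and push that now carry the admin password as HTTP basic auth, so any host on the path between the runner and `live_app` can present its own certificate and read the credentials. The commit message does not say why verification had to be disabled. If the instance is signed by a CI-internal CA, `"GIT_SSL_CAINFO": "<path to the CI CA bundle>"` keeps the check in place; if it really must stay off, a comment next to the entry should state the reason and that it is limited to this throwaway test instance. The same entry is added to `git_env` in the `@@ -90,15 +90,14 @@` hunk of test_lfs_roundtrip.py.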
@@ -90,15 +90,14 @@ def test_lfs_roundtrip(live_app):
 user, password = admin_creds(live_app)
 repo_name = "ci-lfs-test"
+ # Embed credentials directly in the URL (password is 32-char hex, URL-safe).
+ cred_url = f"https://{user}:{password}@{live_app}/{user}/{repo_name}.git"
 git_env = {
 "GIT_AUTHOR_NAME": "CI LFS Bot",
 "GIT_AUTHOR_EMAIL": "ci@ci.local",
 "GIT_COMMITTER_NAME": "CI LFS Bot",
 "GIT_COMMITTER_EMAIL": "ci@ci.local",
- "GIT_CONFIG_COUNT": "1",
- "GIT_CONFIG_KEY_0": f"url.https://{user}:{password}@{live_app}/.insteadOf",
- "GIT_CONFIG_VALUE_0": f"https://{live_app}/",
- # Suppress interactive LFS credential prompts
+ "GIT_SSL_NO_VERIFY": "true",
 "GIT_TERMINAL_PROMPT": "0",
 }
@@ -109,12 +108,11 @@ def test_lfs_roundtrip(live_app):
 user=user, password=password,
 )
 assert status in (201, 409), f"repo create HTTP {status}: {body}"
- clone_url = f"https://{live_app}/{user}/{repo_name}.git"
 tmpdir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-")
 try:
 # 2. Clone repo
- _run_git(["clone", clone_url, tmpdir], cwd="/tmp", env=git_env)
+ _run_git(["clone", cred_url, tmpdir], cwd="/tmp", env=git_env)
 _run_git(["lfs", "install"], cwd=tmpdir, env=git_env)
 # 3. Track *.bin as LFS
@@ -145,7 +143,7 @@ def test_lfs_roundtrip(live_app):
 # 6. Download in a FRESH clone (proves the LFS server stores and serves the object)
 fresh_dir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-dl-")
 try:
- _run_git(["clone", clone_url, fresh_dir], cwd="/tmp", env=git_env)
+ _run_git(["clone", cred_url, fresh_dir], cwd="/tmp", env=git_env)
 fetched_path = os.path.join(fresh_dir, "testblob.bin")
 assert os.path.exists(fetched_path), "testblob.bin not fetched in fresh clone"
 with open(fetched_path, "rb") as f:
@@ -181,7 +179,7 @@ def test_lfs_roundtrip(live_app):
 import time
 deadline = time.time() + 120
 while time.time() < deadline:
- status2, _ = _api(live_app, "/api/v1/version", user=user, password=password)
+ status2, _ = _api(live_app, "/version", user=user, password=password)
 if status2 == 200:
 break
 time.sleep(5)
@@ -200,7 +198,7 @@ def test_lfs_roundtrip(live_app):
 # 8. Verify a fresh clone still works after restart (tokens still validate)
 post_restart_dir = tempfile.mkdtemp(prefix="ccci-gitea-lfs-restart-")
 try:
- _run_git(["clone", clone_url, post_restart_dir], cwd="/tmp", env=git_env)
+ _run_git(["clone", cred_url, post_restart_dir], cwd="/tmp", env=git_env)
 pr_blob = os.path.join(post_restart_dir, "testblob.bin")
 assert os.path.exists(pr_blob), "testblob.bin not fetched in post-restart clone"
 with open(pr_blob, "rb") as f:
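Review bot: Nothing at the `_api(live_app, "/version", ...)` call in the `@@ -181,7 +179,7 @@` hunk records that `_api()` adds the `/api/v1` prefix itself, which is the misunderstanding the commit message blames for the 404 and the 120 s timeout. A one-line comment above the call, `# _api() prepends /api/v1; pass paths relative to it`, would keep the double prefix from returning. `_api` is defined outside this hunk, so the prefix behaviour is taken from the commit message rather than from visible code. The polling loop also continues past the end of the hunk, so whether an expired deadline fails the test cannot be checked here.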