recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
17c8d29a8fb975025781fa24ca855aee925ecf72
cc-ci/runner/harness/manifest.py
autonomic-bot 858e0f582f
All checks were successful
continuous-integration/drone/push Build is passing
Details
fix(harness): redact secret-named meta values in the customization manifest (rcust) 
Adversary heads-up (inbox 2026-06-10T19:06Z): meta values are repo-public by construction, but
the manifest lands on the dashboard — a field literally named SECRET_KEY_BASE showing a value
(plausible's committed CI dummy) is needless secret-scan noise. Mask values whose key NAME is
secret-shaped (SECRET|PASSWORD|TOKEN|CREDENTIAL|word-segment KEY), top-level and nested dict
keys; the key name stays visible. Unit test pins redacted vs passthrough (KEYCLOAK_URL).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 19:09:09 +00:00

154 lines
5.7 KiB
Python
Raw Blame History

"""Customization manifest (rcust P5; spec §8 R4 mitigation).
One block at run start answering "what does this recipe customize?" across ALL the surfaces
(recipe_meta keys, hook files, file-presence, run-time env overrides) — printed to the run log and
embedded verbatim in results.json under "customization". PURE PRESENTATION: building or printing
the manifest must never influence any verdict (R7-class invariant).
"""
from __future__ import annotations
import os
import re
from . import discovery, lifecycle
from . import meta as meta_mod
_PRE_OP_RE = re.compile(r"^def (pre_[a-z]+)\(", re.MULTILINE)
# Meta values are repo-public by construction (recipe_meta.py is committed; real secrets are
# class-B generated, never meta), but the manifest lands on the dashboard — mask values whose
# key NAME is secret-shaped so a field literally called SECRET_KEY_BASE never shows a value
# (defense in depth + keeps dashboard secret-scans quiet). `KEY` matches only as a word segment
# (API_KEY yes, KEYCLOAK_URL no).
_SENSITIVE_NAME_RE = re.compile(r"SECRET|PASSWORD|TOKEN|CREDENTIAL|(^|_)KEY(_|$)", re.IGNORECASE)
def _jsonable(v, name=""):
"""Manifest values must be JSON-serializable + deterministic: hooks render as '<hook>',
tuples become lists, secret-named entries (by key name, incl. nested dict keys) as
'<redacted>'."""
if callable(v):
return "<hook>"
if name and _SENSITIVE_NAME_RE.search(name):
return "<redacted>"
if isinstance(v, tuple):
return list(v)
if isinstance(v, dict):
return {k: _jsonable(x, name=str(k)) for k, x in v.items()}
return v
def _pre_ops(path: str) -> list[str]:
"""The pre_<op> hook names an ops.py defines (cheap source scan, same approach as
discovery._module_defines — no import)."""
try:
with open(path) as fh:
return sorted(set(_PRE_OP_RE.findall(fh.read())))
except OSError:
return []
def _custom_counts(recipe: str, repo_local: str | None) -> dict[str, dict[str, int]]:
out: dict[str, dict[str, int]] = {}
for source, path in discovery.custom_tests(recipe, repo_local):
sub = os.path.basename(os.path.dirname(path)) # functional | playwright
out.setdefault(source, {}).setdefault(sub, 0)
out[source][sub] += 1
return out
def build(recipe: str, meta, repo_local: str | None) -> dict:
"""Collect the run's resolved customization into one deterministic, JSON-serializable dict.
Keys: meta_non_default (explicitly-customized recipe_meta keys), hooks (ops.py pre-ops +
install_steps.sh + compose.ccci.yml with their source), overlays (lifecycle overlay files by
op + source), custom_tests (counts per source/subdir), env_overrides (active
CCCI_SKIP_GENERIC* — the dev-only escape hatch, flagged when riding a CI run)."""
hooks: dict = {}
pre_ops: dict[str, list[str]] = {}
for source, d in (
("cc-ci", discovery.cc_ci_dir(recipe)),
("repo-local", discovery._gated(recipe, repo_local)), # noqa: SLF001 — same HC2 gate
):
if not d:
continue
p = os.path.join(d, "ops.py")
if os.path.isfile(p):
ops = _pre_ops(p)
if ops:
pre_ops[source] = ops
if pre_ops:
hooks["ops.py"] = pre_ops
ist = discovery.install_steps(recipe, repo_local)
if ist:
hooks["install_steps.sh"] = ist[0]
if lifecycle.has_ccci_overlay(recipe):
hooks["compose.ccci.yml"] = "cc-ci"
overlays = {}
for op in discovery.LIFECYCLE_OPS:
ov = discovery.resolve_overlay_op(recipe, op, repo_local)
if ov:
overlays[op] = ov[0]
env_overrides = sorted(
k
for k in os.environ
if k.startswith("CCCI_SKIP_GENERIC")
and str(os.environ.get(k) or "").strip().lower() in ("1", "true", "yes", "on")
)
return {
"meta_non_default": {
k: _jsonable(v, name=k) for k, v in sorted(meta_mod.non_default(meta).items())
},
"hooks": hooks,
"overlays": overlays,
"custom_tests": _custom_counts(recipe, repo_local),
"env_overrides": env_overrides,
}
def render(recipe: str, manifest: dict) -> str:
"""The human block printed at run start (same content as the results.json key)."""
lines = [f"===== customization manifest: {recipe} ====="]
nd = manifest["meta_non_default"]
lines.append(
"meta (non-default): "
+ (" ".join(f"{k}={v!r}" for k, v in nd.items()) if nd else "(none — zero-config floor)")
)
hk = manifest["hooks"]
parts = []
for source, ops in hk.get("ops.py", {}).items():
parts.append(f"ops.py[{','.join(ops)}]({source})")
if "install_steps.sh" in hk:
parts.append(f"install_steps.sh({hk['install_steps.sh']})")
if "compose.ccci.yml" in hk:
parts.append(f"compose.ccci.yml({hk['compose.ccci.yml']})")
lines.append("hooks: " + (" ".join(parts) if parts else "(none)"))
ov = manifest["overlays"]
lines.append(
"overlays: "
+ (" ".join(f"test_{op}.py({src})" for op, src in ov.items()) if ov else "(none)")
)
ct = manifest["custom_tests"]
lines.append(
"custom tests: "
+ (
" ".join(
" ".join(f"{sub}/={n}" for sub, n in sorted(counts.items())) + f" ({source})"
for source, counts in sorted(ct.items())
)
if ct
else "(none)"
)
)
eo = manifest["env_overrides"]
if eo:
suffix = " !! dev-only override active in CI" if os.environ.get("DRONE") else ""
lines.append("env overrides: " + " ".join(f"{k}=1" for k in eo) + suffix)
else:
lines.append("env overrides: (none)")
return "\n".join(lines)
Reference in New Issue View Git Blame Copy Permalink