ENG-1643: Add end-to-end integration test for encrypted publish and install#3821
Open
mitchell-as wants to merge 7 commits into
Open
ENG-1643: Add end-to-end integration test for encrypted publish and install#3821mitchell-as wants to merge 7 commits into
mitchell-as wants to merge 7 commits into
Conversation
TestPublishBuildEncrypted drives the full private-ingredient round trip: `state publish --build` packs a pure-Python source tree into a wheel, encrypts it under the org key, and publishes it under a unique random name; `state install --ts=now` then resolves, downloads, and decrypts it. The test proves decryption by reading the decrypted wheel back out of the depot and finding a sentinel string that only the plaintext source contains. To avoid standing up an HTTPS key service, the org key is supplied to both the publish (encrypt) and install (decrypt) sides through a new environment variable carrying the key-service contract JSON. The orgkey provider reads it only after Configured() passes and validates it through the same path as a fetched contract, so org-binding, fingerprint, and key-length checks all still apply. The contract is stripped from child process environments. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mitchell-as
changed the title
The CI failure surfaced no diagnostics because the assertion lived in an inner helper. Inline the check into the test body so a failure dumps the spawned command output and state logs. Also search the whole depot (any wheel or file) for the sentinel rather than a fixed install/*.whl glob, and log the depot's top two levels, since the on-disk layout depends on how the artifact is packaged on install. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A --build publish now declares a dependency on builder/private-builder. Without a builder dependency the platform falls back to the noop-builder, which ingests the upload but produces an empty artifact, leaving nothing installable on the consume side. The wrapped tar.gz now carries only the encrypted payload; the private-builder generates the runtime.json on ingest, so we no longer write or wrap one. The build unit test is updated to match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mitchell-as
force-pushed
the
mitchell/eng-1643
branch
from
128e54a to
5b5f35d
Compare
…nd logs." This reverts commit 0a8e9bc.
The private-builder nests the encrypted payload under the artifact's install directory rather than leaving it at the top level, so the consume side never found it: the search only scanned top-level files, and even once found the decrypted archive was extracted to the artifact root instead of where the runtime.json points. The result was an installed-but-never-decrypted artifact. findEncryptedPayload now searches the artifact recursively, locating the payload by its conventional name and confirming the envelope magic, and the decrypted archive is extracted alongside the ciphertext so it lands under the install dir. The payload filename is now a single shared constant (artifactcrypto.PayloadFilename) used by both the publish (produce) and runtime (consume) sides, so it can no longer drift between them. The integration test's decryption check is factored into reusable suite helpers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
The test failures are sporadic ones around the publish endpoint. The only test that matters is the new one, which passes: |
There was a problem hiding this comment.
Pull request overview
Adds coverage for the “private ingredient” encrypted publish/install workflow by introducing an end-to-end integration test and the necessary supporting production changes so encrypted payloads can be produced, located, decrypted, and installed correctly.
Changes:
- Add an integration test that publishes a locally-built encrypted Python ingredient, installs it, and verifies decrypted contents via a sentinel.
- Standardize encrypted payload discovery/placement: shared payload filename constant, recursive payload search on install, and extraction alongside the ciphertext path.
- Enable headless/dev testing by allowing org-key contracts to be supplied via an environment variable, and ensure
--buildpublishes depend on theprivate-builder.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| test/integration/publish_int_test.go | Adds E2E test for encrypted publish/install and depot sentinel verification helpers |
| pkg/runtime/setup.go | Updates encrypted payload discovery and ensures decrypted extraction lands where runtime layout expects |
| pkg/runtime/decrypt_test.go | Expands unit tests for recursive payload discovery and nested extraction behavior |
| internal/runners/publish/publish.go | Forces --build publishes to depend on private-builder to avoid empty artifacts |
| internal/runners/publish/build.go | Builds/wraps encrypted payload using a shared payload filename; removes cleartext runtime.json wrapping |
| internal/runners/publish/build_test.go | Updates expectations for wrapped artifact contents and payload layout |
| internal/runbits/orgkey/https.go | Allows reading/validating org-key contract directly from an env var (bypassing HTTPS service) |
| internal/runbits/orgkey/env.go | Ensures org-key contract env var is not leaked to child processes |
| internal/constants/constants.go | Introduces env var name constant for injecting an org-key contract |
| internal/artifactcrypto/artifactcrypto.go | Introduces shared PayloadFilename constant used by producer/consumer |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Stop walking the depot once the sentinel is found rather than scanning every remaining file, and skip a wheel zip entry whose read fails instead of testing partial bytes. Both are confined to the integration test's verification helpers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Collaborator
Author
|
Note: "install" is misleading. State Tool installs the decrypted wheel by linking to it from the runtime for now. We only recently learned that we want to do a proper wheel install into the runtime, and that will be in its own ticket. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ENG-1643: Add end-to-end integration test for encrypted publish and install
The acceptance test for the private ingredient work (ENG-1563). It exercises the full encrypted round trip: build and publish a protected package from local source, then install it and confirm the decrypted content lands in the runtime.
TestPublishBuildEncryptedpublishes a tiny Python package (carrying a unique sentinel) withstate publish --build, installs it, then reads the decrypted wheel back out of the depot and checks for the sentinel — something only the plaintext could contain. The org key is handed to both sides through an environment variable, so the test needs no HTTPS key service.Getting the round trip to pass surfaced a few production fixes along the way:
state publish --buildnow depends on theprivate-builder(the default builder produced an empty artifact) and wraps only the encrypted payload, the consume side finds and decrypts that payload even when the builder nests it under the install directory, and the payload filename is now a single shared constant across the produce and consume sides.Base branch: targets
mitchell/eng-1634; GitHub will retarget it toversion/0-48-1-RC2once the upstream PRs land.🤖 Generated with Claude Code