From 330a31b99703e32ca3a9b045df71aaa6d0daadc9 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Tue, 30 Jun 2026 12:50:10 -0400 Subject: [PATCH] fix(ci): treat renovate bot as trusted for e2e/functional test gates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit renovate-fullsend[bot] has author_association CONTRIBUTOR, so its PRs skip e2e and functional tests unless someone manually adds ok-to-test. This meant the openshell 0.0.63→0.0.71 upgrade merged without test coverage. Add a TRUSTED_BOT_LOGINS list to the authorization script so recognized bots are authorized without requiring a label or collaborator API fallback. Signed-off-by: Ralph Bean Assisted-by: Claude claude-opus-4-6 Signed-off-by: Ralph Bean --- scripts/check-e2e-authorization-test.sh | 14 ++++++++++++++ scripts/check-e2e-authorization.sh | 19 ++++++++++++++++--- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/scripts/check-e2e-authorization-test.sh b/scripts/check-e2e-authorization-test.sh index 9515104e6..3320a6e27 100755 --- a/scripts/check-e2e-authorization-test.sh +++ b/scripts/check-e2e-authorization-test.sh @@ -142,6 +142,20 @@ run_case "trusted collaborator author" "true" "trusted_author" "false" write_pr "CONTRIBUTOR" '[]' run_case "contributor author denied" "false" "unauthorized" "false" +# --- Trusted bot tests --- + +export PR_AUTHOR_ASSOCIATION="CONTRIBUTOR" +export PR_AUTHOR_LOGIN="renovate-fullsend[bot]" +echo "" >"${COLLAB_ROLE}" +write_pr "NONE" '[]' +run_case "renovate bot authorized as trusted bot" "true" "trusted_bot" "false" + +export PR_AUTHOR_LOGIN="some-other-bot[bot]" +write_pr "NONE" '[]' +run_case "unknown bot not authorized" "false" "unauthorized" "false" + +unset PR_AUTHOR_ASSOCIATION PR_AUTHOR_LOGIN + write_pr "MEMBER" '[{"name":"ok-to-test"}]' run_case "trusted member ignores stale ok-to-test label" "true" "trusted_author" "false" diff --git a/scripts/check-e2e-authorization.sh b/scripts/check-e2e-authorization.sh index a5c059dc6..da063fb83 100755 --- a/scripts/check-e2e-authorization.sh +++ b/scripts/check-e2e-authorization.sh @@ -1,9 +1,10 @@ #!/usr/bin/env bash # check-e2e-authorization.sh — Decide whether a PR may run e2e tests in CI. # -# Authorized when the PR author is OWNER/MEMBER/COLLABORATOR, or when the -# collaborator permission API confirms write+ access, or when a fresh -# ok-to-test label was applied after the latest push. +# Authorized when the PR author is OWNER/MEMBER/COLLABORATOR, when the author +# is a trusted bot (e.g. renovate-fullsend[bot]), when the collaborator +# permission API confirms write+ access, or when a fresh ok-to-test label was +# applied after the latest push. # # The author_association field from the event payload can misreport org members # whose membership visibility is private (returns CONTRIBUTOR/NONE instead of @@ -31,6 +32,7 @@ PR_NUMBER="${1:?PR number required}" REPOSITORY="${2:?repository (owner/repo) required}" TRUSTED_ASSOCIATIONS="OWNER MEMBER COLLABORATOR" +TRUSTED_BOT_LOGINS="renovate-fullsend[bot]" OK_TO_TEST_LABEL="ok-to-test" write_error_output() { @@ -55,6 +57,14 @@ is_trusted_author() { esac } +is_trusted_bot() { + local login="${1:-}" + case " ${TRUSTED_BOT_LOGINS} " in + *" ${login} "*) return 0 ;; + *) return 1 ;; + esac +} + # Fallback: check actor has write+ permission via the collaborator permission # API, which correctly resolves org membership regardless of visibility # (private vs public). Same approach as the dispatch workflow. @@ -89,6 +99,9 @@ fi if is_trusted_author "${author_association}"; then authorized=true reason="trusted_author" +elif is_trusted_bot "${PR_AUTHOR_LOGIN:-}"; then + authorized=true + reason="trusted_bot" elif has_write_permission "${PR_AUTHOR_LOGIN:-}" 2>/dev/null; then # author_association was wrong (e.g. private org membership); collaborator # permission API confirms write+ access.