zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-18 23:03:06 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
caee7cf79c7440f37a2f71c9203e31f8fd21064c
everything-claude-code/tests/ci/validate-workflow-security.test.js
Jamkris 7bb3172041 test(ci): coverage for round-1 fixes (quoted write-all, dedup, lifecycle scope) 
Three test changes in response to the round-1 review:

1. **Add quoted-write-all coverage** (cubic P0 follow-up).
   Two new cases assert the regex now matches the double-quoted and
   single-quoted YAML forms of `permissions: "write-all"`:
     - `rejects double-quoted permissions: "write-all"`
     - `rejects single-quoted permissions: 'write-all'`
   Both fixtures trigger only the persist-credentials gate, so they
   exercise the WRITE_ALL_PATTERN OR-clause in isolation.

2. **Add expression+ref dedup coverage** (greptile P2 follow-up).
   `emits a single violation when both expressionPattern and refPattern
   match the same step` — uses `refs/pull/${{ … head.sha }}/merge` as
   the fixture (which matches both patterns) and counts ERROR lines for
   the `pull_request_target` rule, asserting exactly one. Re-introducing
   the duplicate-push bug would re-fail this test immediately.

3. **Drop the `npm ci without --ignore-scripts under write-all` test**
   (greptile P2). That test happened to pass under the previous
   `--ignore-scripts` regex, but `UNSAFE_INSTALL_PATTERNS` (added in
   `f7035b56`) fires unconditionally for every workflow regardless of
   permissions. So the test was exercising a pre-existing code path
   that has nothing to do with WRITE_ALL_PATTERN. Reviewer flagged this
   could mislead future contributors into thinking lifecycle-script
   enforcement is gated on write permissions.

   Replaced by the surrounding `rejects checkout credential persistence
   in workflows with permissions: write-all` test (already present) and
   the new quoted-form tests above, which all exercise the actual
   persist-credentials gate that the WRITE_ALL_PATTERN clause newly
   activates.

Test count: 22 → 24 (added 3 new, dropped 1). All green; `yarn lint`
clean.

The cohort comment above the write-all block was also tightened to
explicitly note that "the lifecycle-script gate already fires
unconditionally for every workflow" so the next reader sees the
distinction up front.
2026-05-17 21:19:29 -04:00

17 KiB
Raw Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink