Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Paperclip
|
337c0e2733 |
@@ -156,32 +156,3 @@ jobs:
|
||||
${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
|
||||
cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
|
||||
cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
|
||||
|
||||
- name: Smoke test seed image (blackhole npmjs.org)
|
||||
run: |
|
||||
set -euo pipefail
|
||||
IMAGE="git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}"
|
||||
docker pull "$IMAGE"
|
||||
# GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
|
||||
# not try to reach registry.npmjs.org on invocation.
|
||||
docker run --rm \
|
||||
--add-host registry.npmjs.org:127.0.0.1 \
|
||||
--entrypoint="" \
|
||||
"$IMAGE" \
|
||||
sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; pnpm --version'
|
||||
echo "seed image: pnpm resolves to /usr/local/bin/pnpm and runs offline ✓"
|
||||
|
||||
- name: Smoke test reset image (blackhole npmjs.org)
|
||||
run: |
|
||||
set -euo pipefail
|
||||
IMAGE="git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}"
|
||||
docker pull "$IMAGE"
|
||||
# GRO-1985: pnpm must be a real binary, not a Corepack shim, and must
|
||||
# not try to reach registry.npmjs.org on invocation. Validates the
|
||||
# hard requirement from the issue: reset runs offline.
|
||||
docker run --rm \
|
||||
--add-host registry.npmjs.org:127.0.0.1 \
|
||||
--entrypoint="" \
|
||||
"$IMAGE" \
|
||||
sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; echo "HOME=$HOME"; pnpm --version'
|
||||
echo "reset image: pnpm resolves to /usr/local/bin/pnpm, HOME=/tmp, runs offline ✓"
|
||||
|
||||
+1
-13
@@ -3,12 +3,8 @@ FROM node:22-alpine AS base
|
||||
# invocations of `pnpm` work without DNS access to registry.npmjs.org.
|
||||
# The corepack shim delegates to corepack, which re-validates against
|
||||
# npmjs.org on first use — that fails in air-gapped UAT seed/migrate/reset
|
||||
# Jobs. GRO-1983 / GRO-1889 / GRO-1909 / GRO-1981 / GRO-1985.
|
||||
# Jobs. GRO-1983 / GRO-1889 / GRO-1909.
|
||||
RUN npm install -g pnpm@9.15.4
|
||||
# Belt-and-braces: disable Corepack's download fallback so that even if a
|
||||
# Corepack shim is somehow invoked at runtime, it will not try to fetch
|
||||
# pnpm from registry.npmjs.org. Belt for the real-binary trousers. GRO-1985.
|
||||
ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
|
||||
WORKDIR /app
|
||||
|
||||
# Install deps
|
||||
@@ -30,8 +26,6 @@ RUN pnpm --filter @groombook/types build && \
|
||||
# Runtime
|
||||
FROM node:22-alpine AS runner
|
||||
RUN npm install -g pnpm@9.15.4
|
||||
# Same defence-in-depth as base: no Corepack fallback. GRO-1985.
|
||||
ENV COREPACK_ENABLE_DOWNLOAD_FALLBACK=0
|
||||
WORKDIR /app
|
||||
ENV NODE_ENV=production
|
||||
|
||||
@@ -52,18 +46,12 @@ CMD ["node", "dist/index.js"]
|
||||
|
||||
# Migrate stage — runs drizzle-kit migrate against the database
|
||||
FROM builder AS migrate
|
||||
# pnpm needs a writable HOME for any config/state it writes. With
|
||||
# readOnlyRootFilesystem: true and runAsUser: 1000, /home/node is read-only.
|
||||
# The job pods mount a writable emptyDir at /tmp; point HOME there. GRO-1985.
|
||||
ENV HOME=/tmp
|
||||
CMD ["pnpm", "--filter", "@groombook/db", "migrate"]
|
||||
|
||||
# Seed stage — populates the database with test data
|
||||
FROM builder AS seed
|
||||
ENV HOME=/tmp
|
||||
CMD ["pnpm", "--filter", "@groombook/db", "seed"]
|
||||
|
||||
# Reset stage — drops all tables, re-runs migrations, and re-seeds
|
||||
FROM builder AS reset
|
||||
ENV HOME=/tmp
|
||||
CMD ["pnpm", "--filter", "@groombook/db", "reset"]
|
||||
|
||||
@@ -19,6 +19,27 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
|
||||
- OIDC authentication provider configured
|
||||
- Seed data present (clients, pets, services, staff)
|
||||
|
||||
### Source of truth for UAT passwords (GRO-2000)
|
||||
|
||||
The `UAT_SUPER_PASSWORD` / `UAT_GROOMER_PASSWORD` / `UAT_TESTER_PASSWORD` / `UAT_CUSTOMER_PASSWORD` env vars the test orchestrator uses **must** be pulled from the live `seed-uat-passwords` Secret in the UAT cluster — never from a captured shell value, a previous run's `.env`, or a copy of the SealedSecret committed before the latest rotation.
|
||||
|
||||
**Canonical recipe** (works from any host with `kubectl` + cluster credentials):
|
||||
|
||||
```bash
|
||||
SUPER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
|
||||
-o jsonpath='{.data.super-password}' | base64 -d)
|
||||
GROOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
|
||||
-o jsonpath='{.data.groomer-password}' | base64 -d)
|
||||
TESTER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
|
||||
-o jsonpath='{.data.tester-password}' | base64 -d)
|
||||
CUSTOMER=$(kubectl get secret seed-uat-passwords -n groombook-uat \
|
||||
-o jsonpath='{.data.customer-password}' | base64 -d)
|
||||
```
|
||||
|
||||
**Why:** the Bitnami SealedSecret `apps/overlays/uat/ss-seed-uat-passwords.yaml` (in `groombook/infra`) is the single source of truth. The UAT `reset-demo-data` CronJob re-hashes these values into the `account` table on every run (idempotent — GRO-1977). A captured env var from a previous generation will not match the current hash, producing 401 `INVALID_EMAIL_OR_PASSWORD`. If the live login still 401s after pulling from the SealedSecret, the seed Job is stale — trigger `kubectl create job --from=cronjob/reset-demo-data -n groombook-uat manual-seed-$$` and retry.
|
||||
|
||||
**How to apply:** at the start of every UAT run that touches TC-API-1.4 / 1.5 / 1.6 / 1.7 / 3.18 / 3.21 / 3.23, refresh these four env vars from the cluster before issuing the sign-in request.
|
||||
|
||||
## Test Cases
|
||||
|
||||
### 4.0 Health Check
|
||||
|
||||
Reference in New Issue
Block a user