diff --git a/apps/api/tests/test_asset_inventory_integrity_migration.py b/apps/api/tests/test_asset_inventory_integrity_migration.py index 36fb403f3..de60a0e26 100644 --- a/apps/api/tests/test_asset_inventory_integrity_migration.py +++ b/apps/api/tests/test_asset_inventory_integrity_migration.py @@ -12,6 +12,12 @@ MIGRATION = ( CD_WORKFLOW = ROOT / ".gitea" / "workflows" / "cd.yaml" +def _workflow_step(workflow: str, name: str) -> str: + return workflow.split(f"- name: {name}", 1)[1].split( + "\n - name:", 1 + )[0] + + def test_migration_quarantines_duplicates_without_deleting_history() -> None: sql = MIGRATION.read_text(encoding="utf-8") upper = sql.upper() @@ -38,9 +44,7 @@ def test_migration_quarantines_duplicates_without_deleting_history() -> None: def test_cd_runs_bounded_integrity_repair_and_independent_verifier() -> None: workflow = CD_WORKFLOW.read_text(encoding="utf-8") - step = workflow.split( - "- name: Repair Asset Inventory Canonical Integrity", 1 - )[1].split("# 2026-03-31 ogt: 移除中間通知", 1)[0] + step = _workflow_step(workflow, "Repair Asset Inventory Canonical Integrity") script = step.split("run: |", 1)[1] assert "MIGRATION_DATABASE_URL: ${{ secrets.MIGRATION_DATABASE_URL }}" in step @@ -63,9 +67,7 @@ def test_cd_runs_bounded_integrity_repair_and_independent_verifier() -> None: def test_cd_embedded_integrity_migration_python_compiles() -> None: workflow = CD_WORKFLOW.read_text(encoding="utf-8") - step = workflow.split( - "- name: Repair Asset Inventory Canonical Integrity", 1 - )[1] + step = _workflow_step(workflow, "Repair Asset Inventory Canonical Integrity") source = step.split("python - <<'PY'", 1)[1].split(" PY", 1)[0] compile(textwrap.dedent(source), "", "exec") diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 2cc48e858..baa19e66d 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -9,6 +9,7 @@ - CD probe 改為先檢查 connection budget、保留 4 條安全餘量、最多 4 workers、單輪、每 request 5 秒;新增 workers/reserve/skip reason machine-readable receipt fields。 - `backup-signoz.sh` 在 stop 前先 arm restore,加入 `EXIT/HUP/INT/TERM` trap、防重入 cleanup 與首次 restart 失敗後的有界 EXIT retry。 - `110-devops.yml --tags backup_jobs` 納入 `backup-signoz.sh`,確保 source guard 有可驗證的 `/backup/scripts/backup-signoz.sh` 部署路徑,不再只停留在 repo。 +- `#5128` 在 `1518 passed` 後被 asset-integrity workflow shape 測試的過時注解邊界擋下;測試改以下一個 YAML `- name:` 截取單一 step,仍保留 shell body 不得出現 `${{ secrets.* }}` 的安全斷言,不放寬 secret transport policy。 - 新增 `ops/signoz/p0-obs-002-post-closure-regression.yaml`,分離 API probe starvation、collector backup interruption、controlled recovery、source candidate 與 scope boundary。 **仍維持**: