Merge remote-tracking branch 'origin/main' into codex/p0-obs-002-20260715

This commit is contained in:
ogt
2026-07-15 10:17:09 +08:00
17 changed files with 738 additions and 48 deletions

View File

@@ -123,13 +123,16 @@ class ExternalMcpArtifactControllerTest(unittest.TestCase):
self.assertNotIn("@latest", lowered)
self.assertNotIn(":latest", lowered)
self.assertNotIn("git push --force", lowered)
self.assertIn("cancel-in-progress: true", raw)
self.assertIn("runs-on: awoooi-non110-host", raw)
self.assertIn("docker login", raw)
self.assertIn("--password-stdin", raw)
self.assertIn("docker logout", raw)
self.assertIn("verify_external_mcp_artifact_receipt.py", raw)
self.assertIn("git merge --no-edit gitea/main", raw)
self.assertIn("git push gitea HEAD:main", raw)
self.assertIn("RECEIPT_BRANCH: mcp-artifact-receipts", raw)
self.assertIn('git merge --no-edit FETCH_HEAD', raw)
self.assertIn('HEAD:refs/heads/${RECEIPT_BRANCH}', raw)
self.assertNotIn("git push gitea HEAD:main", raw)
self.assertIn('cron: "13 2 * * 3"', raw)
def test_dependency_closure_rejects_drift(self) -> None:

View File

@@ -81,7 +81,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
self.assertEqual(policy.work_item_id, "AIA-P0-006-02A")
self.assertEqual(policy.risk_level, "high")
self.assertEqual(len(policy.images), 17)
self.assertEqual(len(policy.images), 18)
self.assertNotIn("github.com", raw)
self.assertNotIn("ghcr.io", raw)
self.assertIn('"external_pull_allowed": false', raw)
@@ -106,7 +106,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
)
)
container_kinds = [image.workload.container_kind for image in policy.images]
self.assertEqual(container_kinds.count("container"), 14)
self.assertEqual(container_kinds.count("container"), 15)
self.assertEqual(container_kinds.count("init_container"), 3)
vpa = next(
@@ -176,6 +176,31 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
),
)
sealed_secrets = next(
image
for image in policy.images
if image.asset_id == "runtime-image:sealed-secrets-controller"
)
self.assertEqual(
sealed_secrets.target_registry_digest,
"sha256:2692460ed95f213760550cb508c881e1490a2f0ce4affbed31a0bf900ebba363",
)
self.assertEqual(sealed_secrets.workload.namespace, "kube-system")
self.assertEqual(sealed_secrets.workload.name, "sealed-secrets-controller")
self.assertEqual(
sealed_secrets.workload.container, "sealed-secrets-controller"
)
self.assertEqual(
sealed_secrets.availability_guard,
controller.AvailabilityGuard(
minimum_ready_replicas=1,
maximum_effective_unavailable=0,
minimum_effective_surge=1,
enforced_max_unavailable=0,
enforced_max_surge=1,
),
)
def test_policy_loads_and_validates_init_container_kind(self) -> None:
image = self._image_with_container_kind("init_container")