ci(preview): fix Cloudflare registry image deployment (#2124)

* ci(preview): fix Cloudflare registry image deployment Keep the preview workflow's secret-bearing deploy path on trusted tooling while rewriting Wrangler config through registry-shaped image refs for push and deploy. Centralize preview log redaction and extend resolver/security guard coverage for artifact identity conflicts. * ci(preview): keep failure diagnostics resilient * ci(preview): redact private key diagnostics
2026-06-04 10:19:03 +00:00 · 2026-06-02 15:11:36 -07:00
parent f7b66d40ff
commit 92fa73ef00
5 changed files with 347 additions and 51 deletions
--- a/test/javascript/preview_deploy/resolve_preview_request_test.cjs
+++ b/test/javascript/preview_deploy/resolve_preview_request_test.cjs
@@ -123,7 +123,7 @@ describe("selectPullRequestNumber", () => {
  const headSha = "4f1159e99c7785bc370f53510284c251fabdb75b";
  const context = contextFor({ id: 123, head_sha: headSha });

-  it("falls back to commit association when workflow_run has no PR payload", () => {
+  it("prefers the preview artifact when commit association matches", () => {
    const selected = selectPullRequestNumber({
      runPullRequest: undefined,
      artifacts: [previewArtifact(2017, headSha)],
@@ -134,7 +134,37 @@ describe("selectPullRequestNumber", () => {

    assert.deepEqual(selected, {
      prNumber: 2017,
-      source: "commit_association",
+      source: "artifact_name+commit_association",
+    });
+  });
+
+  it("records workflow_run as a corroborating source when it matches the preview artifact", () => {
+    const selected = selectPullRequestNumber({
+      runPullRequest: { number: 2017 },
+      artifacts: [previewArtifact(2017, headSha)],
+      associatedPullRequests: [],
+      context,
+      headSha,
+    });
+
+    assert.deepEqual(selected, {
+      prNumber: 2017,
+      source: "artifact_name+workflow_run",
+    });
+  });
+
+  it("records workflow_run and commit association when both match the preview artifact", () => {
+    const selected = selectPullRequestNumber({
+      runPullRequest: { number: 2017 },
+      artifacts: [previewArtifact(2017, headSha)],
+      associatedPullRequests: [openPullRequest(2017, headSha, "Rene0422/sure")],
+      context,
+      headSha,
+    });
+
+    assert.deepEqual(selected, {
+      prNumber: 2017,
+      source: "artifact_name+workflow_run+commit_association",
    });
  });

@@ -152,10 +182,38 @@ describe("selectPullRequestNumber", () => {

    assert.deepEqual(selected, {
      prNumber: 2060,
-      source: "artifact_and_commit_association",
+      source: "artifact_name+commit_association",
    });
  });

+  it("fails closed when workflow metadata disagrees with the preview artifact", () => {
+    const selected = selectPullRequestNumber({
+      runPullRequest: { number: 1985 },
+      artifacts: [previewArtifact(1798, headSha)],
+      associatedPullRequests: [openPullRequest(1798, headSha)],
+      context,
+      headSha,
+    });
+
+    assert.equal(selected.prNumber, undefined);
+    assert.equal(typeof selected.error, "string");
+    assert.match(selected.error, /conflicts with workflow_run PR 1985/);
+  });
+
+  it("fails closed when commit association disagrees with the preview artifact", () => {
+    const selected = selectPullRequestNumber({
+      runPullRequest: undefined,
+      artifacts: [previewArtifact(1798, headSha)],
+      associatedPullRequests: [openPullRequest(1985, headSha)],
+      context,
+      headSha,
+    });
+
+    assert.equal(selected.prNumber, undefined);
+    assert.equal(typeof selected.error, "string");
+    assert.match(selected.error, /conflicts with commit-associated PRs 1985/);
+  });
+
  it("refuses ambiguous associated PRs without a single matching artifact", () => {
    const selected = selectPullRequestNumber({
      runPullRequest: undefined,
@@ -197,6 +255,7 @@ describe("resolvePreviewRequest", () => {
    assert.equal(state.outputs.head_sha, headSha);
    assert.equal(state.outputs.artifact_name, `preview-image-pr-2017-${headSha}`);
    assert.equal(state.outputs.is_fork, "true");
+    assert.equal(state.outputs.resolution_source, "artifact_name+commit_association");
  });

  it("resolves PRs from artifact names when workflow and commit association metadata are unavailable", async () => {
@@ -216,6 +275,7 @@ describe("resolvePreviewRequest", () => {
    assert.equal(state.outputs.head_sha, headSha);
    assert.equal(state.outputs.artifact_name, `preview-image-pr-2017-${headSha}`);
    assert.equal(state.outputs.is_fork, "true");
+    assert.equal(state.outputs.resolution_source, "artifact_name");
    assert.match(state.messages.join("\n"), /Resolved PR 2017 from artifact_name; fork=true/);
  });