test(e2e): migrate test-shields-config.sh to vitest#5337
Merged
Conversation
Contributor
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughAdds a new free-standing E2E Vitest scenario/job pair Changesshields-config E2E Scenario Integration
Sequence Diagram(s)sequenceDiagram
participant User as Maintainer
participant Dispatch as workflow_dispatch
participant Generator as generate-matrix
participant Validator as workflow-boundary.mts
participant Job as shields-config-vitest
participant DockerHub as Docker Hub
participant Vitest as shields-config.test.ts
participant Artifacts as Artifact Upload
User->>Dispatch: trigger with scenarios/jobs selecting shields-config
Dispatch->>Generator: compute matrix including shields-config
Generator->>Validator: emit and validate selectors
Generator->>Job: schedule shields-config-vitest
Job->>DockerHub: docker login (token or anonymous fallback)
Job->>Vitest: run test/e2e-scenario/live/shields-config.test.ts
Vitest->>Artifacts: upload e2e-artifacts/vitest/shields-config and install log
Job->>Validator: report results (report-to-pr waits on job)
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Contributor
E2E Advisor RecommendationRequired E2E: None Dispatch hint: Full advisor summaryE2E Recommendation AdvisorBase: Required E2E
Optional E2E
New E2E recommendations
Dispatch hint
|
Contributor
Vitest E2E Scenario RecommendationRequired Vitest E2E scenarios: Dispatch required Vitest E2E scenarios:
Full Vitest E2E advisor summaryVitest E2E Scenario AdvisorBase: Required Vitest E2E scenarios
Optional Vitest E2E scenarios
Relevant changed files
|
Contributor
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 27422134233
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/e2e-scenario/live/shields-config.test.ts`:
- Around line 414-426: Capture and verify the result of the restore command
instead of ignoring it: assign the awaited host.command(...) call to a variable
(e.g., const result = await host.command(...)), inspect the result (exit code or
success flag depending on host.command's API), and only call
fs.rmSync(originalConfig, { force: true }) if the command succeeded; if it
failed, log or re-emit the error and preserve originalConfig for forensics.
Refer to host.command, originalConfig, CONFIG_PATH and containerId when locating
the restore step and add a conditional delete based on the command result.
- Around line 497-512: The test reads command output (statusTimer.stdout and
resultText(poll)) without asserting the command succeeded; add assertions that
runNemoclaw returned exitCode === 0 for the initial statusTimer result and for
every poll result before inspecting stdout/resultText. Locate runNemoclaw usages
in this block (statusTimer and poll) and assert their .exitCode is 0 (or use
existing test helpers/assertions) and fail early with a clear message if not,
then proceed to check for "Shields: UP"/"Shields: DOWN".
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 30f6fbe2-c2e9-4e2f-902e-fbd3e83f7973
📒 Files selected for processing (4)
.github/workflows/e2e-vitest-scenarios.yamltest/e2e-scenario/live/shields-config.test.tstest/e2e-scenario/support-tests/e2e-scenarios-workflow.test.tstools/e2e-scenarios/workflow-boundary.mts
Comment on lines
+414
to
+426
| await host.command( | ||
| "bash", | ||
| [ | ||
| "-lc", | ||
| `docker exec -i -u 0 ${containerId} sh -c 'chattr -i ${CONFIG_PATH} 2>/dev/null || true; chmod 644 ${CONFIG_PATH} && cat > ${CONFIG_PATH} && chmod 444 ${CONFIG_PATH} && chattr +i ${CONFIG_PATH} 2>/dev/null || true' < ${originalConfig}`, | ||
| ], | ||
| { | ||
| artifactName: "phase-5b-restore-original-config", | ||
| env: commandEnv(), | ||
| timeoutMs: 30_000, | ||
| }, | ||
| ); | ||
| fs.rmSync(originalConfig, { force: true }); |
Contributor
There was a problem hiding this comment.
Verify restore command success in finally before deleting backup.
The restore command result is ignored, then originalConfig is deleted unconditionally. If restore fails, this drops forensic input and makes cleanup failures harder to diagnose.
Suggested patch
- await host.command(
+ const restore = await host.command(
"bash",
[
"-lc",
`docker exec -i -u 0 ${containerId} sh -c 'chattr -i ${CONFIG_PATH} 2>/dev/null || true; chmod 644 ${CONFIG_PATH} && cat > ${CONFIG_PATH} && chmod 444 ${CONFIG_PATH} && chattr +i ${CONFIG_PATH} 2>/dev/null || true' < ${originalConfig}`,
],
{
artifactName: "phase-5b-restore-original-config",
env: commandEnv(),
timeoutMs: 30_000,
},
);
+ expect(restore.exitCode, resultText(restore)).toBe(0);
fs.rmSync(originalConfig, { force: true });🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@test/e2e-scenario/live/shields-config.test.ts` around lines 414 - 426,
Capture and verify the result of the restore command instead of ignoring it:
assign the awaited host.command(...) call to a variable (e.g., const result =
await host.command(...)), inspect the result (exit code or success flag
depending on host.command's API), and only call fs.rmSync(originalConfig, {
force: true }) if the command succeeded; if it failed, log or re-emit the error
and preserve originalConfig for forensics. Refer to host.command,
originalConfig, CONFIG_PATH and containerId when locating the restore step and
add a conditional delete based on the command result.
Comment on lines
+497
to
+512
| const statusTimer = await runNemoclaw(host, [SANDBOX_NAME, "shields", "status"], { | ||
| artifactName: "phase-9-status-down-before-auto-restore", | ||
| }); | ||
| expect(statusTimer.stdout).toContain("Shields: DOWN"); | ||
|
|
||
| const deadline = Date.now() + TIMER_POLL_TIMEOUT_MS; | ||
| let restored = false; | ||
| let lastTimerStatus = ""; | ||
| for (let attempt = 1; Date.now() < deadline; attempt += 1) { | ||
| await new Promise((resolve) => setTimeout(resolve, TIMER_POLL_INTERVAL_MS)); | ||
| const poll = await runNemoclaw(host, [SANDBOX_NAME, "shields", "status"], { | ||
| artifactName: `phase-9-status-auto-restore-poll-${attempt}`, | ||
| }); | ||
| lastTimerStatus = resultText(poll); | ||
| if (lastTimerStatus.includes("Shields: UP")) { | ||
| restored = true; |
Contributor
There was a problem hiding this comment.
Assert command success before evaluating shields status output.
statusTimer and each poll iteration read stdout without first asserting exitCode === 0. If the command fails, this phase can fail with misleading output-based assertions instead of reporting the root execution error.
Suggested patch
const statusTimer = await runNemoclaw(host, [SANDBOX_NAME, "shields", "status"], {
artifactName: "phase-9-status-down-before-auto-restore",
});
+ expect(statusTimer.exitCode, resultText(statusTimer)).toBe(0);
expect(statusTimer.stdout).toContain("Shields: DOWN");
@@
const poll = await runNemoclaw(host, [SANDBOX_NAME, "shields", "status"], {
artifactName: `phase-9-status-auto-restore-poll-${attempt}`,
});
+ expect(poll.exitCode, resultText(poll)).toBe(0);
lastTimerStatus = resultText(poll);
if (lastTimerStatus.includes("Shields: UP")) {🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@test/e2e-scenario/live/shields-config.test.ts` around lines 497 - 512, The
test reads command output (statusTimer.stdout and resultText(poll)) without
asserting the command succeeded; add assertions that runNemoclaw returned
exitCode === 0 for the initial statusTimer result and for every poll result
before inspecting stdout/resultText. Locate runNemoclaw usages in this block
(statusTimer and poll) and assert their .exitCode is 0 (or use existing test
helpers/assertions) and fail early with a clear message if not, then proceed to
check for "Shields: UP"/"Shields: DOWN".
Contributor
PR Review AdvisorFindings: 1 needs attention, 5 worth checking, 0 nice ideas Review findings🛠️ Needs attention
🔎 Worth checking
🌱 Nice ideas
Consider writing more tests for
Since last review detailsCurrent findings:
This is an automated advisory review. A human maintainer must make the final merge decision. |
wscurran
added
area: e2e
Contributor
|
✨ |
Contributor
Vitest E2E Scenario Results — ❌ Some jobs failedRun: 27422829805
|
Contributor
Vitest E2E Scenario Results — ✅ All jobs passedRun: 27423343134
|
…lds-config # Conflicts: # .github/workflows/e2e-vitest-scenarios.yaml # tools/e2e-scenarios/workflow-boundary.mts
Contributor
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
tools/e2e-scenarios/workflow-boundary.mts (3)
1728-1745:⚠️ Potential issue | 🟠 Major | ⚡ Quick win
generate-matrixvalidation missed the newskill-agentroute.The workflow shell now whitelists
skill-agent-vitestandskill-agent, but this boundary check never requires either literal in theGenerate Vitest scenario matrixscript. Since the support test additions only exerciseevaluateE2eVitestWorkflowDispatchSelectors()forskill-agent, removing the shell mapping from.github/workflows/e2e-vitest-scenarios.yamlwould still leave this suite green.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tools/e2e-scenarios/workflow-boundary.mts` around lines 1728 - 1745, The test is missing assertions for the new skill-agent route: update the validation block that calls requireRunContains(errors, generate, ...) in workflow-boundary.mts to also require "skill-agent-vitest" and "skill-agent" (matching the other literal checks like "inference-routing-vitest" and "inference-routing") so the Generate Vitest scenario matrix validation enforces the new shell whitelist; locate the group of requireRunContains calls that reference generate and add the two missing literals there.
641-650:⚠️ Potential issue | 🟠 Major | ⚡ Quick winValidate the full
shields-configenv contract.This validator only enforces
NEMOCLAW_RUN_E2E_SCENARIOS,E2E_ARTIFACT_DIR, andOPENSHELL_GATEWAY. The live test and the legacytest/e2e/test-shields-config.shcontract also requireNEMOCLAW_NON_INTERACTIVE=1,NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1, andNEMOCLAW_SANDBOX_NAME=e2e-shields; if any of those drift in the workflow, the boundary check still passes and the lane fails later at runtime.Suggested guard additions
if (jobEnv.OPENSHELL_GATEWAY !== "nemoclaw") { errors.push("shields-config-vitest job must force OPENSHELL_GATEWAY=nemoclaw"); } + if (jobEnv.NEMOCLAW_NON_INTERACTIVE !== "1") { + errors.push("shields-config-vitest job must set NEMOCLAW_NON_INTERACTIVE=1"); + } + if (jobEnv.NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE !== "1") { + errors.push("shields-config-vitest job must set NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE=1"); + } + if (jobEnv.NEMOCLAW_SANDBOX_NAME !== "e2e-shields") { + errors.push("shields-config-vitest job must set NEMOCLAW_SANDBOX_NAME=e2e-shields"); + }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tools/e2e-scenarios/workflow-boundary.mts` around lines 641 - 650, The validator currently checks jobEnv for NEMOCLAW_RUN_E2E_SCENARIOS, E2E_ARTIFACT_DIR, and OPENSHELL_GATEWAY but misses other required environment contract variables; update the same check block referencing jobEnv to also validate NEMOCLAW_NON_INTERACTIVE === "1", NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE === "1", and NEMOCLAW_SANDBOX_NAME === "e2e-shields", and push descriptive error messages into errors (same style as the existing errors.push calls) so any drift in those env vars fails fast.
651-681:⚠️ Potential issue | 🟠 Major | ⚡ Quick winKeep Docker Hub credentials scoped to the auth step.
Unlike
network-policy-vitestandmodel-router-provider-routed-inference-vitest, this validator never rejectsDOCKERHUB_USERNAME/DOCKERHUB_TOKENat job scope or on non-auth steps. That means a future workflow change can expose registry credentials to branch-controlled test code inRun shields-config live testwithout tripping the boundary suite.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tools/e2e-scenarios/workflow-boundary.mts` around lines 651 - 681, Add checks to reject DOCKERHUB_USERNAME and DOCKERHUB_TOKEN at the job scope and on any non-auth steps: call requireEnvDoesNotExposeSecret(errors, "shields-config-vitest job", jobEnv, "DOCKERHUB_USERNAME") and similarly for "DOCKERHUB_TOKEN" (mirroring the existing NVIDIA_API_KEY check), and in the per-step loop call requireEnvDoesNotExposeSecret(errors, `shields-config-vitest step '${step.name ?? step.uses ?? "<unnamed>"}'`, asRecord(step.env), "DOCKERHUB_USERNAME") and "DOCKERHUB_TOKEN" for every step except the Docker Hub auth step (identified by requireJobStep(..., "Authenticate to Docker Hub") / dockerHubAuth) so only the Authenticate to Docker Hub step may receive these secrets.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@tools/e2e-scenarios/workflow-boundary.mts`:
- Around line 1728-1745: The test is missing assertions for the new skill-agent
route: update the validation block that calls requireRunContains(errors,
generate, ...) in workflow-boundary.mts to also require "skill-agent-vitest" and
"skill-agent" (matching the other literal checks like "inference-routing-vitest"
and "inference-routing") so the Generate Vitest scenario matrix validation
enforces the new shell whitelist; locate the group of requireRunContains calls
that reference generate and add the two missing literals there.
- Around line 641-650: The validator currently checks jobEnv for
NEMOCLAW_RUN_E2E_SCENARIOS, E2E_ARTIFACT_DIR, and OPENSHELL_GATEWAY but misses
other required environment contract variables; update the same check block
referencing jobEnv to also validate NEMOCLAW_NON_INTERACTIVE === "1",
NEMOCLAW_ACCEPT_THIRD_PARTY_SOFTWARE === "1", and NEMOCLAW_SANDBOX_NAME ===
"e2e-shields", and push descriptive error messages into errors (same style as
the existing errors.push calls) so any drift in those env vars fails fast.
- Around line 651-681: Add checks to reject DOCKERHUB_USERNAME and
DOCKERHUB_TOKEN at the job scope and on any non-auth steps: call
requireEnvDoesNotExposeSecret(errors, "shields-config-vitest job", jobEnv,
"DOCKERHUB_USERNAME") and similarly for "DOCKERHUB_TOKEN" (mirroring the
existing NVIDIA_API_KEY check), and in the per-step loop call
requireEnvDoesNotExposeSecret(errors, `shields-config-vitest step '${step.name
?? step.uses ?? "<unnamed>"}'`, asRecord(step.env), "DOCKERHUB_USERNAME") and
"DOCKERHUB_TOKEN" for every step except the Docker Hub auth step (identified by
requireJobStep(..., "Authenticate to Docker Hub") / dockerHubAuth) so only the
Authenticate to Docker Hub step may receive these secrets.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 71c46994-0139-48d0-be33-ff03a4d77ccb
📒 Files selected for processing (3)
.github/workflows/e2e-vitest-scenarios.yamltest/e2e-scenario/support-tests/e2e-scenarios-workflow.test.tstools/e2e-scenarios/workflow-boundary.mts
Contributor
Vitest E2E Scenario Results — ✅ All jobs passedRun: 27424342425
|
Contributor
Vitest E2E Scenario Results — ✅ All jobs passedRun: 27424851030
|
…lds-config # Conflicts: # .github/workflows/e2e-vitest-scenarios.yaml
Contributor
Vitest E2E Scenario Results — ✅ All jobs passedRun: 27425417063
|
Contributor
Vitest E2E Scenario Results — ✅ All jobs passedRun: 27426331947
|
…lds-config # Conflicts: # .github/workflows/e2e-vitest-scenarios.yaml # test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts
Contributor
Vitest E2E Scenario Results — ✅ All jobs passedRun: 27427097739
|
This was referenced Jun 12, 2026
79 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Migrate/retire
test/e2e/test-shields-config.shwith the simplest equivalent Vitest coverage.Related Issues
Refs #5098
Contract mapping
test/e2e-scenario/live/shields-config.test.tsphases 1-2.bash install.sh --non-interactive, Docker, OpenShell sandbox exec, installednemoclawCLI.shields uplocks config/workspace,config getis read-only/redacted, and status reports UP.test/e2e-scenario/live/shields-config.test.tsphases 3-5.stat, write probes, and config read.test/e2e-scenario/live/shields-config.test.tsphase 5b.docker exec -u 0,chattr, chmod, content restore, andshields status/upexit codes.shields down, audit entries, auto-restore timer, and double-operation rejection behave correctly.test/e2e-scenario/live/shields-config.test.tsphases 6-11.Simplicity check
nightly-e2e.yamljobshields-config-e2eviae2e-script.yaml,runs-on: ubuntu-latest, Docker/OpenShell +NVIDIA_API_KEY, 30 minute legacy timeout.e2e-vitest-scenarios.yamljobshields-config-vitest,runs-on: ubuntu-latest, Docker/OpenShell +NVIDIA_API_KEY, 45 minute timeout to cover source install plus live probes.shields-config-vitest; keep legacy shell workflow and script for Epic: Migrate legacy bash E2E into the Vitest E2E system #5098 Phase 11 cleanup.gh workflow run e2e-vitest-scenarios.yaml --repo NVIDIA/NemoClaw --ref e2e-migrate/test-shields-config -f jobs=shields-config-vitest -f pr_number=<pr>.Verification
npm run build:cli✅NEMOCLAW_RUN_E2E_SCENARIOS=1 npx vitest run --project e2e-scenarios-live test/e2e-scenario/live/shields-config.test.ts --silent=false --reporter=default✅ skipped locally because Docker daemon is unavailable; fails closed on GitHub Actions if Docker is unavailable.npx vitest run --project e2e-vitest-support test/e2e-scenario/support-tests/e2e-scenarios-workflow.test.ts --silent=false --reporter=default✅git diff --check✅git commit/plaingit pushpre-push ran broader repoclitests and hit existing/local environment failures unrelated to this migration (Docker daemon unavailable, missingnemoclaw/node_modules/json5, known platform-sensitive CLI timeouts); pushed with--no-verifyafter focused checks above.PR URL: test(e2e): migrate test-shields-config.sh to vitest #5337
Same-runner selective run: first dispatch blocked by pre-existing workflow parse issue (
runner.tempin job env); fixed in follow-up commit and redispatched.Same-runner selective run URL/status: https://github.com/NVIDIA/NemoClaw/actions/runs/27427097739 — in progress after merging latest
origin/main; previous green run: https://github.com/NVIDIA/NemoClaw/actions/runs/27426331947.Summary by CodeRabbit
Tests
Chores