Allow Codecov to fail in CI without failing the pipeline.

[AlexSkrypnyk]

Summary by CodeRabbit

• Chores

  • CI resilience: coverage uploads no longer block job completion when they fail across workflows.
  • Environment defaults updated to reference a specific demo DB release and a concrete example image tag.

• New Features

  • Added a CLI tool to rebuild and publish test/demo assets and images with mode and tag options.

• Tests

  • Test suite updated to pin demo/test database image tags to the specified release.

• Documentation

  • Maintenance docs consolidated to describe the new CLI, modes, tagging, requirements, caveats, and examples.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds resilient Codecov upload handling across multiple GitHub workflows; introduces a new executable CLI .vortex/tests/update-test-assets to automate rebuilding and publishing demo/test assets; updates maintenance docs and pins demo/test DB image tags and related test fixtures.

Changes

Cohort / File(s)	Summary
CI workflows .github/workflows/build-test-deploy.yml, .github/workflows/vortex-test-common.yml, .github/workflows/vortex-test-docs.yml, .github/workflows/vortex-test-installer.yml	Added continue-on-error: true to Codecov upload steps so coverage upload failures no longer fail jobs; preserved existing action inputs (e.g., fail_ci_if_error).
Test assets CLI script .vortex/tests/update-test-assets	New executable PHP CLI entrypoint implementing mode-driven rebuild/publish flows (modes: demo-*, test-*, destination-images, all), argument parsing (mode, --tag), tool validation, DB dump normalization, image build/tag/push, and exit-on-command-failure behavior.
Docs: maintenance template .vortex/docs/content/contributing/maintenance/template.mdx	Replaced manual demo/test asset update instructions with documentation for the new CLI, including modes, defaults, --tag usage, requirements, caveats, and example invocations.
Environment and tests .env, .vortex/tests/bats/unit/provision.bats, .vortex/tests/phpunit/Functional/AhoyWorkflowTest.php, .vortex/tests/phpunit/Traits/SutTrait.php	Pinned demo/test DB image tags to :1.38.0-rc1 (replacing :latest), updated demo DB download URL and commented example image tag in .env, and adjusted tests/assertions and test constants to match the pinned tag(s).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User
  participant CLI as ".vortex/tests/update-test-assets"
  participant FS as "Filesystem"
  participant Drush
  participant Docker as "Docker Engine"
  participant Registry as "Docker Registry"

  User->>CLI: invoke with mode [--tag]
  CLI->>FS: validate tools & prepare workspace
  CLI->>Drush: run provisioning / seed / export commands
  Drush-->>CLI: produce SQL dumps
  CLI->>FS: normalize SQL collations and write dumps
  CLI->>Docker: build and tag images
  Docker->>Registry: push image(s) to destination tags
  Registry-->>CLI: return push status
  CLI-->>User: report results and next steps

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• [#1560] Moved vortex update test to PHPUnit. #2035 — Modifies PHPUnit tests and test trait constants touched by this change.
• Ported recent shell script changes to PHP tooling package. #2415 — Related changes to provisioning/fallback behavior and tests; overlaps with added debug/assertions in workflow tests.
• Split workflow tests. #2017 — Restructures workflow test helpers (download DB steps) and touches functional tests similar to these edits.

Poem

🐇 I hopped through YAML, SQL, and seed,

Built stacks, tagged images at great speed.
When Codecov slips, the run stays bright—
Dumps smoothed, images pushed into night,
A rabbit's hop for CI delight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: making Codecov failures non-blocking in CI pipelines.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/optional-codecov

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.51%. Comparing base (e5a43dc) to head (eb9d511).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2476      +/-   ##
==========================================
- Coverage   79.97%   79.51%   -0.46%     
==========================================
  Files         129      122       -7     
  Lines        6895     6736     -159     
  Branches       47        3      -44     
==========================================
- Hits         5514     5356     -158     
+ Misses       1381     1380       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.vortex/tests/update-test-assets:
- Line 87: mode_destination_images currently assumes the source image tag is
":latest", ignoring the CLI --tag option; update mode_destination_images (and
the other affected mappings at 139-147) to accept and use the resolved tag
parameter (or read the shared tag variable) when constructing image references
so images are built/pushed and referenced as "<image>:<tag>" instead of always
":latest"; locate mode_destination_images and any call sites that register
'destination-images' and change the signature/usage to propagate the tag value
through and interpolate it into the source image name.
- Around line 186-193: The code does not check the results of mkdir() or
file_put_contents(), so failures will surface later; after computing $seed_dir
and before writing, validate mkdir($seed_dir, 0755, TRUE) and handle a false
return (e.g., log and exit/throw), then call build_seed_script($title, $body)
and write with file_put_contents($seed_dir . '/seed-test-asset.php', $script)
but check its return value as well and fail fast with a descriptive error if it
returns false; update the block that creates $seed_dir and writes the seed file
to perform these checks and error handling.
- Around line 218-224: The test currently downloads and executes seed.sh from
SEED_URL (which points at /releases/latest/) creating an unreproducible
supply-chain risk; change SEED_URL to a pinned release URL (non-latest) and add
an integrity check using a stored expected SHA256 before executing: after
run(sprintf('curl -fsSL -o seed.sh %s', escapeshellarg(SEED_URL)), $cwd) compute
and verify the file's SHA256 against a new constant like SEED_SHA256 (or fetch a
.sha256 from the same pinned release) and fail the test (do not run
chmod/chroot/./seed.sh) if the checksum does not match; update references to
seed.sh, SEED_URL and add SEED_SHA256 so the test fails fast on mismatch and
uses a fixed, audited script version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: fc264a7b-722b-453c-b31c-5d0335da7fd8

📥 Commits

Reviewing files that changed from the base of the PR and between 6697088 and e2f5e76.

📒 Files selected for processing (2)

• .vortex/docs/content/contributing/maintenance/template.mdx
• .vortex/tests/update-test-assets

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fail fast when seed script file creation fails.

mkdir() and file_put_contents() results are not validated. A write failure will surface later as a less-actionable command error.

Suggested fix

   $seed_dir = $cwd . '/.data';
-  if (!is_dir($seed_dir)) {
-    mkdir($seed_dir, 0755, TRUE);
+  if (!is_dir($seed_dir) && !mkdir($seed_dir, 0755, TRUE) && !is_dir($seed_dir)) {
+    fwrite(STDERR, sprintf("Error: failed to create directory %s.\n", $seed_dir));
+    exit(1);
   }
 
   $script = build_seed_script($title, $body);
-  file_put_contents($seed_dir . '/seed-test-asset.php', $script);
+  $seed_script = $seed_dir . '/seed-test-asset.php';
+  if (file_put_contents($seed_script, $script) === FALSE) {
+    fwrite(STDERR, sprintf("Error: failed to write %s.\n", $seed_script));
+    exit(1);
+  }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	$seed_dir = $cwd . '/.data';
	if (!is_dir($seed_dir)) {
	mkdir($seed_dir, 0755, TRUE);
	}
	$script = build_seed_script($title, $body);
	file_put_contents($seed_dir . '/seed-test-asset.php', $script);
	$seed_dir = $cwd . '/.data';
	if (!is_dir($seed_dir) && !mkdir($seed_dir, 0755, TRUE) && !is_dir($seed_dir)) {
	fwrite(STDERR, sprintf("Error: failed to create directory %s.\n", $seed_dir));
	exit(1);
	}
	$script = build_seed_script($title, $body);
	$seed_script = $seed_dir . '/seed-test-asset.php';
	if (file_put_contents($seed_script, $script) === FALSE) {
	fwrite(STDERR, sprintf("Error: failed to write %s.\n", $seed_script));
	exit(1);
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets around lines 186 - 193, The code does not
check the results of mkdir() or file_put_contents(), so failures will surface
later; after computing $seed_dir and before writing, validate mkdir($seed_dir,
0755, TRUE) and handle a false return (e.g., log and exit/throw), then call
build_seed_script($title, $body) and write with file_put_contents($seed_dir .
'/seed-test-asset.php', $script) but check its return value as well and fail
fast with a descriptive error if it returns false; update the block that creates
$seed_dir and writes the seed file to perform these checks and error handling.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

find . -name "update-test-assets" -type f

Repository: drevops/vortex

Length of output: 93

---

🏁 Script executed:

cat -n ./.vortex/tests/update-test-assets | head -250 | tail -100

Repository: drevops/vortex

Length of output: 4181

---

🏁 Script executed:

grep -n "SEED_URL" ./.vortex/tests/update-test-assets

Repository: drevops/vortex

Length of output: 241

---

🏁 Script executed:

grep -n "hash\|SEED_SHA\|integrity\|checksum" ./.vortex/tests/update-test-assets

Repository: drevops/vortex

Length of output: 40

---

Pin the remote script version and add SHA256 integrity verification.

The code downloads seed.sh from https://github.com/drevops/mariadb-drupal-data/releases/latest/download/seed.sh and executes it directly without pinning the version or verifying its integrity. Using /releases/latest/ is a supply-chain risk that breaks reproducibility and makes the script vulnerable to unexpected changes in the release.

Suggested hardening

-const SEED_URL = 'https://github.com/drevops/mariadb-drupal-data/releases/latest/download/seed.sh';
+const SEED_URL = 'https://github.com/drevops/mariadb-drupal-data/releases/download/vX.Y.Z/seed.sh';
+const SEED_SHA256 = 'REPLACE_WITH_RELEASE_SHA256';
@@
 function seed_image(string $cwd, string $filename, string $image): void {
   step('Download seed.sh');
   run(sprintf('curl -fsSL -o seed.sh %s', escapeshellarg(SEED_URL)), $cwd);
+  $actual = hash_file('sha256', $cwd . '/seed.sh');
+  if ($actual !== SEED_SHA256) {
+    fwrite(STDERR, sprintf("Error: seed.sh checksum mismatch (expected %s, got %s).\n", SEED_SHA256, (string) $actual));
+    exit(1);
+  }
   run('chmod +x seed.sh', $cwd);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets around lines 218 - 224, The test currently
downloads and executes seed.sh from SEED_URL (which points at /releases/latest/)
creating an unreproducible supply-chain risk; change SEED_URL to a pinned
release URL (non-latest) and add an integrity check using a stored expected
SHA256 before executing: after run(sprintf('curl -fsSL -o seed.sh %s',
escapeshellarg(SEED_URL)), $cwd) compute and verify the file's SHA256 against a
new constant like SEED_SHA256 (or fetch a .sha256 from the same pinned release)
and fail the test (do not run chmod/chroot/./seed.sh) if the checksum does not
match; update references to seed.sh, SEED_URL and add SEED_SHA256 so the test
fails fast on mismatch and uses a fixed, audited script version.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

.vortex/tests/update-test-assets (1)

43-43: ⚠️ Potential issue | 🔴 Critical

Pin and verify seed.sh before executing it.

The script still downloads seed.sh from /releases/latest/ and executes it unchecked. That makes the asset build non-reproducible and turns an upstream release change into code execution on the maintainer machine.

Suggested fix

-const SEED_URL = 'https://github.com/drevops/mariadb-drupal-data/releases/latest/download/seed.sh';
+const SEED_URL = 'https://github.com/drevops/mariadb-drupal-data/releases/download/vX.Y.Z/seed.sh';
+const SEED_SHA256 = 'REPLACE_WITH_RELEASE_SHA256';
@@
 function seed_image(string $cwd, string $filename, string $image): void {
   step('Download seed.sh');
   run(sprintf('curl -fsSL -o seed.sh %s', escapeshellarg(SEED_URL)), $cwd);
+  $actual = hash_file('sha256', $cwd . '/seed.sh');
+  if ($actual !== SEED_SHA256) {
+    fwrite(STDERR, sprintf("Error: seed.sh checksum mismatch (expected %s, got %s).\n", SEED_SHA256, (string) $actual));
+    exit(1);
+  }
   run('chmod +x seed.sh', $cwd);

Also applies to: 306-312

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets at line 43, The code defines SEED_URL and
downloads/executes seed.sh directly which is unsafe and unreproducible; change
SEED_URL to point to a pinned release artifact (specific tag or commit) and add
verification before execution: fetch a published checksum or signature for that
exact artifact and verify it (e.g., compare SHA256 or verify GPG) prior to
running, and fail the build if verification fails; update the
download-and-execute logic (the code that uses SEED_URL) to perform the
checksum/signature retrieval and verification step and only then execute the
local file.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.vortex/docs/content/contributing/maintenance/template.mdx:
- Around line 271-275: Update the stale bullet about "destination-images":
replace the statement that it "expects ... to already exist locally" with a note
that `.vortex/tests/update-test-assets` now pulls the source demo image before
tagging, so `destination-images` only requires the requested tag to exist in the
registry (it no longer requires a local image or that `demo-image`/`all` were
run in the same session); edit the bullet referencing `destination-images`
accordingly.

In @.vortex/tests/update-test-assets:
- Around line 331-343: The parsing of the --tag option must reject empty or
whitespace-only values in both forms; update the handling around the $tag
assignment (both the $arg === '--tag' branch and the str_starts_with($arg,
'--tag=') branch) to trim the candidate value (use trim($args[$i + 1]) and
trim(substr(...))) and if the trimmed string === '' call usage_error($script,
$valid_modes, "Option '--tag' requires a value."); ensure $i is still advanced
appropriately in the first branch only after validating the trimmed tag.
- Around line 256-257: The test currently swallows any real front-end build
errors by using run('ahoy fe || true', $cwd) in the step('Build front-end assets
(skipped if theme not configured)') block; change this so failures are not
ignored: detect whether the theme is actually configured (e.g., check the theme
directory or config flag) and only skip the command when absent, otherwise run
'ahoy fe' without the '|| true' fallback so a non-zero exit will fail the
test/run; update the conditional logic around the run(...) call accordingly.

---

Duplicate comments:
In @.vortex/tests/update-test-assets:
- Line 43: The code defines SEED_URL and downloads/executes seed.sh directly
which is unsafe and unreproducible; change SEED_URL to point to a pinned release
artifact (specific tag or commit) and add verification before execution: fetch a
published checksum or signature for that exact artifact and verify it (e.g.,
compare SHA256 or verify GPG) prior to running, and fail the build if
verification fails; update the download-and-execute logic (the code that uses
SEED_URL) to perform the checksum/signature retrieval and verification step and
only then execute the local file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d74d7029-a122-4e78-b1a1-362551cfb4ff

📥 Commits

Reviewing files that changed from the base of the PR and between e2f5e76 and edc0c83.

⛔ Files ignored due to path filters (19)

• .vortex/installer/tests/Fixtures/handler_process/_baseline/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_acquia/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_container_registry/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_ftp/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_s3/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/hosting_acquia/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/hosting_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/hosting_project_name___acquia/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/hosting_project_name___lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/migration_disabled_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/migration_download_source_url/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/migration_enabled/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/migration_enabled_circleci/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/provision_database_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/provision_profile/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/starter_drupal_cms_profile/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/starter_drupal_profile/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/theme_custom_non_vortex/.env is excluded by !.vortex/installer/tests/Fixtures/**

📒 Files selected for processing (6)

• .env
• .vortex/docs/content/contributing/maintenance/template.mdx
• .vortex/tests/bats/unit/provision.bats
• .vortex/tests/phpunit/Functional/AhoyWorkflowTest.php
• .vortex/tests/phpunit/Traits/SutTrait.php
• .vortex/tests/update-test-assets

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Do not swallow real front-end build failures.

Line 257 turns every ahoy fe failure into success. That can publish refreshed dumps/images with broken or stale built assets. Skip this step only when the theme is genuinely absent; otherwise let the failure stop the run.

Suggested fix

-  step('Build front-end assets (skipped if theme not configured)');
-  run('ahoy fe || true', $cwd);
+  $theme_packages = glob($cwd . '/web/themes/custom/*/package.json') ?: [];
+  if ($theme_packages !== []) {
+    step('Build front-end assets');
+    run('ahoy fe', $cwd);
+  }
+  else {
+    step('Skip front-end asset build (theme not configured)');
+  }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets around lines 256 - 257, The test currently
swallows any real front-end build errors by using run('ahoy fe || true', $cwd)
in the step('Build front-end assets (skipped if theme not configured)') block;
change this so failures are not ignored: detect whether the theme is actually
configured (e.g., check the theme directory or config flag) and only skip the
command when absent, otherwise run 'ahoy fe' without the '|| true' fallback so a
non-zero exit will fail the test/run; update the conditional logic around the
run(...) call accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Reject blank --tag values in both syntaxes.

--tag "" currently passes the --tag <tag> branch, and whitespace-only values pass both branches. The first failure then happens later in Docker with an invalid image reference instead of a clear usage error.

Suggested fix

     if ($arg === '--tag') {
-      if (!isset($args[$i + 1])) {
+      if (!isset($args[$i + 1]) || trim($args[$i + 1]) === '') {
         usage_error($script, $valid_modes, "Option '--tag' requires a value.");
       }
       $tag = $args[$i + 1];
@@
     if (str_starts_with($arg, '--tag=')) {
       $tag = substr($arg, strlen('--tag='));
-      if ($tag === '') {
+      if (trim($tag) === '') {
         usage_error($script, $valid_modes, "Option '--tag' requires a value.");
       }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if ($arg === '--tag') {
	if (!isset($args[$i + 1])) {
	usage_error($script, $valid_modes, "Option '--tag' requires a value.");
	}
	$tag = $args[$i + 1];
	$i += 2;
	continue;
	}
	if (str_starts_with($arg, '--tag=')) {
	$tag = substr($arg, strlen('--tag='));
	if ($tag === '') {
	usage_error($script, $valid_modes, "Option '--tag' requires a value.");
	if ($arg === '--tag') {
	if (!isset($args[$i + 1]) || trim($args[$i + 1]) === '') {
	usage_error($script, $valid_modes, "Option '--tag' requires a value.");
	}
	$tag = $args[$i + 1];
	$i += 2;
	continue;
	}
	if (str_starts_with($arg, '--tag=')) {
	$tag = substr($arg, strlen('--tag='));
	if (trim($tag) === '') {
	usage_error($script, $valid_modes, "Option '--tag' requires a value.");
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets around lines 331 - 343, The parsing of the
--tag option must reject empty or whitespace-only values in both forms; update
the handling around the $tag assignment (both the $arg === '--tag' branch and
the str_starts_with($arg, '--tag=') branch) to trim the candidate value (use
trim($args[$i + 1]) and trim(substr(...))) and if the trimmed string === '' call
usage_error($script, $valid_modes, "Option '--tag' requires a value."); ensure
$i is still advanced appropriately in the first branch only after validating the
trimmed tag.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (4)

.vortex/docs/content/contributing/maintenance/template.mdx (1)

274-275: ⚠️ Potential issue | 🟡 Minor

The destination-images caveat is stale.

The script now pulls the source demo image before tagging (see mode_destination_images at lines 139-140 in .vortex/tests/update-test-assets), so destination-images no longer requires the image to already exist locally.

,

📝 Suggested documentation update

-- `destination-images` expects `drevops/vortex-dev-mariadb-drupal-data-demo-11.x:1.38.0-rc1`
-  to already exist locally - run `demo-image` (or `all`) first.
+- `destination-images` pulls the source demo image from the registry before
+  tagging, so the image only needs to exist in the registry (not locally).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/docs/content/contributing/maintenance/template.mdx around lines 274
- 275, Update the stale caveat about `destination-images`: change the sentence
that claims `destination-images` expects
`drevops/vortex-dev-mariadb-drupal-data-demo-11.x:1.38.0-rc1` to already exist
locally to reflect that the script now pulls the source image before tagging
(see the `mode_destination_images` logic), so remove the requirement or reword
the note to state the script will pull the source demo image automatically prior
to tagging; ensure the reference to `destination-images` and
`mode_destination_images` is used so reviewers can locate and verify the change.

.vortex/tests/update-test-assets (3)

407-422: ⚠️ Potential issue | 🟡 Minor

Reject whitespace-only --tag values.

The validation checks for empty string but not whitespace-only values like --tag " ". This would result in a confusing Docker error later rather than a clear usage message.

,

🔧 Suggested fix

     if ($arg === '--tag') {
-      if (!isset($args[$i + 1])) {
+      if (!isset($args[$i + 1]) || trim($args[$i + 1]) === '') {
         usage_error($script, $valid_modes, "Option '--tag' requires a value.");
       }
-      $tag = $args[$i + 1];
+      $tag = trim($args[$i + 1]);
       $i += 2;
       continue;
     }

     if (str_starts_with($arg, '--tag=')) {
       $tag = substr($arg, strlen('--tag='));
-      if ($tag === '') {
+      if (trim($tag) === '') {
         usage_error($script, $valid_modes, "Option '--tag' requires a value.");
       }
+      $tag = trim($tag);
       $i += 1;
       continue;
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets around lines 407 - 422, The code accepts a
tag value that may be whitespace-only (e.g. --tag " "), so update both parsing
branches to reject values that are empty after trimming: when setting $tag from
$args[$i + 1] (in the '--tag' branch) and when setting $tag from substr(...) (in
the '--tag=' branch), validate with trim($tag) and call usage_error($script,
$valid_modes, "Option '--tag' requires a value.") if trim($tag) === '' to ensure
whitespace-only tags are treated as missing.

---

43-43: ⚠️ Potential issue | 🟠 Major

Pin the remote seed script version and add integrity verification.

Downloading seed.sh from /releases/latest/ and executing it directly is a supply-chain risk that breaks reproducibility. A malicious or buggy update to the upstream release could affect all future runs without warning.

,

🔒 Suggested hardening

-const SEED_URL = 'https://github.com/drevops/mariadb-drupal-data/releases/latest/download/seed.sh';
+const SEED_URL = 'https://github.com/drevops/mariadb-drupal-data/releases/download/v1.0.0/seed.sh';
+const SEED_SHA256 = 'REPLACE_WITH_ACTUAL_SHA256_HASH';

Then in seed_image():

function seed_image(string $cwd, string $filename, string $image): void {
  step('Download seed.sh');
  run(sprintf('curl -fsSL -o seed.sh %s', escapeshellarg(SEED_URL)), $cwd);
  
  // Verify integrity before execution.
  $actual = hash_file('sha256', $cwd . '/seed.sh');
  if ($actual !== SEED_SHA256) {
    fwrite(STDERR, sprintf("Error: seed.sh checksum mismatch (expected %s, got %s).\n", SEED_SHA256, (string) $actual));
    exit(1);
  }
  
  run('chmod +x seed.sh', $cwd);
  // ...
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets at line 43, Replace the floating release
URL in SEED_URL with a pinned release URL and add a corresponding SEED_SHA256
constant, then update the seed_image() flow (function seed_image) to verify the
downloaded seed.sh before execution: download using the pinned SEED_URL, compute
hash_file('sha256') of the downloaded file and compare against SEED_SHA256, and
abort with a clear error and non-zero exit if the checksum mismatches, only then
chmod +x and run the script. Ensure the constants SEED_URL and SEED_SHA256 are
adjacent and documented so future updates require changing both.

---

275-276: ⚠️ Potential issue | 🟠 Major

Do not swallow real front-end build failures.

Using || true masks genuine build errors, potentially publishing assets with broken or stale front-end artifacts. The step comment acknowledges the theme may not be configured, but the failure mode should be more precise.

,

🔧 Suggested fix

-  step('Build front-end assets (skipped if theme not configured)');
-  run('ahoy fe || true', $cwd);
+  $theme_packages = glob($cwd . '/web/themes/custom/*/package.json') ?: [];
+  if ($theme_packages !== []) {
+    step('Build front-end assets');
+    run('ahoy fe', $cwd);
+  }
+  else {
+    step('Skip front-end asset build (no theme package.json found)');
+  }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets around lines 275 - 276, The test is
swallowing real front-end build failures by using the tolerant command run('ahoy
fe || true', $cwd) inside the step('Build front-end assets (skipped if theme not
configured)'); remove the "|| true" and instead make the step explicitly
conditional: check the theme/config presence (or a specific env/test flag)
before calling run('ahoy fe', $cwd), and if the theme is absent skip the step
gracefully; if the theme is present run the command and allow failures to
surface (i.e., fail the test on non‑zero exit) so real build errors are not
masked.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.vortex/tests/update-test-assets:
- Around line 228-240: The reset_sut function currently shells out to 'mkdir -p'
without checking for failure; replace that shell call with PHP's mkdir(SUT_DIR,
0777, true) (or at least check the return of mkdir) and handle errors: if mkdir
returns false (or is_dir(SUT_DIR) is still false), log or throw a clear error
and exit so later docker run doesn't fail with a less actionable message; update
references in reset_sut and keep using run(...) for the docker cleanup step
unchanged.

---

Duplicate comments:
In @.vortex/docs/content/contributing/maintenance/template.mdx:
- Around line 274-275: Update the stale caveat about `destination-images`:
change the sentence that claims `destination-images` expects
`drevops/vortex-dev-mariadb-drupal-data-demo-11.x:1.38.0-rc1` to already exist
locally to reflect that the script now pulls the source image before tagging
(see the `mode_destination_images` logic), so remove the requirement or reword
the note to state the script will pull the source demo image automatically prior
to tagging; ensure the reference to `destination-images` and
`mode_destination_images` is used so reviewers can locate and verify the change.

In @.vortex/tests/update-test-assets:
- Around line 407-422: The code accepts a tag value that may be whitespace-only
(e.g. --tag " "), so update both parsing branches to reject values that are
empty after trimming: when setting $tag from $args[$i + 1] (in the '--tag'
branch) and when setting $tag from substr(...) (in the '--tag=' branch),
validate with trim($tag) and call usage_error($script, $valid_modes, "Option
'--tag' requires a value.") if trim($tag) === '' to ensure whitespace-only tags
are treated as missing.
- Line 43: Replace the floating release URL in SEED_URL with a pinned release
URL and add a corresponding SEED_SHA256 constant, then update the seed_image()
flow (function seed_image) to verify the downloaded seed.sh before execution:
download using the pinned SEED_URL, compute hash_file('sha256') of the
downloaded file and compare against SEED_SHA256, and abort with a clear error
and non-zero exit if the checksum mismatches, only then chmod +x and run the
script. Ensure the constants SEED_URL and SEED_SHA256 are adjacent and
documented so future updates require changing both.
- Around line 275-276: The test is swallowing real front-end build failures by
using the tolerant command run('ahoy fe || true', $cwd) inside the step('Build
front-end assets (skipped if theme not configured)'); remove the "|| true" and
instead make the step explicitly conditional: check the theme/config presence
(or a specific env/test flag) before calling run('ahoy fe', $cwd), and if the
theme is absent skip the step gracefully; if the theme is present run the
command and allow failures to surface (i.e., fail the test on non‑zero exit) so
real build errors are not masked.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ed79ada3-1a68-4c55-89a7-0635e2705b96

📥 Commits

Reviewing files that changed from the base of the PR and between edc0c83 and 64a7da4.

⛔ Files ignored due to path filters (19)

• .vortex/installer/tests/Fixtures/handler_process/_baseline/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_acquia/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_container_registry/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_ftp/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/db_download_source_s3/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/hosting_acquia/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/hosting_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/hosting_project_name___acquia/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/hosting_project_name___lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/migration_disabled_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/migration_download_source_url/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/migration_enabled/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/migration_enabled_circleci/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/provision_database_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/provision_profile/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/starter_drupal_cms_profile/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/starter_drupal_profile/.env is excluded by !.vortex/installer/tests/Fixtures/**
• .vortex/installer/tests/Fixtures/handler_process/theme_custom_non_vortex/.env is excluded by !.vortex/installer/tests/Fixtures/**

📒 Files selected for processing (6)

• .env
• .vortex/docs/content/contributing/maintenance/template.mdx
• .vortex/tests/bats/unit/provision.bats
• .vortex/tests/phpunit/Functional/AhoyWorkflowTest.php
• .vortex/tests/phpunit/Traits/SutTrait.php
• .vortex/tests/update-test-assets

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add error handling for directory creation failure.

The mkdir call at line 236 does not verify success. If the directory cannot be created (permissions, disk full), the failure surfaces later with a less actionable error.

🔧 Suggested fix

   step(sprintf('Reset SUT directory %s', SUT_DIR));

-  run(sprintf('mkdir -p %s', escapeshellarg(SUT_DIR)));
+  if (!is_dir(SUT_DIR) && !mkdir(SUT_DIR, 0755, TRUE) && !is_dir(SUT_DIR)) {
+    fwrite(STDERR, sprintf("Error: failed to create directory %s.\n", SUT_DIR));
+    exit(1);
+  }
   run(sprintf(

Note: Using PHP's mkdir() with error handling is more robust than shelling out to mkdir -p.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/update-test-assets around lines 228 - 240, The reset_sut
function currently shells out to 'mkdir -p' without checking for failure;
replace that shell call with PHP's mkdir(SUT_DIR, 0777, true) (or at least check
the return of mkdir) and handle errors: if mkdir returns false (or
is_dir(SUT_DIR) is still false), log or throw a clear error and exit so later
docker run doesn't fail with a less actionable message; update references in
reset_sut and keep using run(...) for the docker cleanup step unchanged.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.vortex/tests/phpunit/Functional/AhoyWorkflowTest.php:
- Around line 565-567: The test currently prints partial secret material by
calling logSubstep then executing cmd with an ahoy drush php:eval that outputs
"hash_salt=" and part of Settings::get("hash_salt"); change this to avoid
exposing secret bytes: modify the cmd(...) PHP snippet so it only emits
non-secret metadata (e.g. presence, boolean or masked length) for
Settings::get("hash_salt") and continue to print deployment_identifier as before
(or print its presence similarly); keep references to the same call site (the
logSubstep and the cmd('ahoy drush php:eval ...') invocation) so the test still
verifies existence without logging secret content.
- Around line 533-579: The debug probe calls currently call $this->cmd(...)
directly which makes them fatal on transient failures; wrap each debug probe
invocation in a try/catch that catches \Throwable (or \Exception) and logs the
failure with $this->logSubstep so the test continues (e.g. try {
$this->cmd(...); } catch (\Throwable $e) { $this->logSubstep('DEBUG: probe
failed: ' . $e->getMessage()); }). Apply this to every probe invocation that
currently calls $this->cmd(...) in the diagnostic block (the sequence of
$this->logSubstep(...) followed by $this->cmd(...)), ensuring any shell commands
remain unchanged but are protected by the try/catch to make them
best-effort/non-fatal.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: a55dc723-2596-4628-95ed-b67f94deb6d2

📥 Commits

Reviewing files that changed from the base of the PR and between 64a7da4 and 02c9384.

⛔ Files ignored due to path filters (1)

• .vortex/installer/tests/Fixtures/handler_process/migration_enabled_lagoon/.env is excluded by !.vortex/installer/tests/Fixtures/**

📒 Files selected for processing (1)

• .vortex/tests/phpunit/Functional/AhoyWorkflowTest.php

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid logging hash_salt material in CI output.

Line 566 prints part of hash_salt. Even partial secret disclosure should be avoided in logs; log only presence/metadata.

Proposed fix (log presence only, not secret bytes)

-    $this->cmd('ahoy drush php:eval "print \"hash_salt=\" . substr(\Drupal\Core\Site\Settings::get(\"hash_salt\"), 0, 12) . PHP_EOL . \"deployment_identifier=\" . (\Drupal\Core\Site\Settings::get(\"deployment_identifier\") ?? \"(null)\") . PHP_EOL;"');
+    $this->cmd('ahoy drush php:eval "print \"hash_salt_set=\" . (\Drupal\Core\Site\Settings::get(\"hash_salt\") ? \"1\" : \"0\") . PHP_EOL . \"deployment_identifier_set=\" . (\Drupal\Core\Site\Settings::get(\"deployment_identifier\") ? \"1\" : \"0\") . PHP_EOL;"');

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	$this->logSubstep('DEBUG: hash_salt and deployment_identifier');
	$this->cmd('ahoy drush php:eval "print \"hash_salt=\" . substr(\Drupal\Core\Site\Settings::get(\"hash_salt\"), 0, 12) . PHP_EOL . \"deployment_identifier=\" . (\Drupal\Core\Site\Settings::get(\"deployment_identifier\") ?? \"(null)\") . PHP_EOL;"');
	$this->logSubstep('DEBUG: hash_salt and deployment_identifier');
	$this->cmd('ahoy drush php:eval "print \"hash_salt_set=\" . (\Drupal\Core\Site\Settings::get(\"hash_salt\") ? \"1\" : \"0\") . PHP_EOL . \"deployment_identifier_set=\" . (\Drupal\Core\Site\Settings::get(\"deployment_identifier\") ? \"1\" : \"0\") . PHP_EOL;"');

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.vortex/tests/phpunit/Functional/AhoyWorkflowTest.php around lines 565 -
567, The test currently prints partial secret material by calling logSubstep
then executing cmd with an ahoy drush php:eval that outputs "hash_salt=" and
part of Settings::get("hash_salt"); change this to avoid exposing secret bytes:
modify the cmd(...) PHP snippet so it only emits non-secret metadata (e.g.
presence, boolean or masked length) for Settings::get("hash_salt") and continue
to print deployment_identifier as before (or print its presence similarly); keep
references to the same call site (the logSubstep and the cmd('ahoy drush
php:eval ...') invocation) so the test still verifies existence without logging
secret content.

[github-actions]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.53% (201/204)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

[AlexSkrypnyk]

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.53% (201/204)

Per-class coverage

Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)