qwen-code/scripts/tests
易良 37d59e8b43
ci: add @qwen-code /resolve (#5779)
* ci: add qwen fix conflicts command

* ci: rename conflict command to resolve

* ci: handle resolve workflow failures

* ci: simplify resolve workflow reporting

* ci: fold resolve command into PR workflow

* ci: merge resolve command into PR workflow

* ci: keep PR review workflow name

* ci: reuse PR command authorization for resolve

* ci: narrow PR command authorization trigger

* ci(resolve): fix command injection, secret exposure, and edit-scope

Addresses the remaining /resolve review findings:

- Command injection (RCE): branch refs were inlined as ${{ }} into the
  verify / show-artifacts run blocks; a branch named with `$(...)` or
  backticks would execute on the runner that later holds CI_DEV_BOT_PAT.
  Pass refs via env: and reference only "$BASE_REF" / "$HEAD_REF".
- Secret exposure: the agent step (with OPENAI_API_KEY) could run
  PR-authored npm build/lint/test and exfiltrate the key. Drop
  build/lint/typecheck/vitest from the agent coreTools (the credential-free
  verification gate re-runs them) and install with `npm ci --ignore-scripts`
  plus explicit patch-package so PR lifecycle scripts do not run.
- Edit scope: the verification gate now fails when the agent changed any
  file the base branch did not, so a prompt-injected agent cannot smuggle
  edits outside the conflict set. Prompt tightened to match.

Also test only real workspaces (guard packages/channels/<name> against the
non-workspace packages/channels path).

* ci(resolve): address review feedback on /resolve command

- test: import vitest globals so the lint gate stops reporting no-undef
  in scripts/tests (this was the real CI-blocking lint failure)
- prepare: trap an unwritten decision and fail closed to "failed" so an
  early gh/git error still reports back instead of a silent red run
- report: make the post-push result comment best-effort so a failed
  comment POST can't leave the branch force-pushed with no explanation
- refresh: npm install instead of npm ci to tolerate lockfile drift
  after a package.json conflict resolution
- verify: scan only resolution-touched files for leftover conflict
  markers instead of git diff --check over the whole merged range, which
  spuriously failed on pre-existing base whitespace
- prompt/artifact: use ${{ env.WORKDIR }} instead of hardcoded
  /tmp/qwen-resolve
- authorize: drop the issue.state==open gate that also silenced /review
  on closed PRs (resolve-pr keeps its own open guard)
- coreTools: document that the specifiers are advisory, not a security
  boundary (sandbox + same-repo + no agent token are)
- test: assert the resolve-pr authorization/scope guards, that the agent
  step carries no GitHub token, and the dry-run/workflow_dispatch paths

* ci(resolve): fail the verify gate when post-merge package tests fail

The build/typecheck/lint checks use `if ! cmd; then echo outcome=failed;
exit 1; fi`, but the per-package test loop ran `npm run test` bare under
`set -euo pipefail`. A test failure aborted the step before `outcome=fixed`
was written, leaving OUTCOME empty so the report posted a generic "did not
complete successfully" with no mention of which package failed. Mirror the
other gates: record the failing package and set outcome=failed.

* ci(resolve): avoid splitting multi-byte chars when truncating report bodies

`head -c 2000` cuts at a byte boundary, which can split a multi-byte UTF-8
character and leave a broken tail in the posted comment. Pipe through
`iconv -f UTF-8 -t UTF-8 -c` to drop the incomplete trailing sequence.

* ci(resolve): report agent infrastructure failures distinctly in the verify gate

The verify gate runs under always(), so when the resolve_conflicts agent step
fails at the infrastructure level (API timeout, model quota, action crash) it
still executed with an unmodified branch — the merge-tree check then misreported
"branch still has merge conflicts". Short-circuit on a non-success agent
outcome and name the real cause instead.

* ci(resolve): trim verbose review-fix comments to house length

* ci(resolve): least-privilege GITHUB_TOKEN for resolve-pr job

Drop the resolve-pr job permissions to contents:read only and route every
write through an explicit PAT, so the implicit GITHUB_TOKEN that PR-controlled
build/lint/test see in this job carries no write scopes:

- job permissions: contents:read only (was +issues/pull-requests:write)
- Acknowledge reaction: use CI_DEV_BOT_PAT instead of GITHUB_TOKEN
- Verification gate: set GITHUB_TOKEN='' for the PR-controlled step

Defense-in-depth: persist-credentials:false already keeps the checkout token
off disk, so this is least-privilege hardening, not a reachable-leak fix.

* ci(resolve): fix skip-report gating, route to ECS with cleanup, harden tests

- Report skipped request: add always() so the prepare-step EXIT trap's
  decision=failed is reported instead of skipped on a crash.
- Report skipped request: make gh pr comment best-effort with a ::warning
  fallback, matching the Report result step.
- Route resolve-pr to the self-hosted ECS pool (matching review-pr) and add a
  cleanup step that wipes stale ${WORKDIR} artifacts; these runners reuse
  workspace and /tmp and the verification gate builds untrusted PR code.
- Tests: pin the four verification-gate failure strings against regression.

* test(resolve): pin verify-gate failure checks and skip-report always() gate

Address review feedback: the verification-gate test now also pins the
agent-infrastructure-failure, missing-address-summary, and unresolved-index
guards; and the failure-paths test asserts the Report-skipped-request step keeps
its always() gate so an EXIT-trap decision=failed actually reports on a prepare
crash. The best-effort skip-comment suggestion was already addressed in
03795302a.

* ci(resolve): ECS kill-switch fallback, safe HTML strip, prompt hardening, test pins

Address review feedback on resolve-pr:
- runs-on honors MAINTAINER_ECS_RUNNER_DISABLED and falls back to a hosted
  runner when ECS is toggled off, matching the review path (the verification
  gate runs fine on an ephemeral hosted runner — better isolation, no cleanup).
- append_safe_file strips only active-content HTML elements instead of every
  `<...>`, so TS generics (Map<string, number>) and JSX in the agent summary are
  no longer garbled in the posted comment (GitHub sanitizes comment HTML anyway).
- the agent prompt reads the base branch name from context.md instead of
  inlining ${{ base_ref }}, keeping a branch name out of the LLM prompt text.
- document that the scope guard's file-level granularity is intentional
  defense-in-depth (real containment = sandbox + same-repo + no agent token).
- test: pin persist-credentials:false, GITHUB_TOKEN:'', sandbox, and the
  --ignore-scripts install guards so a future edit can't silently drop them.

* ci(resolve): harden /resolve workflow against review findings

- prepare: arm the fail-closed EXIT trap before mkdir; reject CR/LF in
  write_output so an attacker-set PR title can't inject GITHUB_OUTPUT keys
- report: scrub the bot PAT from .git/config after push (self-hosted runner)
- verify: surface a failed dependency refresh instead of a stale build error
- scope guard: use -z/sort -zu like the conflict-marker check
- prompt: require a Conventional Commit so the default merge message passes
- tests: bound the resolve-pr slice; assert SHA-pinned lease + no-cancel guard

---------

Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
Co-authored-by: yiliang114 <effortyiliang@gmail.com>
2026-06-25 06:22:14 +00:00
..
check-i18n.test.ts fix(i18n): Correct zh-TW translations to match Traditional Chinese conventions (#4129) 2026-05-15 15:26:12 +08:00
dev.test.js feat(extensions): support archive install sources (#4909) 2026-06-22 13:36:13 +08:00
generate-changelog.test.js feat(ci): add auto-generated CHANGELOG.md synced from releases (#4872) (#4881) 2026-06-10 14:04:43 +08:00
get-release-version-python-sdk.test.js feat(sdk-python): add network timeouts to release version helper (#3833) 2026-05-05 19:25:00 +08:00
get-release-version.test.js 📦 Release qwen-code CLI as a Standalone Bundled Package (#866) 2025-10-24 17:08:59 +08:00
install-script.test.js ci: route in-repo PRs' Linux test to self-hosted runner (#5620) 2026-06-22 20:28:27 +08:00
no-ak-integration-ci.test.js ci: split platform test matrix into named jobs so PRs can enter the merge queue (#5833) 2026-06-24 15:58:15 +00:00
package-assets.test.js feat(voice): voice dictation with native capture, streaming, and biasing (#5502) 2026-06-22 14:33:36 +08:00
qwen-resolve-workflow.test.js ci: add @qwen-code /resolve (#5779) 2026-06-25 06:22:14 +00:00
qwen-triage-workflow.test.js fix(ci): harden tmux triage reporting (#5548) 2026-06-22 16:27:50 +08:00
release-helpers.test.js refactor: extract shared release helper utilities (#3834) 2026-05-05 10:15:17 +08:00
test-setup.ts feat(installer): add standalone archive installation (#3776) 2026-05-11 13:25:48 +08:00
upload-aliyun-oss-assets.test.js feat(installer): add standalone hosted install and uninstall flow (#3828) 2026-05-21 11:57:10 +08:00
vitest.config.ts refactor(auth): unify provider config in core, simplify /auth as "Connect a Provider" (#4287) 2026-05-20 23:48:52 +08:00
workspaces.test.js feat(desktop): Add desktop app package with Qwen ACP SDK integration (#3778) 2026-06-11 21:57:20 +08:00