CI: wire vitest into .woodpecker.yaml so #14's lib tests run on every PR #19

New issue

Open

opened 2026-05-03 15:56:09 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented 2026-05-03 15:56:09 +00:00

Owner

Copy link

Type

Feature

Lineage

Discovered scope from forgejo_admin/westside-admin#14 (PR #18 merge, 2026-05-03) and review-1134-2026-05-03-iter2 (QA recommended a CI gate before sub-tasks #15/#16 consume the lib).

Repo

forgejo_admin/westside-admin

User Story

story-westside-admin-admin-row-crud. The cookie-SSR auth gate is the funnel-auth safety constraint per feedback_funnel_requires_auth. Its 25 vitest cases are useless if CI doesn't run them — a future change could regress JWT verification or AES-GCM tamper handling and ship to main green.

Context

PR #18 added vitest as a devDependency and the npm test script; it ran tests locally before merge. .woodpecker.yaml (added in PR #11) doesn't yet have a test step. Until it does, the test suite only runs when a developer remembers — which is exactly the failure mode the gate is supposed to prevent.

File Targets

Update:

• .woodpecker.yaml — add a test step before the kaniko step. Use the same node-22-alpine base image as the build step. Run npm ci && npm test. Block the build step on test exit-0.

Do NOT touch:

• src/lib/server/keycloak.ts (frozen at merge of #14).
• Dockerfile (already has its own npm ci for build).

Acceptance Criteria

• Pushing a PR that introduces a failing vitest case causes the Woodpecker pipeline to fail before the kaniko build step runs.
• Pushing a PR with passing tests proceeds through the full pipeline.
• No flake from npm cache misses (use a workspace volume mount or npm ci with cache).

Test Expectations

• Manual: open a throwaway PR that breaks one vitest case (e.g. flip a constant in keycloak.ts), confirm Woodpecker fails. Revert.
• Run command: triggered by Woodpecker on push.

Constraints

• Do NOT add a kustomize or helm step here — westside-admin is a SvelteKit app, not a deployment artifact.
• Match the existing .woodpecker.yaml step style; do not introduce a different YAML format or step naming convention.
• Do NOT skip tests on main pushes — every commit including main-direct pushes must pass.

Checklist

• PR opened
• Manual failure-mode tested
• No unrelated changes
• Woodpecker pipeline visible in PR

Related

• project-westside-admin
• forgejo_admin/westside-admin#14 — the lib whose tests this PR will gate
• feedback_qa_ci_blockers — driving rule (tests that can't run in CI are blockers)
• feedback_woodpecker_quote_heavy_scripts — yaml authoring discipline

### Type Feature ### Lineage Discovered scope from `forgejo_admin/westside-admin#14` (PR #18 merge, 2026-05-03) and `review-1134-2026-05-03-iter2` (QA recommended a CI gate before sub-tasks #15/#16 consume the lib). ### Repo `forgejo_admin/westside-admin` ### User Story `story-westside-admin-admin-row-crud`. The cookie-SSR auth gate is the funnel-auth safety constraint per `feedback_funnel_requires_auth`. Its 25 vitest cases are useless if CI doesn't run them — a future change could regress JWT verification or AES-GCM tamper handling and ship to main green. ### Context PR #18 added vitest as a devDependency and the `npm test` script; it ran tests locally before merge. `.woodpecker.yaml` (added in PR #11) doesn't yet have a `test` step. Until it does, the test suite only runs when a developer remembers — which is exactly the failure mode the gate is supposed to prevent. ### File Targets Update: - `.woodpecker.yaml` — add a `test` step before the `kaniko` step. Use the same node-22-alpine base image as the build step. Run `npm ci && npm test`. Block the build step on test exit-0. Do NOT touch: - `src/lib/server/keycloak.ts` (frozen at merge of #14). - `Dockerfile` (already has its own `npm ci` for build). ### Acceptance Criteria - [ ] Pushing a PR that introduces a failing vitest case causes the Woodpecker pipeline to fail before the kaniko build step runs. - [ ] Pushing a PR with passing tests proceeds through the full pipeline. - [ ] No flake from npm cache misses (use a workspace volume mount or `npm ci` with cache). ### Test Expectations - Manual: open a throwaway PR that breaks one vitest case (e.g. flip a constant in keycloak.ts), confirm Woodpecker fails. Revert. - Run command: triggered by Woodpecker on push. ### Constraints - Do NOT add a `kustomize` or `helm` step here — westside-admin is a SvelteKit app, not a deployment artifact. - Match the existing `.woodpecker.yaml` step style; do not introduce a different YAML format or step naming convention. - Do NOT skip tests on `main` pushes — every commit including main-direct pushes must pass. ### Checklist - [ ] PR opened - [ ] Manual failure-mode tested - [ ] No unrelated changes - [ ] Woodpecker pipeline visible in PR ### Related - `project-westside-admin` - `forgejo_admin/westside-admin#14` — the lib whose tests this PR will gate - `feedback_qa_ci_blockers` — driving rule (tests that can't run in CI are blockers) - `feedback_woodpecker_quote_heavy_scripts` — yaml authoring discipline

forgejo_admin referenced this issue 2026-05-03 16:23:03 +00:00

feat(auth): hooks.server.ts admin role gate (closes #15) #20

forgejo_admin referenced this issue 2026-05-03 20:29:32 +00:00

Keycloak cookie SSR auth + admin role gate (hooks.server.ts) #2

forgejo_admin referenced this issue 2026-05-03 21:37:41 +00:00

fix(auth): accept azp claim for client identity (closes #26) #27

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/westside-admin#19

No description provided.