test(matrix): deploy↔GitHub-link block integration tests (move exempt→mapped) #253
Merged
mastermanas805 merged 2 commits intoJun 4, 2026
…→mapped)

Close the D17 / matrix-W6 deploy↔GitHub-link routes in the done-bar route-coverage guard's routeCoverageExemptions with a real DB-backed handler-integration suite, moving the three /api/v1/deployments/:id/github rows exempt → routeTestMap.

New suite (internal/handlers/github_deploy_block_integration_test.go, TestGitHubDeployBlock_*, 15 tests) drives each route through the production RequireAuth + PopulateTeamRole + RequireWritable chain (NewTestAppWithServices mirrors router.New) against a real Postgres:

  POST /api/v1/deployments/:id/github → Connect
  GET /api/v1/deployments/:id/github → Get
  DELETE /api/v1/deployments/:id/github → Disconnect

Coverage: happy path (owner), member-same-team allowed (no false owner-only gate — these routes carry NO RequireRole), non-member cross-team 404 (never 403, no existence leak), unauth 401, tier gate (anonymous 402 / hobby-allowed 201), contract (webhook_url + secret-once-64char, already_connected 409, invalid_repo 400, idempotent disconnect, not-connected 200, encrypt-at-rest ciphertext persisted).

The github-app integration rows (install/callback redirect, App-secret-HMAC webhooks) and the per-connection PUBLIC receive endpoint (/webhooks/github/:webhook_id, HMAC-auth'd, no session chain) stay exempt with sharpened justifications — they need a real GitHub App and have no RequireAuth chain to drive; the receiver's signature/branch/rate-limit/idempotency internals are covered by the whitebox suites.

Both done-bar guards stay GREEN (failing-then-passing verified: the guard reds without the covering tests). New gate-relevant tests pass; full ./... local reds only on pre-existing env-absence flakes (customer-DB:5434, NATS, GitHub-App config) — identical failure set with changes stashed, so this PR introduces zero regressions. CI authoritative.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What

Closes the D17 / matrix-W6 deploy↔GitHub-link routes in the done-bar route-coverage guard's routeCoverageExemptions with a real DB-backed handler-integration suite, moving the three /api/v1/deployments/:id/github rows exempt → routeTestMap.

Routes moved exempt → mapped

POST /api/v1/deployments/:id/github → TestGitHubDeployBlock_Connect_OwnerHappyPath
GET /api/v1/deployments/:id/github → TestGitHubDeployBlock_Get_ConnectedShape
DELETE /api/v1/deployments/:id/github → TestGitHubDeployBlock_Disconnect_RemovesConnection

New suite

internal/handlers/github_deploy_block_integration_test.go — 15 TestGitHubDeployBlock_* tests driving each route through the production RequireAuth + PopulateTeamRole + RequireWritable chain (NewTestAppWithServices mirrors router.New) against a real Postgres (SetupTestDB). Reuses existing helpers (MustCreateTeamDB, MustSignSessionJWT, seedInternalDeploy, CreateUser, UniqueEmail) — none redefined.

Coverage:

RequireRole — ownership is team-scoped):
github_requires_paid_tier; hobby 201 (lowest paid tier that can deploy)
webhook_url + webhook_secret returned once (64-char hex); already_connected 409; invalid_repo 400; idempotent disconnect (200 deleted=false); not-connected 200 connected=false; encrypt-at-rest (stored secret is ciphertext, not plaintext); cross-team rejection leaves the owner's row intact; default branch → main.

Kept exempt (with sharpened justification)

The github-app integration rows (GET /integrations/github/{install,callback}, POST /webhooks/github, POST /webhooks/github/:webhook_id) stay exempt — they need a real GitHub App (OAuth install redirect, App-secret-HMAC callbacks/webhooks) and the per-connection receiver is HMAC-auth'd with no session chain to drive here; its signature/branch-match/rate-limit/idempotency internals are already covered by the whitebox suites (github_deploy_test.go, github_deploy_receive_arms_coverage_test.go).

Verification

TestDoneBar_EveryRouteCovered, TestDoneBar_TestMapPointsAtRealTests) GREEN; reverse-drift clean.
go build ./... + go vet ./... clean; touched files gofmt'd.
./... local reds only on pre-existing env-absence flakes (customer-DB:5434, NATS, GitHub-App config) — identical failure set with my changes stashed, so this PR introduces zero regressions. CI authoritative.

🤖 Generated with Claude Code
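The cross-team 404 (never 403, no existence leak) and unauth 401 behaviour named in the coverage list, as an added example in Go that is not code from this PR or its repository. The handler name, the in-memory maps and the bare-token Authorization header are constructed stand-ins for the project's RequireAuth chain and Postgres lookup.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-ins for the deployments table and the session check.
var deployTeam = map[string]string{"dep-1": "team-a"} // deployment ID -> team
var tokenTeam = map[string]string{"tok-owner": "team-a", "tok-member": "team-a", "tok-other": "team-b"}

func writeJSON(w http.ResponseWriter, status int, body map[string]any) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(body)
}

// getGitHubLink (hypothetical handler): a missing deployment and another team's
// deployment take the same branch, so the response cannot reveal which IDs exist.
func getGitHubLink(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/api/v1/deployments/"), "/github")
	team, ok := tokenTeam[r.Header.Get("Authorization")]
	if !ok {
		writeJSON(w, http.StatusUnauthorized, map[string]any{"error": "unauthorized"})
		return
	}
	if owner, found := deployTeam[id]; !found || owner != team {
		writeJSON(w, http.StatusNotFound, map[string]any{"error": "not_found"})
		return
	}
	writeJSON(w, http.StatusOK, map[string]any{"connected": false})
}

// probe sends one GET to the handler and returns the status code and body.
func probe(token, id string) (int, string) {
	req := httptest.NewRequest("GET", "/api/v1/deployments/"+id+"/github", nil)
	req.Header.Set("Authorization", token) // bare token: constructed scheme
	rec := httptest.NewRecorder()
	getGitHubLink(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(probe("tok-other", "dep-1")) // cross-team caller
	fmt.Println(probe("tok-other", "nope"))  // nonexistent deployment
}
```

Any team member passes because the check compares team IDs only, matching the description's note that these routes carry no RequireRole.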