@redwoodjs/agent-ci 0.7.0 → 0.8.0

package/dist/runner/result-builder.js

@@ -189,6 +189,18 @@ export function resolveJobOutputs(outputDefs, stepOutputs) {
     }
     return result;
 }
+// ─── Job success determination ────────────────────────────────────────────────
+/**
+ * Determine whether a job succeeded based on container exit state and
+ * whether the runner ever contacted the DTU.
+ *
+ * `isBooting` stays `true` when the runner never sent any timeline entries —
+ * it started but couldn't reach the DTU or crashed before executing any steps.
+ * That must be treated as a failure regardless of exit code.
+ */
+export function isJobSuccessful(opts) {
+    return opts.lastFailedStep === null && opts.containerExitCode === 0 && !opts.isBooting;
+}
 /**
  * Build the structured `JobResult` from container exit state and timeline data.
  */
@@ -218,7 +230,8 @@ export function buildJobResult(opts) {
             result.lastOutputLines = failure.tailLines ?? [];
         }
         else {
-            result.lastOutputLines = [];
+            // Boot failure — no timeline, so fall back to debug.log for error context
+            result.lastOutputLines = tailLogFile(debugLogPath);
         }
     }
     // Attach raw step outputs (will be resolved to job outputs by cli.ts)

package/dist/runner/result-builder.test.js

@@ -113,6 +113,27 @@ describe("extractFailureDetails", () => {
         expect(details).toEqual({});
     });
 });
+// ── isJobSuccessful ──────────────────────────────────────────────────────────
+describe("isJobSuccessful", () => {
+    it("succeeds when no failed step, exit code 0, and not booting", async () => {
+        const { isJobSuccessful } = await import("./result-builder.js");
+        expect(isJobSuccessful({ lastFailedStep: null, containerExitCode: 0, isBooting: false })).toBe(true);
+    });
+    it("fails when a step failed", async () => {
+        const { isJobSuccessful } = await import("./result-builder.js");
+        expect(isJobSuccessful({ lastFailedStep: "Build", containerExitCode: 0, isBooting: false })).toBe(false);
+    });
+    it("fails when container exit code is non-zero", async () => {
+        const { isJobSuccessful } = await import("./result-builder.js");
+        expect(isJobSuccessful({ lastFailedStep: null, containerExitCode: 1, isBooting: false })).toBe(false);
+    });
+    it("fails when runner never contacted DTU (isBooting=true)", async () => {
+        const { isJobSuccessful } = await import("./result-builder.js");
+        // This is the bug from #102: container exits 0 with no failed steps,
+        // but the runner never sent any timeline entries (isBooting stayed true).
+        expect(isJobSuccessful({ lastFailedStep: null, containerExitCode: 0, isBooting: true })).toBe(false);
+    });
+});
 // ── buildJobResult ────────────────────────────────────────────────────────────
 describe("buildJobResult", () => {
     let tmpDir;

package/dist/runner/workspace.js

@@ -1,7 +1,6 @@
 import { execSync } from "child_process";
 import { copyWorkspace } from "../output/cleanup.js";
 import { findRepoRoot } from "./metadata.js";
-import { config } from "../config.js";
 /**
  * Copy source files into the workspace directory, then initialise a fake
  * git repo so `actions/checkout` finds a valid workspace.
@@ -31,7 +30,9 @@ export function prepareWorkspace(opts) {
         // On macOS: per-file APFS CoW clones. On Linux: rsync. Fallback: fs.cpSync.
         copyWorkspace(repoRoot, workspaceDir);
     }
-    initFakeGitRepo(workspaceDir, githubRepo || config.GITHUB_REPO);
+    if (githubRepo) {
+        initFakeGitRepo(workspaceDir, githubRepo);
+    }
 }
 // ─── Fake git init ────────────────────────────────────────────────────────────
 /**

package/dist/workflow/remote-workflow-fetch.js

@@ -0,0 +1,131 @@
+import fs from "node:fs";
+import path from "node:path";
+import { execSync } from "node:child_process";
+import { parse as parseYaml } from "yaml";
+/**
+ * Parse a remote reusable workflow ref string.
+ * Format: owner/repo/path/to/file.yml@ref
+ */
+export function parseRemoteRef(uses) {
+    const atIdx = uses.lastIndexOf("@");
+    if (atIdx < 0) {
+        return null;
+    }
+    const pathPart = uses.slice(0, atIdx);
+    const ref = uses.slice(atIdx + 1);
+    if (!ref) {
+        return null;
+    }
+    const segments = pathPart.split("/");
+    if (segments.length < 3) {
+        return null;
+    }
+    return {
+        owner: segments[0],
+        repo: segments[1],
+        path: segments.slice(2).join("/"),
+        ref,
+        raw: uses,
+    };
+}
+/** Returns true for 40-character hex SHA refs (immutable, safe to cache forever). */
+export function isShaRef(ref) {
+    return /^[0-9a-f]{40}$/i.test(ref);
+}
+/** Build the local cache path for a remote workflow file. */
+export function remoteCachePath(cacheDir, ref) {
+    const sanitizedRef = ref.ref.replace(/[^a-zA-Z0-9._-]/g, "-");
+    return path.join(cacheDir, `${ref.owner}__${ref.repo}@${sanitizedRef}`, ref.path);
+}
+/**
+ * Resolve a GitHub token for API access.
+ * Tries `gh auth token` first (real user credentials), then falls back to
+ * GITHUB_TOKEN env var. This ordering matters because agent-ci injects a
+ * fake token as GITHUB_TOKEN for the runner context.
+ */
+function resolveGitHubToken() {
+    try {
+        const token = execSync("gh auth token", {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+        if (token) {
+            return token;
+        }
+    }
+    catch {
+        // gh not installed or not authenticated
+    }
+    return process.env.GITHUB_TOKEN || null;
+}
+/**
+ * Scan a workflow YAML and prefetch all remote reusable workflow refs.
+ * Downloaded files are written to cacheDir.
+ *
+ * - SHA refs: cached forever (immutable)
+ * - Tag/branch refs: always re-fetched (mutable)
+ *
+ * Throws on fetch failures (404, auth errors, network errors).
+ */
+export async function prefetchRemoteWorkflows(workflowPath, cacheDir) {
+    const resolved = new Map();
+    const raw = parseYaml(fs.readFileSync(workflowPath, "utf-8"));
+    const jobs = raw?.jobs ?? {};
+    const remoteRefs = [];
+    for (const [, jobDef] of Object.entries(jobs)) {
+        const uses = jobDef?.uses;
+        if (typeof uses === "string" && !uses.startsWith("./")) {
+            const ref = parseRemoteRef(uses);
+            if (ref) {
+                remoteRefs.push(ref);
+            }
+        }
+    }
+    if (remoteRefs.length === 0) {
+        return resolved;
+    }
+    const token = resolveGitHubToken();
+    const errors = [];
+    await Promise.all(remoteRefs.map(async (ref) => {
+        const dest = remoteCachePath(cacheDir, ref);
+        // Cache hit for SHA refs (immutable — safe to skip)
+        if (isShaRef(ref.ref) && fs.existsSync(dest)) {
+            resolved.set(ref.raw, dest);
+            return;
+        }
+        try {
+            const url = `https://api.github.com/repos/${ref.owner}/${ref.repo}/contents/${ref.path}?ref=${ref.ref}`;
+            const headers = {
+                Accept: "application/vnd.github.v3+json",
+                "User-Agent": "agent-ci/1.0",
+            };
+            if (token) {
+                headers["Authorization"] = `token ${token}`;
+            }
+            const response = await fetch(url, { headers });
+            if (!response.ok) {
+                const hint = response.status === 401 || response.status === 403
+                    ? " Ensure GITHUB_TOKEN is set or run `gh auth login`."
+                    : "";
+                errors.push(`Failed to fetch remote workflow ${ref.raw} (HTTP ${response.status}).${hint}`);
+                return;
+            }
+            const data = (await response.json());
+            if (!data.content || data.encoding !== "base64") {
+                errors.push(`Unexpected response format for remote workflow ${ref.raw}`);
+                return;
+            }
+            const content = Buffer.from(data.content, "base64").toString("utf-8");
+            fs.mkdirSync(path.dirname(dest), { recursive: true });
+            fs.writeFileSync(dest, content, "utf-8");
+            resolved.set(ref.raw, dest);
+        }
+        catch (err) {
+            errors.push(`Error fetching remote workflow ${ref.raw}: ${err.message}`);
+        }
+    }));
+    if (errors.length > 0) {
+        throw new Error(`[Agent CI] Remote workflow fetch failed:\n  ${errors.join("\n  ")}`);
+    }
+    return resolved;
+}

package/dist/workflow/remote-workflow-fetch.test.js

@@ -0,0 +1,233 @@
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { parseRemoteRef, isShaRef, remoteCachePath, prefetchRemoteWorkflows, } from "./remote-workflow-fetch.js";
+describe("parseRemoteRef", () => {
+    it("parses owner/repo/path@ref", () => {
+        const ref = parseRemoteRef("redwoodjs/actions/.github/workflows/lint.yml@main");
+        expect(ref).toEqual({
+            owner: "redwoodjs",
+            repo: "actions",
+            path: ".github/workflows/lint.yml",
+            ref: "main",
+            raw: "redwoodjs/actions/.github/workflows/lint.yml@main",
+        });
+    });
+    it("parses SHA refs", () => {
+        const ref = parseRemoteRef("org/repo/.github/workflows/ci.yml@abc123def456abc123def456abc123def456abc1");
+        expect(ref).not.toBeNull();
+        expect(ref.ref).toBe("abc123def456abc123def456abc123def456abc1");
+    });
+    it("parses deeply nested paths", () => {
+        const ref = parseRemoteRef("org/repo/some/deep/path/workflow.yml@v1");
+        expect(ref).not.toBeNull();
+        expect(ref.path).toBe("some/deep/path/workflow.yml");
+    });
+    it("returns null for local refs", () => {
+        expect(parseRemoteRef("./.github/workflows/lint.yml")).toBeNull();
+    });
+    it("returns null for missing @ref", () => {
+        expect(parseRemoteRef("org/repo/.github/workflows/lint.yml")).toBeNull();
+    });
+    it("returns null for owner/repo@ref (no path)", () => {
+        expect(parseRemoteRef("org/repo@v1")).toBeNull();
+    });
+    it("returns null for empty ref after @", () => {
+        expect(parseRemoteRef("org/repo/path@")).toBeNull();
+    });
+});
+describe("isShaRef", () => {
+    it("returns true for 40-char hex", () => {
+        expect(isShaRef("abc123def456abc123def456abc123def456abc1")).toBe(true);
+    });
+    it("returns true for uppercase hex", () => {
+        expect(isShaRef("ABC123DEF456ABC123DEF456ABC123DEF456ABC1")).toBe(true);
+    });
+    it("returns false for short strings", () => {
+        expect(isShaRef("abc123")).toBe(false);
+    });
+    it("returns false for tags", () => {
+        expect(isShaRef("v1.0.0")).toBe(false);
+    });
+    it("returns false for branch names", () => {
+        expect(isShaRef("main")).toBe(false);
+    });
+});
+describe("remoteCachePath", () => {
+    it("builds expected path", () => {
+        const ref = parseRemoteRef("org/repo/.github/workflows/lint.yml@v1");
+        const result = remoteCachePath("/cache", ref);
+        expect(result).toBe("/cache/org__repo@v1/.github/workflows/lint.yml");
+    });
+    it("sanitizes special characters in ref", () => {
+        const ref = parseRemoteRef("org/repo/.github/workflows/ci.yml@refs/heads/main");
+        const result = remoteCachePath("/cache", ref);
+        expect(result).toContain("org__repo@refs-heads-main");
+    });
+});
+describe("prefetchRemoteWorkflows", () => {
+    let tmpDir;
+    let cacheDir;
+    const originalFetch = globalThis.fetch;
+    beforeEach(() => {
+        tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "remote-wf-test-"));
+        cacheDir = path.join(tmpDir, "cache");
+        fs.mkdirSync(cacheDir, { recursive: true });
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+        vi.restoreAllMocks();
+        if (tmpDir) {
+            fs.rmSync(tmpDir, { recursive: true, force: true });
+        }
+    });
+    function writeWorkflow(content) {
+        const wf = path.join(tmpDir, "workflow.yml");
+        fs.writeFileSync(wf, content);
+        return wf;
+    }
+    function mockFetchSuccess(yamlContent) {
+        const base64Content = Buffer.from(yamlContent).toString("base64");
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: () => Promise.resolve({ content: base64Content, encoding: "base64" }),
+        });
+    }
+    it("returns empty map when no remote refs", async () => {
+        const wf = writeWorkflow(`
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo build
+`);
+        const result = await prefetchRemoteWorkflows(wf, cacheDir);
+        expect(result.size).toBe(0);
+    });
+    it("fetches remote workflow and writes to cache", async () => {
+        const remoteYaml = `
+on: workflow_call
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo lint
+`;
+        mockFetchSuccess(remoteYaml);
+        const wf = writeWorkflow(`
+jobs:
+  lint:
+    uses: org/repo/.github/workflows/lint.yml@v1
+`);
+        const result = await prefetchRemoteWorkflows(wf, cacheDir);
+        expect(result.size).toBe(1);
+        expect(result.has("org/repo/.github/workflows/lint.yml@v1")).toBe(true);
+        // Verify cached file was written
+        const cachedPath = result.get("org/repo/.github/workflows/lint.yml@v1");
+        expect(fs.existsSync(cachedPath)).toBe(true);
+        expect(fs.readFileSync(cachedPath, "utf-8")).toBe(remoteYaml);
+    });
+    it("uses cache for SHA refs on subsequent calls", async () => {
+        const sha = "abc123def456abc123def456abc123def456abc1";
+        const remoteYaml = `
+on: workflow_call
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo lint
+`;
+        mockFetchSuccess(remoteYaml);
+        const wf = writeWorkflow(`
+jobs:
+  lint:
+    uses: org/repo/.github/workflows/lint.yml@${sha}
+`);
+        // First call fetches
+        await prefetchRemoteWorkflows(wf, cacheDir);
+        expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+        // Second call uses cache (SHA ref is immutable)
+        const result = await prefetchRemoteWorkflows(wf, cacheDir);
+        expect(globalThis.fetch).toHaveBeenCalledTimes(1); // not called again
+        expect(result.size).toBe(1);
+    });
+    it("re-fetches for tag/branch refs even when cached", async () => {
+        const remoteYaml = `
+on: workflow_call
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo lint
+`;
+        mockFetchSuccess(remoteYaml);
+        const wf = writeWorkflow(`
+jobs:
+  lint:
+    uses: org/repo/.github/workflows/lint.yml@main
+`);
+        // First call fetches
+        await prefetchRemoteWorkflows(wf, cacheDir);
+        expect(globalThis.fetch).toHaveBeenCalledTimes(1);
+        // Second call also fetches (branch ref is mutable)
+        await prefetchRemoteWorkflows(wf, cacheDir);
+        expect(globalThis.fetch).toHaveBeenCalledTimes(2);
+    });
+    it("throws on 404 response", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: false,
+            status: 404,
+        });
+        const wf = writeWorkflow(`
+jobs:
+  lint:
+    uses: org/repo/.github/workflows/nonexistent.yml@v1
+`);
+        await expect(prefetchRemoteWorkflows(wf, cacheDir)).rejects.toThrow(/Remote workflow fetch failed/);
+    });
+    it("throws on 401 with auth hint", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: false,
+            status: 401,
+        });
+        const wf = writeWorkflow(`
+jobs:
+  lint:
+    uses: org/private-repo/.github/workflows/lint.yml@v1
+`);
+        await expect(prefetchRemoteWorkflows(wf, cacheDir)).rejects.toThrow(/gh auth login/);
+    });
+    it("fetches multiple remote refs in parallel", async () => {
+        const remoteYaml = `
+on: workflow_call
+jobs:
+  job:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo hello
+`;
+        mockFetchSuccess(remoteYaml);
+        const wf = writeWorkflow(`
+jobs:
+  lint:
+    uses: org/repo/.github/workflows/lint.yml@v1
+  test:
+    uses: org/repo/.github/workflows/test.yml@v1
+`);
+        const result = await prefetchRemoteWorkflows(wf, cacheDir);
+        expect(result.size).toBe(2);
+        expect(globalThis.fetch).toHaveBeenCalledTimes(2);
+    });
+    it("skips local refs", async () => {
+        mockFetchSuccess("unused");
+        const wf = writeWorkflow(`
+jobs:
+  lint:
+    uses: ./.github/workflows/lint.yml
+`);
+        const result = await prefetchRemoteWorkflows(wf, cacheDir);
+        expect(result.size).toBe(0);
+        expect(globalThis.fetch).not.toHaveBeenCalled();
+    });
+});

package/dist/workflow/reusable-workflow.js

@@ -0,0 +1,134 @@
+import fs from "node:fs";
+import path from "node:path";
+import { parse as parseYaml } from "yaml";
+const MAX_REUSABLE_DEPTH = 4;
+/**
+ * Expand reusable workflow jobs (`uses: ./.github/workflows/...`) into concrete
+ * job entries that can be scheduled alongside regular jobs.
+ *
+ * Local refs (starting with `./`) are resolved relative to repoRoot.
+ * Remote refs are resolved via the remoteCache map (pre-fetched by
+ * prefetchRemoteWorkflows). Nesting is supported up to 4 levels deep
+ * (matching GitHub Actions' limit). Cycles are detected and rejected.
+ */
+export function expandReusableJobs(workflowPath, repoRoot, remoteCache) {
+    return expandReusableJobsInternal(workflowPath, repoRoot, remoteCache, 0, new Set());
+}
+function expandReusableJobsInternal(workflowPath, repoRoot, remoteCache, depth, visitedPaths) {
+    if (depth > MAX_REUSABLE_DEPTH) {
+        throw new Error(`Reusable workflow nesting depth exceeds maximum of ${MAX_REUSABLE_DEPTH}: ${workflowPath}`);
+    }
+    const resolvedPath = path.resolve(workflowPath);
+    if (visitedPaths.has(resolvedPath)) {
+        throw new Error(`Cycle detected in reusable workflows: ${resolvedPath} is already in the call chain`);
+    }
+    visitedPaths.add(resolvedPath);
+    const raw = parseYaml(fs.readFileSync(workflowPath, "utf-8"));
+    const jobs = raw?.jobs ?? {};
+    const entries = [];
+    // Track which caller job IDs map to which inlined terminal job IDs,
+    // so we can rewire downstream `needs:` references.
+    const callerToTerminals = new Map();
+    for (const [jobId, jobDef] of Object.entries(jobs)) {
+        const uses = jobDef?.uses;
+        if (typeof uses === "string") {
+            // This is a reusable workflow call
+            let calledPath;
+            if (uses.startsWith("./")) {
+                calledPath = path.resolve(repoRoot, uses);
+            }
+            else {
+                const cached = remoteCache?.get(uses);
+                if (!cached) {
+                    throw new Error(`Remote reusable workflow not resolved: job "${jobId}" uses ${uses}`);
+                }
+                calledPath = cached;
+            }
+            if (!fs.existsSync(calledPath)) {
+                throw new Error(`Reusable workflow file not found: ${calledPath} (referenced by job "${jobId}")`);
+            }
+            // Extract caller inputs (raw `with:` values)
+            const callerWith = jobDef.with
+                ? Object.fromEntries(Object.entries(jobDef.with).map(([k, v]) => [k, String(v)]))
+                : undefined;
+            // Extract input defaults and output defs from the called workflow's on.workflow_call
+            const calledRaw = parseYaml(fs.readFileSync(calledPath, "utf-8"));
+            const wcInputs = (calledRaw.on || calledRaw.true)?.workflow_call?.inputs;
+            const inputDefaults = wcInputs && typeof wcInputs === "object"
+                ? Object.fromEntries(Object.entries(wcInputs)
+                    .filter(([, def]) => def?.default != null)
+                    .map(([k, def]) => [k, String(def.default)]))
+                : undefined;
+            const wcOutputs = (calledRaw.on || calledRaw.true)?.workflow_call?.outputs;
+            const workflowCallOutputDefs = wcOutputs && typeof wcOutputs === "object"
+                ? Object.fromEntries(Object.entries(wcOutputs)
+                    .filter(([, def]) => def?.value != null)
+                    .map(([k, def]) => [k, String(def.value)]))
+                : undefined;
+            // Recursively expand the called workflow
+            const calledEntries = expandReusableJobsInternal(calledPath, repoRoot, remoteCache, depth + 1, visitedPaths);
+            const callerNeeds = parseNeeds(jobDef?.needs);
+            // Prefix all entry IDs and needs with the caller job ID,
+            // and attach inputs/outputs metadata
+            const prefixed = calledEntries.map((entry) => ({
+                id: `${jobId}/${entry.id}`,
+                workflowPath: entry.workflowPath,
+                sourceTaskName: entry.sourceTaskName,
+                needs: entry.needs.length === 0 ? callerNeeds : entry.needs.map((n) => `${jobId}/${n}`),
+                inputs: callerWith,
+                inputDefaults: inputDefaults && Object.keys(inputDefaults).length > 0 ? inputDefaults : undefined,
+                workflowCallOutputDefs: workflowCallOutputDefs && Object.keys(workflowCallOutputDefs).length > 0
+                    ? workflowCallOutputDefs
+                    : undefined,
+                callerJobId: jobId,
+            }));
+            // Compute terminals among the prefixed entries
+            const prefixedIds = new Set(prefixed.map((e) => e.id));
+            const depended = new Set();
+            for (const entry of prefixed) {
+                for (const n of entry.needs) {
+                    if (prefixedIds.has(n)) {
+                        depended.add(n);
+                    }
+                }
+            }
+            const terminals = prefixed.filter((e) => !depended.has(e.id)).map((e) => e.id);
+            callerToTerminals.set(jobId, terminals);
+            entries.push(...prefixed);
+        }
+        else {
+            // Regular job — has `steps:` or `runs-on:`
+            entries.push({
+                id: jobId,
+                workflowPath,
+                sourceTaskName: jobId,
+                needs: parseNeeds(jobDef?.needs),
+            });
+        }
+    }
+    // Rewire downstream dependencies: any job that `needs: [callerJobId]`
+    // should now depend on the terminal jobs of the inlined sub-graph
+    for (const entry of entries) {
+        entry.needs = entry.needs.flatMap((dep) => {
+            const terminals = callerToTerminals.get(dep);
+            if (terminals && terminals.length > 0) {
+                return terminals;
+            }
+            return [dep];
+        });
+    }
+    visitedPaths.delete(resolvedPath);
+    return entries;
+}
+function parseNeeds(needs) {
+    if (!needs) {
+        return [];
+    }
+    if (typeof needs === "string") {
+        return [needs];
+    }
+    if (Array.isArray(needs)) {
+        return needs.map(String);
+    }
+    return [];
+}