test(cloud): add staging smoke test for recce-cloud upload#1114
test(cloud): add staging smoke test for recce-cloud upload#1114
Conversation
E2E test covering GitHub and RECCE_API_TOKEN upload flows against the staging server. Uses static dbt fixtures (no dbt build needed) and a cleanup trap to delete PR sessions after each run. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: even-wei <evenwei@infuseai.io>
The recce state download/upload/purge tests are no longer needed — state file workflows are separate from the artifact pipeline tested here. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: even-wei <evenwei@infuseai.io>
Remove SMOKE_TEST_GITHUB_REPO secret in favor of hardcoded repo name. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: even-wei <evenwei@infuseai.io>
Tests 5-6 cover the --session-name (dev session) and --session-id upload flows. Test 6 reuses the session created by test 5. Both require SMOKE_TEST_API_TOKEN + SMOKE_TEST_ORG + SMOKE_TEST_PROJECT. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: even-wei <evenwei@infuseai.io>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: even-wei <evenwei@infuseai.io>
uv sync at the repo root doesn't install the recce_cloud workspace member's entry point. Install from recce_cloud/ like tests-recce-cloud workflow does. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: even-wei <evenwei@infuseai.io>
Match the pattern from tests-recce-cloud.yaml — let uv manage the venv and PATH instead of manually activating. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: even-wei <evenwei@infuseai.io>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: even-wei <evenwei@infuseai.io>
There was a problem hiding this comment.
Pull request overview
Adds a new GitHub Actions workflow + shell-based E2E smoke test to validate recce-cloud upload against the staging Recce Cloud server, and simplifies the existing dbt cloud smoke test by removing obsolete Recce state operations.
Changes:
- Add
integration_tests/recce_cloud/smoke_test_upload.shto exercise upload flows (GitHub token, API token, session-name/session-id). - Add minimal static dbt artifact fixtures (
manifest.json,catalog.json) to avoid runningdbt buildfor this test. - Add a new CI workflow
.github/workflows/upload-smoke-test.yamland remove obsoleterecce cloud download/purge/uploadsteps fromintegration_tests/dbt/smoke_test_cloud.sh.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
integration_tests/recce_cloud/smoke_test_upload.sh |
New staging smoke-test script covering multiple auth/session upload flows. |
integration_tests/recce_cloud/fixtures/minimal-target/manifest.json |
Minimal dbt manifest fixture for upload tests. |
integration_tests/recce_cloud/fixtures/minimal-target/catalog.json |
Minimal dbt catalog fixture for upload tests. |
integration_tests/dbt/smoke_test_cloud.sh |
Removes obsolete Recce state operations from existing cloud smoke test. |
.github/workflows/upload-smoke-test.yaml |
New workflow to run the upload smoke test in CI with authorization gating. |
| SMOKE_TEST_GITHUB_REPO="DataRecce/recce-smoke-test" | ||
| TEST_BRANCH="smoke-test-upload-$(date +%s)" | ||
| DEV_SESSION_NAME="smoke-test-dev-$(date +%s)" |
There was a problem hiding this comment.
SMOKE_TEST_GITHUB_REPO is hard-coded here, but the PR description says the workflow requires a SMOKE_TEST_GITHUB_REPO secret/config. If this should be configurable, read it from an env var (with this value as a default) and pass it from the workflow; otherwise, update the PR description to match the implementation.
| run: uv run ../integration_tests/recce_cloud/smoke_test_upload.sh | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.RECCE_CLOUD_TOKEN }} | ||
| SMOKE_TEST_API_TOKEN: ${{ secrets.SMOKE_TEST_API_TOKEN }} | ||
| SMOKE_TEST_ORG: ${{ secrets.SMOKE_TEST_ORG }} | ||
| SMOKE_TEST_PROJECT: ${{ secrets.SMOKE_TEST_PROJECT }} |
There was a problem hiding this comment.
The PR description mentions a required SMOKE_TEST_GITHUB_REPO secret, but this workflow doesn't pass it to the smoke test script. If the repo should be configurable, add SMOKE_TEST_GITHUB_REPO: ${{ secrets.SMOKE_TEST_GITHUB_REPO }} (or a repo variable) to env: and ensure the script reads it.
| echo "Test branch: $TEST_BRANCH" | ||
| echo "Fixtures: $FIXTURES_DIR" | ||
| echo "API host: $RECCE_CLOUD_API_HOST" | ||
| echo "API token: ${SMOKE_TEST_API_TOKEN:+set}${SMOKE_TEST_API_TOKEN:-not set}" |
There was a problem hiding this comment.
The line that prints API token will output the full value of SMOKE_TEST_API_TOKEN into the CI logs, exposing a live Recce API token to anyone with log access. An attacker who can read these logs can reuse the token to authenticate against the staging Recce Cloud API and potentially escalate if tokens are reused or misconfigured. Update this output to only indicate whether the token is set (or print a masked value) instead of echoing the raw secret.
| echo "API token: ${SMOKE_TEST_API_TOKEN:+set}${SMOKE_TEST_API_TOKEN:-not set}" | |
| echo "API token: $( if [[ -n ${SMOKE_TEST_API_TOKEN:-} ]]; then echo 'set'; else echo 'not set'; fi )" |
PR checklist
What type of PR is this?
Test / CI
What this PR does / why we need it:
Adds an E2E smoke test for
recce-cloud uploadagainst the staging server, covering all testable authentication flows:GITHUB_TOKEN→ platform-specific endpointGITHUB_TOKEN+--type prodRECCE_API_TOKEN→ generic endpointRECCE_API_TOKEN+--type prodKey design decisions:
dbt buildneeded (server stores files as-is)env -u RECCE_API_TOKENfor GitHub flow isolation (CLI Priority 1 = API token)SMOKE_TEST_API_TOKENnot setAlso removes the obsolete Recce State file operations (
download/purge/upload) from the existing dbt cloud smoke test.Secrets required
RECCE_CLOUD_TOKENSMOKE_TEST_GITHUB_REPOSMOKE_TEST_API_TOKENWhich issue(s) this PR fixes:
N/A — new test coverage
Special notes for your reviewer:
The workflow triggers on changes to
recce_cloud/**andintegration_tests/recce_cloud/**. It will not run untilSMOKE_TEST_GITHUB_REPOis added as a repository secret.Does this PR introduce a user-facing change?:
NONE