From 8d366acba3d5bb5092dfa961a248527491c14635 Mon Sep 17 00:00:00 2001 From: TaprootFreak <142087526+TaprootFreak@users.noreply.github.com> Date: Sat, 16 May 2026 21:33:42 +0200 Subject: [PATCH 1/2] fix(ci): unbreak self-test on quirk-def file + auto-track registry count MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two long-standing red CI jobs on main, both rooted in the testkit exercising its own detection surface: * `composite action self-test`: bitbox-audit found legitimate E1 (non-ASCII) hits in `go/bitbox/simulator/scenarios.go` — that file IS the umlaut-reject scenario, so the matches are test data, not regressions. Marked with `audit-skip-file`, the same mechanism already used by `go/core/guards/*.go`. * `TypeScript unit tests`: hardcoded `expect(Registry.length).toBe(30)` drifted when A4 was added (registry has 31 quirks). Switched to a self-deriving assertion against `quirks.json`, mirroring how the Go side tests for a non-empty registry instead of a fixed count. Closes #1. --- go/bitbox/simulator/scenarios.go | 4 ++++ ts/test/quirks.test.ts | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/go/bitbox/simulator/scenarios.go b/go/bitbox/simulator/scenarios.go index fd0aed4..5d05afb 100644 --- a/go/bitbox/simulator/scenarios.go +++ b/go/bitbox/simulator/scenarios.go @@ -1,5 +1,9 @@ //go:build simulator +// audit-skip-file: this file is the simulator scenario library. The umlaut +// payloads exist precisely to exercise quirk E1 (non-ASCII rejection); they +// are test data, not production strings to flag. + package simulator import ( diff --git a/ts/test/quirks.test.ts b/ts/test/quirks.test.ts index d234c6e..8737c84 100644 --- a/ts/test/quirks.test.ts +++ b/ts/test/quirks.test.ts @@ -1,8 +1,12 @@ import { Registry, subset, firmwareApplies } from '../src/quirks/index.js'; +// Plain import (no `with { type: 'json' }`) keeps the test runnable under +// ts-jest, matching the loader's import style — see loader.ts for context. +import rawJson from '../src/quirks/quirks.json'; describe('quirks registry', () => { - it('loads all 30 quirks from quirks.json', () => { - expect(Registry.length).toBe(30); + it('loads every quirk from quirks.json', () => { + expect(Registry.length).toBeGreaterThan(0); + expect(Registry.length).toBe((rawJson as { quirks: unknown[] }).quirks.length); }); it('has no duplicate IDs', () => { From 2a3531db9b80387848b944b51226f922b52b079c Mon Sep 17 00:00:00 2001 From: TaprootFreak <142087526+TaprootFreak@users.noreply.github.com> Date: Sat, 16 May 2026 21:36:42 +0200 Subject: [PATCH 2/2] fix(ci): self-test must build CLI locally, not via go install on a PR SHA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The self-test passed `${{ github.sha }}` as testkit-ref to `go install`. For PR events that resolves to the synthetic merge commit, which is not in `refs/heads/*` and therefore unreachable to the Go module resolver — every PR self-test exited with `unknown revision `. Introduce a `local` sentinel in the action's testkit-ref input that builds the CLI from the checked-out source. The self-test workflow opts in; consumer repos keep using their pinned tag. --- .github/actions/bitbox-audit/action.yml | 23 ++++++++++++++++++++--- .github/workflows/test.yml | 5 ++++- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/.github/actions/bitbox-audit/action.yml b/.github/actions/bitbox-audit/action.yml index b1a18b4..faee63d 100644 --- a/.github/actions/bitbox-audit/action.yml +++ b/.github/actions/bitbox-audit/action.yml @@ -11,7 +11,10 @@ inputs: description: > Git ref of DFXswiss/bitbox-testkit to install. Pin to a tag (v0.2.0) for reproducibility; use 'main' during testkit - development to track the bleeding edge. + development to track the bleeding edge. The sentinel value + 'local' is reserved for the testkit's own self-test workflow + and builds the CLI from the checked-out source — consumers + should never set it. required: false default: v0.2.0 firmware: @@ -117,9 +120,23 @@ runs: env: GOPROXY: 'direct' GOSUMDB: 'off' + TESTKIT_REF: ${{ inputs.testkit-ref }} + ACTION_PATH: ${{ github.action_path }} run: | - go install "github.com/DFXswiss/bitbox-testkit/go/cmd/bitbox-audit@${{ inputs.testkit-ref }}" - go install "github.com/DFXswiss/bitbox-testkit/go/cmd/bitbox-audit-explain@${{ inputs.testkit-ref }}" + set -euo pipefail + if [ "$TESTKIT_REF" = "local" ]; then + # Self-test path: build from the checked-out testkit source. + # PR builds run as `github.sha`, the synthetic merge commit, + # which is not in `refs/heads/*` and therefore unreachable to + # `go install`. The local build sidesteps that and tests the + # exact code in the PR. + src="$(cd "$ACTION_PATH/../../.." && pwd)/go" + echo "::notice::testkit-ref=local — building CLI from $src" + (cd "$src" && go install ./cmd/bitbox-audit ./cmd/bitbox-audit-explain) + else + go install "github.com/DFXswiss/bitbox-testkit/go/cmd/bitbox-audit@$TESTKIT_REF" + go install "github.com/DFXswiss/bitbox-testkit/go/cmd/bitbox-audit-explain@$TESTKIT_REF" + fi - name: Run BitBox-specific Jest tests if: inputs.run-jest == 'true' && steps.deps.outcome == 'success' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b63ea43..67842d1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -112,7 +112,10 @@ jobs: - name: run composite action against this repo uses: ./.github/actions/bitbox-audit with: - testkit-ref: ${{ github.sha }} + # `local` builds the CLI from the checked-out source. We can't + # use `${{ github.sha }}` because PR builds resolve that to a + # synthetic merge commit that's not reachable to `go install`. + testkit-ref: local run-jest: 'false' comment-on-pr: 'false' wasm-hash-check: 'false'