chore(providers): onboarding prep — unblock Azure/GCP/OCI merges#287
Merged
Conversation
Contributor
Test Results Summary12 612 tests +251 12 295 ✅ +251 6m 25s ⏱️ -7s Results for commit 42688a0. ± Comparison against base commit 542a7de. This pull request removes 8 and adds 259 tests. Note that renamed tests count towards both.♻️ This comment has been updated with latest results. |
b8626e9 to
f4fd4dd
Compare
This was referenced Jul 8, 2026
fgogolli
added a commit
that referenced
this pull request
Jul 8, 2026
…287) The release_hosts provider_data-optional change and the ProviderHandlerBase scaffolding protocol overlap with PR #287 (provider onboarding prep), which owns the cross-provider handler contract and rewrites these same handler files. That work does not belong in this k8s perf/parity PR. Reverts the handler signature changes to main and removes the orphaned scaffolding file (which was an incomplete copy of #287's — missing __init__ and siblings). The contract-test adapter is restored to main's captured-provider_data pattern. The kmock list-semantics fix is unaffected and retained.
27 tasks
8368853 to
447140c
Compare
fgogolli
added a commit
that referenced
this pull request
Jul 13, 2026
Rebasing #287 onto main surfaced: inline imports still used the pre-rename orb.providers.k8s.exceptions.k8s_errors path (main renamed the module to k8s_exceptions); and CLISpecRegistry test used the old _specs attribute (main renamed to _store). Correct both so the rebased branch is green.
fgogolli
added a commit
that referenced
this pull request
Jul 13, 2026
#287 added scaffolding/exceptions/strategy tests under tests/providers/base/, but the providers CI leg only runs discovered provider subtrees (aws, k8s via testconf.mk) and the unit leg runs tests/unit — so tests/providers/base ran in NO CI leg. Move them into tests/unit/providers/base/ so the unit leg executes them. Also replace the deprecated asyncio.get_event_loop().run_until_complete() with asyncio.run() in the handler-base tests — get_event_loop() raises under Python 3.12 once another test has closed the global loop, which surfaced as order-dependent failures now that these run in the shared unit leg.
447140c to
bb73c61
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #287 +/- ##
==========================================
+ Coverage 62.76% 63.27% +0.50%
==========================================
Files 837 840 +3
Lines 56277 56378 +101
Branches 6891 6903 +12
==========================================
+ Hits 35325 35671 +346
+ Misses 19176 19015 -161
+ Partials 1776 1692 -84
Flags with carried forward coverage won't be shown. Click here to find out more.
|
fgogolli
added a commit
that referenced
this pull request
Jul 13, 2026
Rebasing #287 onto main surfaced: inline imports still used the pre-rename orb.providers.k8s.exceptions.k8s_errors path (main renamed the module to k8s_exceptions); and CLISpecRegistry test used the old _specs attribute (main renamed to _store). Correct both so the rebased branch is green.
fgogolli
added a commit
that referenced
this pull request
Jul 13, 2026
#287 added scaffolding/exceptions/strategy tests under tests/providers/base/, but the providers CI leg only runs discovered provider subtrees (aws, k8s via testconf.mk) and the unit leg runs tests/unit — so tests/providers/base ran in NO CI leg. Move them into tests/unit/providers/base/ so the unit leg executes them. Also replace the deprecated asyncio.get_event_loop().run_until_complete() with asyncio.run() in the handler-base tests — get_event_loop() raises under Python 3.12 once another test has closed the global loop, which surfaced as order-dependent failures now that these run in the shared unit leg.
9204bea to
1034b72
Compare
Remove AWS-specific defaults from shared domain/config; rename fields to provider-neutral equivalents so non-AWS providers can onboard cleanly.
Accept machine_type alongside deprecated instance_type on Template DTOs; emit operator-visible warnings for the old field and migrate AWS handlers.
…hardening Tighten IAM ARN validation to an allowlist, restrict CORS/trusted_hosts to loopback, harden the /info endpoint, and lock down test assertions.
Add ProviderError base exception and get_resource_id_pattern() classmethod for provider-scoped ID validation; scaffolding stubs added then removed.
Register --provider-type on the shared parent parser so all sub-commands inherit it consistently rather than each registering it independently.
Add regression tests covering abstract-method contracts on SQLQueryBuilder to prevent silent interface drift as the storage layer evolves.
…ixes Align k8s tests with the refuse-and-raise release semantics and fix stale import paths and registry names introduced by the earlier rebase.
Finish the instance_profile->machine_role rename in base context flags that was missed in the earlier AWS handler migration.
821f9de to
dc29142
Compare
…nts from the number Consolidate coverage uploads into one combined report with after_n_builds synchronisation; exclude legacy/entrypoint modules from the coverage metric.
ab739df to
f61c541
Compare
The scorecard workflow already publishes results (publish_results: true); this surfaces the score in the README badge row. Badge image: api.securityscorecards.dev; click-through: scorecard.dev viewer.
f61c541 to
42688a0
Compare
canonicalname
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Cross-cutting prep to remove AWS-shaped leaks from shared code and finalise the
ProviderStrategycontract before Azure (PR #258), GCP (PR #257), and OCI (PR #234) provider PRs land. Blocks the multi-provider merge train.Rebased onto current
mainand regrouped into 9 thematic commits (down from the original working history), each single-purpose. Highlights:Shared-code AWS leak removal:
Machine.provider_typenow required (droppeddefault="aws"— silent misclassification for non-AWS machines)ProviderValidationServicePROVIDER_TYPE_AWSaws_default_us-east-1fallbackimage_idmoved from universally required to AWS-specific validatorregionregex moved fromNamingConfiginto AWS provider configDomain model neutrality (with
AliasChoicesback-compat +DeprecationWarning):Template.instance_type→Template.machine_typeTemplate.instance_profile→Template.machine_roleTemplate.provider_datadeleted; readers migrated to typed subclasses (AWSTemplate,K8sTemplate)Provider contract additions:
get_resource_id_pattern()classmethod onProviderStrategy(AWS returns^i-[a-f0-9]{8,17}$, non-AWS returnsNone)providers/base/exceptions/: sharedProviderErrorhierarchy with anis_retryableaxis and asafe_to_dict()variant that omitsunderlying_exceptionto prevent ARN/DSN/secret leakage in HTTP responsesSecurity hardening:
admin_arnsallowlist (frozenset exact-match) instead of substring bypass;:rootunconditional grant now respects the allowlisttrusted_hostsdefaults tightened to loopback-only (localhost,127.0.0.1,::1,testserver)/infono longer discloses auth strategy to unauthenticated callersTypeErrorthat shipped in an earlier releaseStorage backfill:
Machinerecords withoutprovider_typeare backfilled to"aws"on readCLI hygiene:
--provider-typeregistered via a shared parent parser (prevents the argparse regression pattern that caused a large test-failure cascade)API DTO renames with deprecation:
TemplateCreateRequest,TemplateUpdateRequest,CreateTemplateInput,UpdateTemplateInputaccept bothmachine_type(primary) andinstance_type(deprecated alias with warning log)Config hygiene:
default_config.json(both packaged + repo sample) restored to loopback-onlyserver.host/cors.origins— the packaged JSON is the lowest-precedence base layer and was overriding the hardened schema defaults back to0.0.0.0/["*"], silently defeating the security tightening.spot_fleet/ec2_fleet/asgpatterns,fleet_types,price_types) out of the sharedNamingConfig— no shared reader consumes them.CI / coverage:
coverage-combinefan-in job that merges every leg's.coveragedata first. A single deterministic upload replaces the per-leg uploads that produced mid-run partial-merge flapping, and it auto-scales to any number of provider legs (no hardcoded leg count).k8s_legacy, test files, and thin process entrypoints (__main__.py,run.py,server_daemon.py) excluded from the coverage number so it reflects real production source. Combined coverage: ~63%.Post-review hardening (adversarial review + CodeQL + CI feedback):
ProviderErrorgained anis_retryableaxis (Transient/Permanent was orthogonal to Config/Auth/Quota) + asafe_to_dict()that omitsunderlying_exceptionto prevent ARN/DSN/secret leakage into HTTP responses.:rootunconditional admin grant now respects theadmin_arnsallowlist when one is configured._StickyOverridesDict.__eq__with__hash__ = None),trusted_hostsasserted by exact list rather than substring membership, unused module-level logger removed.mainbecause its CI matrix was AWS-only; k8s now runs on every PR via provider discovery.serial(not just its own subtree), which deselected every k8s test under-m "not serial".ApiException(status=404)so the classifier recognises the not-found path, instead of a hand-mocked generic exception.Type of Change
Breaking-change surface (all backwards-compatible via aliases + deprecation warnings):
Template.instance_type→Template.machine_type(alias preserved)Template.instance_profile→Template.machine_role(alias preserved)Template.provider_datafield removed; readers migrated to typed subclassesMachine.provider_typenow required (no default) — legacy storage records are backfilledHow Has This Been Tested?