linux probe with install

erika-wallace · erika-wallace · commit 68f5331b9809 · 2026-03-24T16:05:49.000-04:00
diff --git a/scripts/ci/probe-linux.sh b/scripts/ci/probe-linux.sh
@@ -6,35 +6,70 @@ if [[ "$(uname -s)" != Linux ]]; then
   exit 0
 fi
 
-secret_tool_path="$(command -v secret-tool || true)"
-if [[ -n "$secret_tool_path" ]]; then
-  echo "=== secret-tool -> ${secret_tool_path} ==="
-  secret-tool --version 2>/dev/null || true
-  echo "OK: secret-tool on PATH"
+echo "=== apt ==="
+if command -v apt-get >/dev/null 2>&1; then
+  echo "apt-get is available at $(command -v apt-get)"
+
+  missing_tools=()
+  command -v secret-tool >/dev/null 2>&1 || missing_tools+=("secret-tool")
+  command -v gnome-keyring-daemon >/dev/null 2>&1 || missing_tools+=("gnome-keyring-daemon")
+  command -v dbus-run-session >/dev/null 2>&1 || missing_tools+=("dbus-run-session")
+
+  if [[ "${#missing_tools[@]}" -gt 0 ]]; then
+    echo "Installing missing Linux keyring dependencies for: ${missing_tools[*]}"
+    apt_cmd="apt-get"
+    if [[ "$(id -u)" -ne 0 ]] && command -v sudo >/dev/null 2>&1; then
+      apt_cmd="sudo apt-get"
+    fi
+    $apt_cmd update
+    $apt_cmd install -y libsecret-tools gnome-keyring dbus-user-session
+  fi
 else
-  echo "=== secret-tool ==="
-  echo "MISSING: secret-tool not on PATH"
+  echo "apt-get not on PATH"
 fi
 
-if command -v which >/dev/null 2>&1; then
-  echo "=== which ==="
-  echo "which is available at $(command -v which)"
-else
-  echo "which not on PATH"
+if ! command -v dbus-run-session >/dev/null 2>&1; then
+  echo "MISSING: dbus-run-session (cannot run secret-tool probe session)"
+  exit 1
 fi
 
-echo "=== related binaries (gnome-keyring / dbus session) ==="
-for cmd in gnome-keyring-daemon dbus-run-session; do
-  if command -v "$cmd" >/dev/null 2>&1; then
-    echo "OK: ${cmd} -> $(command -v "$cmd")"
-  else
-    echo "MISSING: ${cmd}"
-  fi
-done
+if ! command -v gnome-keyring-daemon >/dev/null 2>&1; then
+  echo "MISSING: gnome-keyring-daemon (cannot run secret-tool probe session)"
+  exit 1
+fi
 
-echo "=== apt ==="
-if command -v apt-get >/dev/null 2>&1; then
-    echo "apt-get is available at $(command -v apt-get)"
-else
-    echo "apt-get not on PATH"
+if ! command -v secret-tool >/dev/null 2>&1; then
+  echo "MISSING: secret-tool (cannot run secret-tool probe session)"
+  exit 1
 fi
+
+echo "=== secret-tool round-trip in dbus session ==="
+dbus-run-session -- bash -c '
+  set -euo pipefail
+  eval "$(echo -n "heroku-credential-manager-ci" | gnome-keyring-daemon --unlock --components=secrets)"
+
+  service="heroku-cli-probe-linux"
+  account="probe-linux@example.com"
+  token="probe-linux-token"
+
+  echo "store credential"
+  printf "%s" "$token" | secret-tool store --label="Heroku CLI Probe" service "$service" account "$account"
+
+  echo "lookup credential"
+  looked_up="$(secret-tool lookup service "$service" account "$account")"
+  if [[ "$looked_up" != "$token" ]]; then
+    echo "ERROR: lookup mismatch (got: ${looked_up})"
+    exit 1
+  fi
+  echo "OK: lookup matched expected token"
+
+  echo "remove credential"
+  secret-tool clear service "$service" account "$account"
+
+  echo "verify removal"
+  if secret-tool lookup service "$service" account "$account" >/dev/null 2>&1; then
+    echo "ERROR: credential still present after clear"
+    exit 1
+  fi
+  echo "OK: credential removed"
+'
