• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 28452352865
68%

Build:
DEFAULT BRANCH: main
Ran 30 Jun 2026 02:40PM UTC
Jobs 1
Files 774
Run time 3min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

30 Jun 2026 02:33PM UTC coverage: 67.491% (-0.004%) from 67.495%
28452352865

push

github

web-flow
Stop fabricating partial identity in RestoreSession (#5650)

* Stop fabricating partial identity in RestoreSession

RestoreSession constructed &auth.Identity{Subject, Claims} with Token
and UpstreamTokens unset, then passed it to makeBaseSession where it
propagated to the identityRoundTripper fallback in each backend
connector. This violated the field-completeness contract on *auth.Identity
and was a latent bug for any future consumer (audit log, outgoing-auth
strategy) that assumes a non-nil *Identity is fully populated.

Implements changes for issue #5336:
- Remove partial identity construction from RestoreSession; pass nil to
  makeBaseSession instead. Binding validation (binding.Parse) is kept to
  catch corrupted stored bindings before any backend work is attempted.
- Add field-completeness contract to auth.Identity godoc: a non-nil
  *Identity is always complete; nil represents the anonymous / no-identity
  state, not a partially-initialised struct.
- Replace the test that pinned the old partial-identity behavior with one
  that asserts nil is passed to the backend connector on restore.

Live tool calls are unaffected: TokenValidator.Middleware places a
fully-populated identity on req.Context() before requests reach the
backend connectors, and identityRoundTripper already only injects its
captured fallback when the request context carries none (see #5323).

* Address review feedback: fix stale comment, add E2E TODO

- Update RestoreSession implementation doc comment to reflect that
  connectors now receive nil identity (the old comment said identity was
  reconstructed from the stored iss/sub binding, which is no longer true)
- Add TODO comment to the cross-pod restore E2E test marking the
  upstream-auth extension from AC4 of issue #5336 as dependency-gated
  on a live OIDC provider in the test environment

* Rename stale test to reflect current behavior

TestRestoreSession_PopulatesBothSubjectFieldAndClaims described behavior
removed by the pa... (continued)

28 of 28 new or added lines in 5 files covered. (100.0%)

20 existing lines in 5 files now uncovered.

70949 of 105123 relevant lines covered (67.49%)

63.35 hits per line

Coverage Regressions

Lines Coverage ∆ File
6
76.15
-5.5% pkg/secrets/keyring/keyctl_linux.go
6
62.12
-0.17% pkg/workloads/manager.go
4
87.23
-0.48% pkg/transport/proxy/transparent/transparent_proxy.go
3
64.29
-4.29% pkg/state/runconfig.go
1
96.55
-0.17% pkg/vmcp/session/factory.go
Jobs
ID Job ID Ran Files Coverage
1 28452352865.1 30 Jun 2026 02:39PM UTC 774
67.49
GitHub Action Run
Source Files on build 28452352865
  • Tree
  • List 774
  • Changed 14
  • Source Changed 6
  • Coverage Changed 12
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #28452352865
  • 5fe154d4 on github
  • Prev Build on main (#28452107534)
  • Next Build on main (#28456424340)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc