From 04233cb3c87564480836f8ba3e42e4cfde971b67 Mon Sep 17 00:00:00 2001
From: Dev
Date: Sun, 7 Jun 2026 20:51:35 +0300
Subject: [PATCH] test(ORCH-022): isolate TC-17 worktree under tmp_path (fix CI PermissionError on /repos/_wt)

TC-17 seeded 17-security-report.md via get_worktree_path() which resolves to settings.worktrees_dir (default /repos/_wt) -> the test wrote into the real shared host worktree path. In CI that dir is owned by another user -> PermissionError. Monkeypatch git_worktree.settings.worktrees_dir to tmp_path/_wt (same pattern as test_git_worktree.py / test_merge_gate.py). Prod logic untouched.
---
tests/test_stage_engine_security_gate.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/tests/test_stage_engine_security_gate.py b/tests/test_stage_engine_security_gate.py
index 8b82f7f..72fd8d7 100644
--- a/tests/test_stage_engine_security_gate.py
+++ b/tests/test_stage_engine_security_gate.py
@@ -158,13 +158,19 @@ def test_tc16_fail_rolls_back_and_enqueues_developer(monkeypatch): # --------------------------------------------------------------------------- # TC-17 — the rollback task_desc carries the verbatim findings (ORCH-046). # --------------------------------------------------------------------------- -def test_tc17_task_desc_has_verbatim_findings(monkeypatch): +def test_tc17_task_desc_has_verbatim_findings(monkeypatch, tmp_path): """TC-17: the re-launched developer's task_desc embeds the verbatim finding substance (not just a link), following the ORCH-046 pattern.""" reason = "2 secret(s): aws-access-key in src/config.py:12" _qg_with_security(monkeypatch, _fail(reason)) task_id = _make_task("deploy-staging", repo="enduro-trails") + # Isolate the worktree base under tmp_path so this test never touches the real + # shared /repos/_wt host path (PermissionError in CI). Mirrors the pattern in + # tests/test_git_worktree.py / test_merge_gate.py. + from src import git_worktree + monkeypatch.setattr(git_worktree.settings, "worktrees_dir", str(tmp_path / "_wt")) + # Seed a real 17-security-report.md in the worktree so extract_security_findings # has a verbatim body to excerpt. wt = stage_engine.get_worktree_path("enduro-trails", _BRANCH)
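Review bot: Nothing in the test verifies that the override took effect; the `wt = stage_engine.get_worktree_path("enduro-trails", _BRANCH)` result on the hunk's last line is used as returned. If `stage_engine` resolves the base directory from anything other than `git_worktree.settings` (its implementation is not visible here), the seed write would fall back to the shared `/repos/_wt` and succeed silently on any host where that path is writable. A guard directly after that line, `assert str(wt).startswith(str(tmp_path))`, would turn a broken isolation into a test failure instead of a write into a real worktree. If other tests in this file also seed files through `get_worktree_path`, the same `monkeypatch.setattr` would be better placed in a shared fixture than repeated per test. The body of `test_tc17_task_desc_has_verbatim_findings` continues past the end of the hunk.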