Skip to content

[需求] CI容器通用化k8s错误反馈机制-补充优化-的开发实现-runner-container-hooks部分#22

Closed
flysky22222 wants to merge 6 commits into
mainfrom
issue-1203-from-main
Closed

[需求] CI容器通用化k8s错误反馈机制-补充优化-的开发实现-runner-container-hooks部分#22
flysky22222 wants to merge 6 commits into
mainfrom
issue-1203-from-main

Conversation

@flysky22222

Copy link
Copy Markdown

背景

[需求] CI容器通用化k8s错误反馈机制-补充优化(runner-container-hooks)· 开发流水线 · 开发预览阶段(代码已推 + 预览已部署 + UT 已补;门禁/对抗由 PR CI 异步跑)

改动内容

fix(runner-container-hooks): eliminate module shadowing, add exitCode guard, refactor describePodFailure for pre-fetched pod

Changes in runner-container-hooks submodule

1. Delete packages/k8s/src/k8s/utils.ts (TS compile fix)

  • The old utils.ts file shadowed the utils/index.ts directory, preventing TypeScript from resolving new exports (EXTERNALS_VOLUME_NAME, GITHUB_VOLUME_NAME, WORK_VOLUME, CONTAINER_VOLUMES, sleep, listDirAllCommand, prepareJobScript, writeRunScript, writeContainerStepScript). This caused 12 compile errors and 8/9 test suite failures.
  • All imports from ./utils and ../k8s/utils now correctly resolve to utils/index.ts.

2. Add exitCode !== 0 guard to getContainerTerminatedErrors (false positive fix)

  • packages/k8s/src/k8s/index.ts:798: Changed condition from terminated?.reason && unrecoverableReasons.has(terminated.reason) to terminated?.reason && terminated.exitCode !== 0 && unrecoverableReasons.has(terminated.reason).
  • Prevents false positives where a container successfully exits with exitCode=0 but has a whitelisted termination reason (e.g. reason='Error' + exitCode=0). Aligns with describePodFailure line 939 which already checks exitCode !== 0.

3. Refactor describePodFailure to accept preFetchedPod (redundant API call elimination)

  • packages/k8s/src/k8s/index.ts:887: Changed signature from (podName: string) to (podName: string, preFetchedPod?: k8s.V1Pod).
  • When preFetchedPod is provided, skips the readPod(podName) API call and uses the pre-fetched pod directly, avoiding redundant K8s API calls that fetch the same pod resource twice.

4. Update run-container-step.ts to pass pre-fetched pod

  • packages/k8s/src/hooks/run-container-step.ts:126: Changed describePodFailure(podName) to describePodFailure(podName, pod), passing the pod already fetched by getPodByName on line 123.

5. Update waitForPodPhases to pass pre-fetched pod to all describePodFailure calls

  • packages/k8s/src/k8s/index.ts:1029, 1054, 1066: All three describePodFailure(podName) calls in waitForPodPhases now pass the pod fetched by readPod on line 1020 as the second argument.

6. Move utils/index.spec.ts to tests/utils-test.ts

  • The .spec.ts naming didn't match the Jest testMatch: ['**/*-test.ts'] pattern, so the file was never executed by npm test. Moved and renamed to tests/utils-test.ts with corrected import paths.

UT files added/modified

packages/k8s/tests/wait-for-pod-phases-test.ts

  • Added: does not flag containers with unrecoverable reason but exitCode=0 (false positive guard) — verifies getContainerTerminatedErrors returns empty when reason='Error' + exitCode=0
  • Added: skips readPod when preFetchedPod is provided — verifies describePodFailure with preFetchedPod does not call readNamespacedPod spy

packages/k8s/tests/run-container-step-terminated-test.ts

  • Added: passes pre-fetched pod to describePodFailure to avoid redundant API call — verifies describePodFailureSpy is called with (podName, podObj) not just (podName)
  • Modified: Updated OOMKilled, Error, and FailedPostStartHookError test assertions to verify describePodFailure receives the pre-fetched pod as second argument

packages/k8s/tests/utils-test.ts (moved from src/k8s/utils/index.spec.ts)

  • All 31 existing tests preserved; import paths updated to ../src/k8s/utils

Verification

  • npm run build --prefix packages/k8s: TS compile + ncc bundle succeeds (0 errors)
  • 52 pure unit tests pass (wait-for-pod-phases-test, run-container-step-terminated-test)
  • 31 utils unit tests pass (utils-test)
  • e2e/integration tests fail due to k8s RBAC 403 (environment issue, not code bug)

相关 Issue

resolve https://github.com/opensourceways/backlog/issues/1203

AI 使用声明

当前 PR 是否有 AI 参与:

@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@opensourceways-bot

Copy link
Copy Markdown

Welcome To opensourceways Community

Hey @flysky22222 , thanks for your contribution to the community.

Bot Usage Manual

I'm the Bot here serving you. You can find the instructions on how to interact with me at Here . That means you can comment below every pull request or issue to trigger Bot Commands.

Contact Guide

If you have any questions, please contact the SIG: infratructure ,
and any of the maintainers: @GeorgeCao-hw, @TangJia025, @pkking, @zhongjun2 ,
and any of the committers: @GeorgeCao-hw, @Goalina, @Hourunze1997, @JavaPythonAIForBAT, @KadenZhang3321, @LiYanghang00, @ccijunk, @drizzlezyk, @githubliuyang777, @pkking, @rosecoffe, @tfhddd, @yao-xiaobai, @zhongjun2, @zkhzkhz .

@opensourceways-bot

Copy link
Copy Markdown

CLA Signature Pass

flysky22222, thanks for your pull request. All authors of the commits have signed the CLA. 👍

@socket-security

socket-security Bot commented Jul 2, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion

CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL)

Affected versions: >= 4.0.0 < 4.7.9

Patched version: 4.7.9

From: packages/k8s/package-lock.jsonnpm/ts-jest@29.4.4npm/handlebars@4.7.8

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm damerau-levenshtein is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: packages/hooklib/package-lock.jsonnpm/eslint-plugin-github@6.0.0npm/damerau-levenshtein@1.0.8

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/damerau-levenshtein@1.0.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm es-abstract is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: packages/hooklib/package-lock.jsonnpm/eslint-plugin-github@6.0.0npm/es-abstract@1.24.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm openid-client is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: packages/k8s/package-lock.jsonnpm/@kubernetes/client-node@1.3.0npm/openid-client@6.8.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openid-client@6.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm string.prototype.trimend is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: packages/hooklib/package-lock.jsonnpm/eslint-plugin-github@6.0.0npm/string.prototype.trimend@1.0.9

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/string.prototype.trimend@1.0.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

…d exitCode guard and preFetchedPod optimization
@opensourceways-bot

Copy link
Copy Markdown

CLA Signature Pass

flysky22222, thanks for your pull request. All authors of the commits have signed the CLA. 👍

@opensourceways-bot

Copy link
Copy Markdown
检查项 状态
敏感信息扫描
安全编码扫描
漏洞扫描
开源license合规扫描
UT覆盖率
开发阶段设计文档检查
流水线链接 点击跳转查看日志

@opensourceways-bot

Copy link
Copy Markdown

Notification

This pull request source branch has changed, so removes the following label(s): gate_check_pass.

@opensourceways-bot

Copy link
Copy Markdown

CLA Signature Pass

flysky22222, thanks for your pull request. All authors of the commits have signed the CLA. 👍

@opensourceways-bot

Copy link
Copy Markdown
检查项 状态
敏感信息扫描
安全编码扫描
漏洞扫描
开源license合规扫描
UT覆盖率
开发阶段设计文档检查
流水线链接 点击跳转查看日志

@opensourceways-bot

Copy link
Copy Markdown

Notification

This pull request source branch has changed, so removes the following label(s): gate_check_pass.

@opensourceways-bot

Copy link
Copy Markdown

CLA Signature Pass

flysky22222, thanks for your pull request. All authors of the commits have signed the CLA. 👍

@opensourceways-bot

Copy link
Copy Markdown
检查项 状态
敏感信息扫描
安全编码扫描
漏洞扫描
开源license合规扫描
UT覆盖率
开发阶段设计文档检查
流水线链接 点击跳转查看日志

@opensourceways-bot

Copy link
Copy Markdown

Notification

This pull request source branch has changed, so removes the following label(s): gate_check_pass.

@opensourceways-bot

Copy link
Copy Markdown

CLA Signature Pass

flysky22222, thanks for your pull request. All authors of the commits have signed the CLA. 👍

@opensourceways-bot

Copy link
Copy Markdown
检查项 状态
敏感信息扫描
安全编码扫描
漏洞扫描
开源license合规扫描
UT覆盖率
开发阶段设计文档检查
流水线链接 点击跳转查看日志

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants