Files
RedBear-OS/local/scripts/tests/test_audit_patch_idempotency.py
T
kellito ae749ffb23 build: ship build-system hardening arc (5 of 10 improvements)
The v6.0 build-system hardening arc lands 5 of the 10 improvements
proposed in local/docs/BUILD-SYSTEM-IMPROVEMENTS.md. All scripts
have unit tests (62 -> 86, all pass in <1s) and the new 'lint-recipe'
Gitea Actions job runs on every PR.

Per-recipe audit & lint scripts (catch R1/R2 violations BEFORE cook):
  * audit-patch-idempotency.py  — verifies external patches in
    local/patches/ still apply against the upstream pinned rev.
    Caught 1 real bug on first run: libdrm/02-redox-dispatch.patch
    hunk at xf86drm.c:321 no longer matches libdrm-2.4.125.
  * audit-kf6-deps.py           — fetches upstream, scans for
    find_package(KF6Xxx REQUIRED), compares to recipe deps. Catches
    missing + dead dependencies in every kf6-* and qt* recipe.
  * classify-cook-failure.py    — 17-rule cook-failure classifier.
    10-30s diagnosis vs 5-10min manual. exit code is intentionally
    inverted (0=novel failure, 1=known fix) for CI signal.
  * lint-recipe.py              — 7-rule recipe lint: R1-NO-PATCH-FILE,
    R1-PATH-SOURCE, R2-INLINE-SED, R2-PATCHES-DIR-UNUSED,
    NO-LEGACY-MAKE, R1-LEGACY-APPLY-PATCHES, DEP-NOT-FOUND.
    1.1s for 171 recipes (down from 60s+ in v1 via recipe-index
    precomputation). Strict mode promotes warnings to errors.

Build-system convenience:
  * repair-cook.sh              — incremental-build optimizer.
    Equivalent to 'repo cook <pkg>' but with a fast-path that
    skips configure when CMakeCache.txt is newer than source AND
    external patches haven't changed. 30-60s vs 5-10min on KF6
    recipes. make repair.<pkg> / make clean-repair.<pkg> targets.
  * migrate-kf6-seds-to-patches.sh — migration skeleton for
    converting 56 inline 'sed -i' chains across the KF6 recipes
    to durable external patches in local/patches/<name>/.

Gitea Actions (host-execution, no Docker):
  * .gitea/workflows/build-system.yml — 8-job pipeline:
    unit-tests, lint-offline, lint-network (nightly),
    lint-recipe (NEW), lint-docs, build-mini, build-full,
    smoke (QEMU boot).
  * .gitea/RUNNER-SETUP.md — one-time Manjaro/Arch host setup.

Build script hardening:
  * build-redbear.sh            — when a low-level source (relibc,
    kernel, base, bootloader, installer) is newer than its pkgar,
    clean build/ and sysroot/ across all recipes too. Low-level
    package changes leave autotools packages (pcre2, gettext,
    libiconv, ...) with stale configure/libtool scripts referencing
    the old runtime, causing 'libtool version mismatch' and
    'not a valid libtool object' errors. Cleaning forces
    re-configuration; stage/ and source/ are preserved so the
    cookbook skips unchanged packages that don't use autotools.
  * Makefile                    — wire lint-cook-failure,
    lint-cook-failure-explain, lint-recipe, lint-recipe.%,
    lint-recipe.strict, lint-recipe.%.strict, repair.%,
    clean-repair.%, test-lint-scripts[-quiet]. Replace the
    legacy 'validate-patches' target with a deprecation notice
    pointing at validate-sources.

Documentation:
  * BUILD-SYSTEM-IMPROVEMENTS.md   — mark #2 and #5 DONE; full
    implementation notes; updated Make-targets table.
  * BUILD-SYSTEM-V6-HARDENING-POSTMORTEM.md (NEW) — 226-line durable
    record of the 8-session arc: 32 findings categorized, 5 P0
    audit-script bugs fixed, 6 over-broad multi-pattern rules
    discovered + fixed, test coverage 86/86 in <1s, 7/10
    improvements DONE.
  * SCRIPT-BEHAVIOR-MATRIX.md   — apply-patches.sh row marked
    LEGACY/ARCHIVED; build-redbear.sh row no longer claims to
    call it.
  * boot-logs/README.md (NEW)   — frozen-evidence policy:
    'do not edit' rule for REDBEAR-FULL-BOOT-*-RESULTS.md files.
  * libdrm/02-redox-dispatch.patch.README (NEW) — 8-step regen
    procedure for the broken hunk.

Cleanup:
  * local/cache/README.md deleted (1-line placeholder).
  * legacy 'make validate-patches' target removed.

Per build-system improvement #5: lint-recipe.py's first run on
the live tree surfaced 1 broken-patch reference (redbear-sessiond),
1 dangling cookbook_apply_patches call (tc), 19 sed -i calls in
sddm (warning — cookbook_apply_patches present, drop-x11.py
migration in progress), 4 sed -i calls in qt6-wayland-smoke
(uncovers the same bug class the libwayland fix prevented).
2026-06-12 13:37:39 +03:00

104 lines
3.6 KiB
Python

#!/usr/bin/env python3
"""Smoke tests for audit-patch-idempotency.py.
Run with:
python3 -m unittest local/scripts/tests/test_audit_patch_idempotency.py
"""
import re
import sys
import unittest
from pathlib import Path
SCRIPTS_DIR = Path(__file__).resolve().parent.parent
sys.path.insert(0, str(SCRIPTS_DIR))
import importlib.util # noqa: E402
_spec = importlib.util.spec_from_file_location(
"api", SCRIPTS_DIR / "audit-patch-idempotency.py"
)
assert _spec is not None and _spec.loader is not None
api = importlib.util.module_from_spec(_spec)
_spec.loader.exec_module(api)
class TestCollectPatches(unittest.TestCase):
"""The patch collector walks local/patches/<component>/NN-*.patch."""
def test_collect_real_patches(self):
# On the live tree, this should find at least 10 patches.
patches = list(api.collect_patches())
self.assertGreater(len(patches), 0)
# Every patch is a 2-tuple (component, Path).
for comp, p in patches:
self.assertIsInstance(comp, str)
self.assertTrue(p.exists())
def test_collect_filter_by_component(self):
# Should find the 3 libdrm patches.
patches = list(api.collect_patches(component_filter="libdrm"))
for _, name in patches:
self.assertIn("libdrm", str(name))
def test_collect_nonexistent_component(self):
patches = list(api.collect_patches(component_filter="does-not-exist-xyz"))
self.assertEqual(patches, [])
class TestPatchNameValidation(unittest.TestCase):
"""The regex accepts files matching NN-name.patch."""
def test_valid_patch_names(self):
# The collector uses PATCH_NAME_RE — verify it accepts real names.
names = [
"01-foo.patch", "02-bar.patch", "99-trailing-numbers.patch",
"10-multi-word-name-with-dashes.patch",
]
for n in names:
self.assertTrue(api.PATCH_NAME_RE.match(n),
f"should accept {n!r}")
def test_invalid_patch_names(self):
for n in ["foo.patch", "01-foo", "01-.patch", "foo-01-bar.patch"]:
self.assertFalse(api.PATCH_NAME_RE.match(n),
f"should reject {n!r}")
class TestJSONSchemaHonesty(unittest.TestCase):
"""--no-fetch must produce JSON with skipped entries and a clear message."""
def test_no_fetch_json_shape(self):
import json
import subprocess
proc = subprocess.run(
["python3", str(SCRIPTS_DIR / "audit-patch-idempotency.py"),
"--no-fetch", "--json"],
capture_output=True, text=True,
)
# With --no-fetch, every entry is skipped -> exit 2 (CI-safe).
self.assertEqual(proc.returncode, 2)
data = json.loads(proc.stdout)
self.assertIn("patches", data)
self.assertIn("total", data)
self.assertIn("errors", data)
self.assertIn("skipped", data)
# Every entry must be status=skipped.
for entry in data["patches"]:
self.assertEqual(entry["status"], "skipped")
self.assertEqual(data["skipped"], data["total"])
def test_no_fetch_text_honest_about_skipping(self):
import subprocess
proc = subprocess.run(
["python3", str(SCRIPTS_DIR / "audit-patch-idempotency.py"),
"--no-fetch"],
capture_output=True, text=True,
)
# Must NOT say "All N patches are idempotent" when none were
# actually audited.
self.assertIn("SKIPPED", proc.stdout)
self.assertIn("No audit was performed", proc.stdout)
if __name__ == "__main__":
unittest.main()