Skip to content

fix(bots): give the engineer-bot e2e repro a token the env scrub can't strip#872

Merged
eric-wang-1990 merged 1 commit into
mainfrom
fix/e2e-token-scrub-config-file
Jul 17, 2026
Merged

fix(bots): give the engineer-bot e2e repro a token the env scrub can't strip#872
eric-wang-1990 merged 1 commit into
mainfrom
fix/e2e-token-scrub-config-file

Conversation

@eric-wang-1990

Copy link
Copy Markdown
Contributor

Problem

The engineer-bot's bug-fix flow requires a live tests/e2e repro. The e2e suite authenticates through conftest.py, which reads the token from DATABRICKS_TOKEN. But the bot runs pytest inside an agent-driven subprocess whose env is scrubbed of every credential-shaped variable (the engine's shared/env_scrub.py strips *TOKEN*/*SECRET*/*PASSWORD*/…). So DATABRICKS_TOKEN is removed before pytest starts, the connection is built with access_token=None, and it hangs.

Observed on #791: every e2e test — including existing, unmodified ones — stalled ~10 min per attempt, burning the 45-min job timeout. The same warehouse and azure-prod secrets are used by code-coverage.yml's e2e job, which passes only because it runs pytest directly (no agent, no scrub). That's the whole difference; it is not warehouse cold-start.

Fix

Pass the connection details through a file instead of a credential-named env var — the pattern the engine's centralize-bot-workflows design doc prescribes verbatim.

  • engineer-bot.yml: a new step writes host/http_path/token/user/catalog to $RUNNER_TEMP/e2e-connection.json (built with jq so the secret is never shell-interpolated; chmod 600) and exports its path to the author step as DATABRICKS_TEST_CONFIG_FILE — a name env_scrub deliberately preserves.
  • conftest.py: each connection fixture now falls back to that file when its env var is absent. The env var still wins, so normal CI and local dev are byte-for-byte unchanged (they leave the path var unset → empty file dict).

Author phase only. The follow-up phase deliberately runs mocked tests/unit and forbids tests/e2e, so it needs no live token — left untouched.

Verification

This pull request and its description were written by Isaac.

…t strip

The bug-fix flow's REQUIRED tests/e2e repro authenticates through conftest.py,
which reads the token from DATABRICKS_TOKEN. But the engineer-bot runs pytest in
an agent-driven subprocess whose environment is scrubbed of every credential-
shaped variable (the engine's shared/env_scrub.py strips *TOKEN*/*SECRET*/... ),
so DATABRICKS_TOKEN is gone before pytest starts. The connection is then built
with access_token=None and hangs — observed on issue #791: every e2e test (incl.
existing, unmodified ones) stalled ~10 min per attempt until the 45-min job
timeout. The same warehouse/env is used by code-coverage.yml's e2e job, which
passes because it runs pytest directly (no agent, no scrub).

Fix (per the engine's centralize-bot-workflows design doc): pass the connection
details through a file instead of a credential-named env var.

- engineer-bot.yml: a new step writes host/http_path/token/user/catalog to
  $RUNNER_TEMP/e2e-connection.json (built with jq so the secret is never shell-
  interpolated; chmod 600) and exports its PATH to the author step as
  DATABRICKS_TEST_CONFIG_FILE — a name env_scrub deliberately preserves.
- conftest.py: each connection fixture now falls back to that file when its env
  var is absent (env var still wins). Normal CI and local dev leave the path var
  unset, so the file dict is empty and behavior is byte-for-byte unchanged.

Author phase only: the follow-up phase deliberately runs mocked tests/unit and
forbids tests/e2e, so it needs no live token (left untouched).

Signed-off-by: eric-wang-1990 <[email protected]>
Co-authored-by: Isaac
Copilot AI review requested due to automatic review settings July 17, 2026 20:31

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@peco-review-bot peco-review-bot Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verdict: 1 Low

Looks good — a clean, well-scoped fix that passes the e2e token through a file (DATABRICKS_TEST_CONFIG_FILE) the env scrub preserves, keeping the env var as the winning source so normal CI/local dev is unchanged. One low note about the or-based fallback changing empty-string-vs-unset semantics for the fixtures. Nit: _test_config_from_file only guards OSError/ValueError; a valid-but-non-object JSON (e.g. a bare string/list) would pass json.load and later raise AttributeError on .get(...) in the fixtures — not reachable given the jq -n '{...}' writer, but a isinstance(..., dict) check would harden it."

Comment thread conftest.py
@eric-wang-1990 eric-wang-1990 added the engineer-bot Maintainer-applied gate: triggers engineer-bot (bug-fix on issue / take-over on PR). label Jul 17, 2026
@eric-wang-1990
eric-wang-1990 added this pull request to the merge queue Jul 17, 2026
Merged via the queue into main with commit 9f81d35 Jul 17, 2026
70 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

engineer-bot Maintainer-applied gate: triggers engineer-bot (bug-fix on issue / take-over on PR).

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants