fix: replace orchestrator-develop branch references with main

The orchestrator-develop branch no longer exists. Update all fallback clone commands and test fixtures to use main instead. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ci: set macOS builds to continue-on-error
2026-06-13 09:23:52 -07:00 · 2026-03-09 20:04:50 +00:00 · 2026-03-05 23:33:29 +00:00 · 2026-03-05 12:55:18 +00:00 · 2026-03-05 08:41:04 +00:00 · 2026-03-05 08:35:03 +00:00
13 changed files with 1204 additions and 1822 deletions
@@ -182,8 +182,8 @@ inputs:
    required: false
    default: ''
    description:
-      '[Orchestrator] Run a custom job instead of the standard build automation for orchestrator (in yaml format with
+      '[Orchestrator] Run a custom job instead of the standard build automation for orchestrator (in yaml format with the
-      the keys image, secrets (name, value object array), command line string)'
+      keys image, secrets (name, value object array), command line string)'
  awsStackName:
    default: 'game-ci'
    required: false
@@ -194,6 +194,15 @@ inputs:
    description:
      '[Orchestrator] Either local, k8s or aws can be used to run builds on a remote cluster. Additional parameters must
      be configured.'
  secretSource:
    default: ''
    required: false
    description:
      '[Orchestrator] Premade secret source for pulling build secrets. Supported values: aws-secrets-manager,
      aws-parameter-store, gcp-secret-manager, azure-key-vault, hashicorp-vault, hashicorp-vault-kv1,
      vault (alias for hashicorp-vault), env. Can also be a custom shell command with {0} placeholder
      for the key, or a path to a YAML file defining custom sources. Takes precedence over
      inputPullCommand when set.'
  resourceTracking:
    default: 'false'
    required: false
@@ -279,30 +288,6 @@ inputs:
    description:
      '[Orchestrator] Specifies the repo for the unity builder. Useful if you forked the repo for testing, features, or
      fixes.'
  gitIntegrityCheck:
    description: 'Run git integrity checks before build (fsck, lock cleanup, submodule validation)'
    required: false
    default: 'false'
  gitAutoRecover:
    description: 'Attempt automatic recovery if git corruption is detected'
    required: false
    default: 'false'
  cleanReservedFilenames:
    description: 'Remove Windows reserved filenames that cause Unity import loops'
    required: false
    default: 'false'
  buildArchiveEnabled:
    description: 'Archive build output after successful build'
    required: false
    default: 'false'
  buildArchivePath:
    description: 'Path to store build archives'
    required: false
    default: './build-archives'
  buildArchiveRetention:
    description: 'Days to retain build archives before cleanup'
    required: false
    default: '30'
 outputs:
  volume:
@@ -38,7 +38,6 @@ const model_1 = __nccwpck_require__(41359);
 const cli_1 = __nccwpck_require__(55651);
 const mac_builder_1 = __importDefault(__nccwpck_require__(39364));
 const platform_setup_1 = __importDefault(__nccwpck_require__(64423));
 const reliability_1 = __nccwpck_require__(9842);
 async function runMain() {
    try {
        if (cli_1.Cli.InitCliMode()) {
@@ -47,32 +46,9 @@ async function runMain() {
        }
        model_1.Action.checkCompatibility();
        model_1.Cache.verify();
        // Always configure git environment for CI reliability
        reliability_1.BuildReliabilityService.configureGitEnvironment();
        const { workspace, actionFolder } = model_1.Action;
        const buildParameters = await model_1.BuildParameters.create();
        const baseImage = new model_1.ImageTag(buildParameters);
        // Pre-build reliability checks
        if (buildParameters.gitIntegrityCheck) {
            core.info('Running git integrity checks...');
            const isHealthy = reliability_1.BuildReliabilityService.checkGitIntegrity(workspace);
            reliability_1.BuildReliabilityService.cleanStaleLockFiles(workspace);
            reliability_1.BuildReliabilityService.validateSubmoduleBackingStores(workspace);
            if (buildParameters.cleanReservedFilenames) {
                reliability_1.BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
            }
            if (!isHealthy && buildParameters.gitAutoRecover) {
                core.info('Git corruption detected, attempting automatic recovery...');
                const recovered = reliability_1.BuildReliabilityService.recoverCorruptedRepo(workspace);
                if (!recovered) {
                    core.warning('Automatic recovery failed. Build may encounter issues.');
                }
            }
        }
        else if (buildParameters.cleanReservedFilenames) {
            // cleanReservedFilenames can run independently of gitIntegrityCheck
            reliability_1.BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
        }
        let exitCode = -1;
        if (buildParameters.providerStrategy === 'local') {
            core.info('Building locally');
@@ -90,12 +66,6 @@ async function runMain() {
            await model_1.Orchestrator.run(buildParameters, baseImage.toString());
            exitCode = 0;
        }
        // Post-build: archive and enforce retention
        if (buildParameters.buildArchiveEnabled && exitCode === 0) {
            core.info('Archiving build output...');
            reliability_1.BuildReliabilityService.archiveBuildOutput(buildParameters.buildPath, buildParameters.buildArchivePath);
            reliability_1.BuildReliabilityService.enforceRetention(buildParameters.buildArchivePath, buildParameters.buildArchiveRetention);
        }
        // Set output
        await model_1.Output.setBuildVersion(buildParameters.buildVersion);
        await model_1.Output.setAndroidVersionCode(buildParameters.androidVersionCode);
@@ -405,12 +375,6 @@ class BuildParameters {
            cacheUnityInstallationOnMac: input_1.default.cacheUnityInstallationOnMac,
            unityHubVersionOnMac: input_1.default.unityHubVersionOnMac,
            dockerWorkspacePath: input_1.default.dockerWorkspacePath,
            gitIntegrityCheck: input_1.default.gitIntegrityCheck,
            gitAutoRecover: input_1.default.gitAutoRecover,
            cleanReservedFilenames: input_1.default.cleanReservedFilenames,
            buildArchiveEnabled: input_1.default.buildArchiveEnabled,
            buildArchivePath: input_1.default.buildArchivePath,
            buildArchiveRetention: input_1.default.buildArchiveRetention,
        };
    }
    static parseBuildFile(filename, platform, androidExportType) {
@@ -1862,28 +1826,6 @@ class Input {
    static get skipActivation() {
        return Input.getInput('skipActivation')?.toLowerCase() ?? 'false';
    }
    static get gitIntegrityCheck() {
        const input = Input.getInput('gitIntegrityCheck') ?? 'false';
        return input === 'true';
    }
    static get gitAutoRecover() {
        const input = Input.getInput('gitAutoRecover') ?? 'false';
        return input === 'true';
    }
    static get cleanReservedFilenames() {
        const input = Input.getInput('cleanReservedFilenames') ?? 'false';
        return input === 'true';
    }
    static get buildArchiveEnabled() {
        const input = Input.getInput('buildArchiveEnabled') ?? 'false';
        return input === 'true';
    }
    static get buildArchivePath() {
        return Input.getInput('buildArchivePath') ?? './build-archives';
    }
    static get buildArchiveRetention() {
        return Number.parseInt(Input.getInput('buildArchiveRetention') ?? '30', 10);
    }
    static ToEnvVarFormat(input) {
        if (input.toUpperCase() === input) {
            return input;
@@ -2301,6 +2243,9 @@ class OrchestratorOptions {
    static get pullInputList() {
        return OrchestratorOptions.getInput('pullInputList')?.split(`,`) || [];
    }
    static get secretSource() {
        return OrchestratorOptions.getInput('secretSource') || '';
    }
    static get inputPullCommand() {
        const value = OrchestratorOptions.getInput('inputPullCommand');
        if (value === 'gcp-secret-manager') {
@@ -2422,13 +2367,39 @@ exports["default"] = OrchestratorOptions;
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    var desc = Object.getOwnPropertyDescriptor(m, k);
    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
      desc = { enumerable: true, get: function() { return m[k]; } };
    }
    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 const core = __importStar(__nccwpck_require__(42186));
 const input_1 = __importDefault(__nccwpck_require__(91933));
 const generic_input_reader_1 = __nccwpck_require__(2263);
 const orchestrator_options_1 = __importDefault(__nccwpck_require__(82473));
 const secret_source_service_1 = __nccwpck_require__(79089);
 const orchestrator_logger_1 = __importDefault(__nccwpck_require__(32549));
 const formatFunction = (value, arguments_) => {
    for (const element of arguments_) {
        value = value.replace(`{${element.key}}`, element.value);
@@ -2436,7 +2407,6 @@ const formatFunction = (value, arguments_) => {
    return value;
 };
 class OrchestratorQueryOverride {
    // TODO accept premade secret sources or custom secret source definition yamls
    static query(key, alternativeKey) {
        if (OrchestratorQueryOverride.queryOverrides && OrchestratorQueryOverride.queryOverrides[key] !== undefined) {
            return OrchestratorQueryOverride.queryOverrides[key];
@@ -2464,11 +2434,49 @@ class OrchestratorQueryOverride {
        if (!this.shouldUseOverride(query)) {
            throw new Error(`Should not be trying to run override query on ${query}`);
        }
-        return await generic_input_reader_1.GenericInputReader.Run(formatFunction(orchestrator_options_1.default.inputPullCommand, [{ key: 0, value: query }]));
+        // Validate the query key before interpolating it into a shell command
        (0, secret_source_service_1.validateSecretKey)(query);
        const result = await generic_input_reader_1.GenericInputReader.Run(formatFunction(orchestrator_options_1.default.inputPullCommand, [{ key: 0, value: query }]));
        // Mask the fetched secret value so it does not appear in GitHub Actions logs
        if (result && result.trim().length > 0) {
            core.setSecret(result);
        }
        return result;
    }
    /**
     * Populate query overrides using either:
     * 1. Premade/custom secret sources (via secretSource input), or
     * 2. Shell command (via inputPullCommand, legacy approach)
     *
     * The secretSource input takes precedence if set. It supports:
     * - Premade names: 'aws-secrets-manager', 'aws-parameter-store', 'gcp-secret-manager', 'azure-key-vault', 'env'
     * - Custom commands: any string containing {0} placeholder
     * - YAML file path: a path ending in .yml or .yaml containing custom source definitions
     */
    static async PopulateQueryOverrideInput() {
        const queries = orchestrator_options_1.default.pullInputList;
        OrchestratorQueryOverride.queryOverrides = {};
        const secretSource = orchestrator_options_1.default.secretSource;
        // Use SecretSourceService if secretSource is configured
        if (secretSource) {
            orchestrator_logger_1.default.log(`Using secret source: ${secretSource}`);
            // YAML file: load definitions and use the first source
            if (secretSource.endsWith('.yml') || secretSource.endsWith('.yaml')) {
                const definitions = secret_source_service_1.SecretSourceService.loadFromYaml(secretSource);
                if (definitions.length > 0) {
                    orchestrator_logger_1.default.log(`Loaded ${definitions.length} secret source(s) from ${secretSource}`);
                    for (const key of queries) {
                        OrchestratorQueryOverride.queryOverrides[key] = await secret_source_service_1.SecretSourceService.fetchSecret(definitions[0], key);
                    }
                }
                return;
            }
            // Premade or custom command source
            const results = await secret_source_service_1.SecretSourceService.fetchAll(secretSource, queries);
            Object.assign(OrchestratorQueryOverride.queryOverrides, results);
            return;
        }
        // Legacy: use inputPullCommand if set
        for (const element of queries) {
            if (OrchestratorQueryOverride.shouldUseOverride(element)) {
                OrchestratorQueryOverride.queryOverrides[element] = await OrchestratorQueryOverride.queryOverride(element);
@@ -9692,7 +9700,7 @@ exports.ContainerHookService = ContainerHookService;
 /***/ }),
-/***/ 37347:
+/***/ 79089:
 /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
 "use strict";
@@ -9724,499 +9732,297 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.BuildReliabilityService = void 0;
+exports.SecretSourceService = exports.validateSecretKey = void 0;
 const node_child_process_1 = __nccwpck_require__(17718);
 const node_fs_1 = __importDefault(__nccwpck_require__(87561));
 const node_path_1 = __importDefault(__nccwpck_require__(49411));
 const core = __importStar(__nccwpck_require__(42186));
 const orchestrator_logger_1 = __importDefault(__nccwpck_require__(32549));
 const orchestrator_system_1 = __nccwpck_require__(9744);
 /**
- * Build reliability features for hardening CI pipelines.
+ * Validate that a secret key name contains only safe characters.
- * Provides git integrity checks, stale lock cleanup, submodule validation,
+ * Prevents shell injection when keys are interpolated into commands.
- * reserved filename removal, build archival, and git environment configuration.
+ *
- * All features are opt-in and fail gracefully (warnings only).
+ * Allowed characters: alphanumeric, hyphens, underscores, dots, forward slashes.
 *
 * @param key - The secret key name to validate
 * @returns The validated key (unchanged)
 * @throws Error if the key contains disallowed characters
 */
-class BuildReliabilityService {
+function validateSecretKey(key) {
-    /**
+    if (!/^[a-zA-Z0-9\-_./]+$/.test(key)) {
-     * Run git fsck to check repository integrity.
+        throw new Error(`Invalid secret key name: "${key}". Keys may only contain alphanumeric characters, hyphens, underscores, dots, and forward slashes.`);
     * Returns true if the repo is healthy, false if corruption detected.
     */
    static checkGitIntegrity(repoPath = '.') {
        core.info(`[Reliability] Checking git integrity in ${repoPath}`);
        try {
            const output = (0, node_child_process_1.execSync)(`git -C "${repoPath}" fsck --no-dangling`, {
                encoding: 'utf8',
                timeout: 120000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            // Parse output for corruption indicators
            const corruptionPatterns = [
                /broken link/i,
                /missing (blob|tree|commit|tag)/i,
                /dangling/i,
                /corrupt/i,
                /error in /i,
            ];
            for (const pattern of corruptionPatterns) {
                if (pattern.test(output)) {
                    core.warning(`[Reliability] Git integrity check found issues: ${output.trim()}`);
                    return false;
                }
            }
            core.info('[Reliability] Git integrity check passed');
            return true;
        }
        catch (error) {
            // execSync throws on non-zero exit code
            const stderr = error.stderr?.toString() ?? error.message;
            core.warning(`[Reliability] Git integrity check failed: ${stderr}`);
            return false;
        }
    }
-    /**
+    return key;
-     * Remove stale .lock files from the .git directory.
+}
-     * Only removes lock files older than 10 minutes to avoid interfering with active operations.
+exports.validateSecretKey = validateSecretKey;
-     * Returns the number of lock files removed.
+/**
-     */
+ * Mask a secret value so it does not appear in GitHub Actions logs.
-    static cleanStaleLockFiles(repoPath = '.') {
+ * Empty or whitespace-only values are skipped (core.setSecret would be a no-op).
-        const gitDir = node_path_1.default.join(repoPath, '.git');
+ */
-        if (!node_fs_1.default.existsSync(gitDir) || !node_fs_1.default.statSync(gitDir).isDirectory()) {
+function maskSecretValue(value) {
-            return 0;
+    if (value.trim().length > 0) {
-        }
+        core.setSecret(value);
        core.info(`[Reliability] Scanning for stale lock files in ${gitDir}`);
        const now = Date.now();
        let removed = 0;
        const cleanDirectory = (directory) => {
            if (!node_fs_1.default.existsSync(directory))
                return;
            try {
                const entries = node_fs_1.default.readdirSync(directory, { withFileTypes: true });
                for (const entry of entries) {
                    const fullPath = node_path_1.default.join(directory, entry.name);
                    if (entry.isDirectory()) {
                        cleanDirectory(fullPath);
                    }
                    else if (entry.name.endsWith('.lock')) {
                        // Check if it is a known lock file location OR under refs/
                        const relativePath = node_path_1.default.relative(gitDir, fullPath);
                        const isKnownLock = BuildReliabilityService.LOCK_FILE_NAMES.has(entry.name);
                        const isRefsLock = relativePath.startsWith('refs' + node_path_1.default.sep);
                        if (isKnownLock || isRefsLock) {
                            try {
                                const stat = node_fs_1.default.statSync(fullPath);
                                const ageMs = now - stat.mtimeMs;
                                if (ageMs > BuildReliabilityService.LOCK_FILE_MAX_AGE_MS) {
                                    node_fs_1.default.unlinkSync(fullPath);
                                    removed++;
                                    core.info(`[Reliability] Removed stale lock file (age: ${Math.round(ageMs / 1000)}s): ${relativePath}`);
                                }
                                else {
                                    core.info(`[Reliability] Lock file is recent (age: ${Math.round(ageMs / 1000)}s), skipping: ${relativePath}`);
                                }
                            }
                            catch {
                                core.warning(`[Reliability] Could not remove lock file: ${fullPath}`);
                            }
                        }
                    }
                }
            }
            catch {
                // Directory not accessible
            }
        };
        cleanDirectory(gitDir);
        if (removed > 0) {
            core.info(`[Reliability] Cleaned ${removed} stale lock file(s)`);
        }
        else {
            core.info('[Reliability] No stale lock files found');
        }
        return removed;
    }
    /**
     * Validate that submodule .git files point to existing backing stores
     * under .git/modules/. Returns list of submodule paths with broken backing stores.
     */
    static validateSubmoduleBackingStores(repoPath = '.') {
        const broken = [];
        const gitmodulesPath = node_path_1.default.join(repoPath, '.gitmodules');
        if (!node_fs_1.default.existsSync(gitmodulesPath)) {
            core.info('[Reliability] No .gitmodules found, skipping submodule validation');
            return broken;
        }
        core.info(`[Reliability] Validating submodule backing stores in ${repoPath}`);
        try {
            const content = node_fs_1.default.readFileSync(gitmodulesPath, 'utf8');
            const pathMatches = content.matchAll(/path\s*=\s*(.+)/g);
            for (const match of pathMatches) {
                const submodulePath = match[1].trim();
                const gitFile = node_path_1.default.join(repoPath, submodulePath, '.git');
                if (!node_fs_1.default.existsSync(gitFile)) {
                    // Submodule not initialized -- not necessarily broken
                    continue;
                }
                try {
                    const stat = node_fs_1.default.statSync(gitFile);
                    if (stat.isFile()) {
                        // .git is a file -- should contain "gitdir: <path>"
                        const gitFileContent = node_fs_1.default.readFileSync(gitFile, 'utf8').trim();
                        const gitdirMatch = gitFileContent.match(/^gitdir:\s*(.+)$/);
                        if (gitdirMatch) {
                            const backingStore = node_path_1.default.resolve(node_path_1.default.join(repoPath, submodulePath), gitdirMatch[1]);
                            if (!node_fs_1.default.existsSync(backingStore)) {
                                broken.push(submodulePath);
                                core.warning(`[Reliability] Submodule ${submodulePath} has broken backing store: ${backingStore}`);
                            }
                            else {
                                core.info(`[Reliability] Submodule ${submodulePath} backing store OK`);
                            }
                        }
                        else {
                            broken.push(submodulePath);
                            core.warning(`[Reliability] Submodule ${submodulePath} .git file has invalid format`);
                        }
                    }
                }
                catch {
                    // Can't read .git file
                    core.warning(`[Reliability] Could not read .git file for submodule: ${submodulePath}`);
                }
            }
        }
        catch (error) {
            core.warning(`[Reliability] Could not read .gitmodules: ${error.message}`);
        }
        if (broken.length > 0) {
            core.warning(`[Reliability] ${broken.length} submodule(s) have broken backing stores`);
        }
        else {
            core.info('[Reliability] All submodule backing stores are valid');
        }
        return broken;
    }
    /**
     * Orchestrate recovery of a corrupted repository.
     * Sequence: fsck -> clean locks -> re-fetch -> retry fsck.
     * Returns true if recovery succeeded.
     */
    static recoverCorruptedRepo(repoPath = '.') {
        core.warning(`[Reliability] Attempting automatic recovery for ${repoPath}`);
        // Step 1: Clean stale lock files that may be preventing operations
        const locksRemoved = BuildReliabilityService.cleanStaleLockFiles(repoPath);
        if (locksRemoved > 0) {
            core.info(`[Reliability] Recovery: cleaned ${locksRemoved} lock file(s)`);
        }
        // Step 2: Re-fetch to restore missing objects
        try {
            core.info('[Reliability] Recovery: re-fetching from remote');
            (0, node_child_process_1.execSync)(`git -C "${repoPath}" fetch --all`, {
                encoding: 'utf8',
                timeout: 300000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            core.info('[Reliability] Recovery: fetch completed');
        }
        catch (error) {
            core.warning(`[Reliability] Recovery: fetch failed: ${error.stderr?.toString() ?? error.message}`);
        }
        // Step 3: Retry fsck
        const healthy = BuildReliabilityService.checkGitIntegrity(repoPath);
        if (healthy) {
            core.info('[Reliability] Recovery succeeded -- repository is healthy');
        }
        else {
            core.warning('[Reliability] Recovery failed -- repository still has integrity issues');
        }
        return healthy;
    }
    /**
     * Scan a directory tree for files/directories with Windows reserved names.
     * These names (con, prn, aux, nul, com1-9, lpt1-9) with any extension
     * cause Unity asset importer infinite loops on Windows.
     * Returns list of paths that were removed.
     */
    static cleanReservedFilenames(projectPath) {
        const assetsPath = node_path_1.default.join(projectPath, 'Assets');
        if (!node_fs_1.default.existsSync(assetsPath)) {
            core.info(`[Reliability] No Assets directory found at ${assetsPath}, skipping reserved filename scan`);
            return [];
        }
        core.info(`[Reliability] Scanning for reserved filenames in ${assetsPath}`);
        const cleaned = [];
        const scanDirectory = (directory) => {
            try {
                const entries = node_fs_1.default.readdirSync(directory, { withFileTypes: true });
                for (const entry of entries) {
                    const nameWithoutExtension = entry.name.split('.')[0].toLowerCase();
                    const fullPath = node_path_1.default.join(directory, entry.name);
                    if (BuildReliabilityService.RESERVED_NAMES.has(nameWithoutExtension)) {
                        try {
                            if (entry.isDirectory()) {
                                node_fs_1.default.rmSync(fullPath, { recursive: true, force: true });
                            }
                            else {
                                node_fs_1.default.unlinkSync(fullPath);
                            }
                            cleaned.push(fullPath);
                            core.warning(`[Reliability] Removed reserved filename: ${fullPath}`);
                        }
                        catch {
                            core.warning(`[Reliability] Could not remove reserved filename: ${fullPath}`);
                        }
                    }
                    else if (entry.isDirectory()) {
                        scanDirectory(fullPath);
                    }
                }
            }
            catch {
                // Directory not accessible
            }
        };
        scanDirectory(assetsPath);
        if (cleaned.length > 0) {
            core.warning(`[Reliability] Cleaned ${cleaned.length} reserved filename(s)`);
        }
        else {
            core.info('[Reliability] No reserved filenames found');
        }
        return cleaned;
    }
    /**
     * Get available disk space in megabytes for a given directory.
     * Returns -1 if the check fails (unknown space).
     *
     * Cross-platform: uses wmic on Windows, df on Unix.
     */
    static getAvailableSpaceMB(directoryPath) {
        try {
            if (process.platform === 'win32') {
                const drive = node_path_1.default.parse(directoryPath).root;
                const driveLetter = drive.replace(/[:\\\/]/g, '');
                const output = (0, node_child_process_1.execFileSync)('wmic', ['logicaldisk', 'where', `DeviceID='${driveLetter}:'`, 'get', 'FreeSpace', '/value'], { encoding: 'utf8', timeout: 10000 });
                const match = output.match(/FreeSpace=(\d+)/);
                return match ? Number.parseInt(match[1], 10) / (1024 * 1024) : -1;
            }
            else {
                const output = (0, node_child_process_1.execFileSync)('df', ['-BM', '--output=avail', directoryPath], {
                    encoding: 'utf8',
                    timeout: 10000,
                });
                const lines = output.trim().split('\n');
                return Number.parseInt(lines[lines.length - 1], 10);
            }
        }
        catch {
            return -1; // Unknown, caller should proceed with warning
        }
    }
    /**
     * Calculate the total size of a directory in megabytes.
     * Returns -1 if the calculation fails.
     */
    static getDirectorySizeMB(directoryPath) {
        try {
            const stat = node_fs_1.default.statSync(directoryPath);
            if (!stat.isDirectory()) {
                return stat.size / (1024 * 1024);
            }
            let totalBytes = 0;
            const walkDirectory = (dir) => {
                const entries = node_fs_1.default.readdirSync(dir, { withFileTypes: true });
                for (const entry of entries) {
                    const fullPath = node_path_1.default.join(dir, entry.name);
                    if (entry.isDirectory()) {
                        walkDirectory(fullPath);
                    }
                    else {
                        try {
                            totalBytes += node_fs_1.default.statSync(fullPath).size;
                        }
                        catch {
                            // Skip inaccessible files
                        }
                    }
                }
            };
            walkDirectory(directoryPath);
            return totalBytes / (1024 * 1024);
        }
        catch {
            return -1;
        }
    }
    /**
     * Create a tar.gz archive of build output.
     *
     * Validates disk space before archiving. Skips archival with a warning
     * if insufficient space is detected, preventing partial writes on full disks.
     */
    static archiveBuildOutput(sourcePath, archivePath) {
        if (!node_fs_1.default.existsSync(sourcePath)) {
            core.info(`[Reliability] No build output to archive at ${sourcePath}`);
            return;
        }
        node_fs_1.default.mkdirSync(archivePath, { recursive: true });
        // Check available disk space before archiving
        const sourceSizeMB = BuildReliabilityService.getDirectorySizeMB(sourcePath);
        const availableSpaceMB = BuildReliabilityService.getAvailableSpaceMB(archivePath);
        if (sourceSizeMB >= 0 && availableSpaceMB >= 0) {
            const neededMB = Math.ceil(sourceSizeMB * 1.1); // 10% safety margin
            if (availableSpaceMB < neededMB) {
                core.warning(`[Reliability] Insufficient disk space for archive. ` +
                    `Need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB. Skipping archive.`);
                return;
            }
            core.info(`[Reliability] Disk space check passed: need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB`);
        }
        else if (availableSpaceMB < 0) {
            core.warning('[Reliability] Could not determine available disk space. Proceeding with archive cautiously.');
        }
        const timestamp = new Date().toISOString().replace(/[.:]/g, '-');
        const archiveFile = node_path_1.default.join(archivePath, `build-${timestamp}.tar.gz`);
        try {
            (0, node_child_process_1.execSync)(`tar -czf "${archiveFile}" -C "${node_path_1.default.dirname(sourcePath)}" "${node_path_1.default.basename(sourcePath)}"`, {
                encoding: 'utf8',
                timeout: 600000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            core.info(`[Reliability] Build output archived to ${archiveFile}`);
        }
        catch (error) {
            core.warning(`[Reliability] Failed to archive build output: ${error.stderr?.toString() ?? error.message}`);
            // Clean up partial archive if it exists to avoid leaving corrupted files
            try {
                if (node_fs_1.default.existsSync(archiveFile)) {
                    node_fs_1.default.unlinkSync(archiveFile);
                    core.info(`[Reliability] Cleaned up partial archive: ${archiveFile}`);
                }
            }
            catch {
                // Best-effort cleanup
            }
        }
    }
    /**
     * Enforce retention policy -- delete archives older than the retention period.
     * Returns the number of old archives removed.
     */
    static enforceRetention(archivePath, retentionDays) {
        if (!node_fs_1.default.existsSync(archivePath)) {
            return 0;
        }
        const now = Date.now();
        const retentionMs = retentionDays * 24 * 60 * 60 * 1000;
        let removed = 0;
        try {
            const entries = node_fs_1.default.readdirSync(archivePath, { withFileTypes: true });
            for (const entry of entries) {
                const fullPath = node_path_1.default.join(archivePath, entry.name);
                try {
                    const stat = node_fs_1.default.statSync(fullPath);
                    const ageMs = now - stat.mtimeMs;
                    if (ageMs > retentionMs) {
                        if (entry.isDirectory()) {
                            node_fs_1.default.rmSync(fullPath, { recursive: true, force: true });
                        }
                        else {
                            node_fs_1.default.unlinkSync(fullPath);
                        }
                        removed++;
                        core.info(`[Reliability] Removed old archive: ${entry.name} (age: ${Math.round(ageMs / (24 * 60 * 60 * 1000))} days)`);
                    }
                }
                catch {
                    core.warning(`[Reliability] Could not process archive entry: ${fullPath}`);
                }
            }
        }
        catch {
            core.warning(`[Reliability] Could not read archive directory: ${archivePath}`);
            return 0;
        }
        if (removed > 0) {
            core.info(`[Reliability] Retention enforced: removed ${removed} old archive(s), retention: ${retentionDays} days`);
        }
        return removed;
    }
    /**
     * Configure git environment variables for CI reliability.
     * Sets GIT_TERMINAL_PROMPT=0, increases http.postBuffer, enables core.longpaths.
     */
    static configureGitEnvironment() {
        core.info('[Reliability] Configuring git environment for CI');
        // Prevent git from prompting for credentials (hangs in CI)
        process.env.GIT_TERMINAL_PROMPT = '0';
        core.info('[Reliability] Set GIT_TERMINAL_PROMPT=0');
        try {
            // Increase http.postBuffer to 500MB for large pushes
            (0, node_child_process_1.execSync)('git config --global http.postBuffer 524288000', {
                encoding: 'utf8',
                timeout: 10000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            core.info('[Reliability] Set http.postBuffer=524288000 (500MB)');
        }
        catch (error) {
            core.warning(`[Reliability] Could not set http.postBuffer: ${error.message}`);
        }
        try {
            // Enable long paths on Windows
            (0, node_child_process_1.execSync)('git config --global core.longpaths true', {
                encoding: 'utf8',
                timeout: 10000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            core.info('[Reliability] Set core.longpaths=true');
        }
        catch (error) {
            core.warning(`[Reliability] Could not set core.longpaths: ${error.message}`);
        }
    }
 }
-exports.BuildReliabilityService = BuildReliabilityService;
+/**
-// Windows reserved device names that cause Unity asset importer infinite loops
+ * Premade secret sources and custom YAML-based secret source definitions.
-BuildReliabilityService.RESERVED_NAMES = new Set([
+ *
-    'con',
+ * Premade sources are string shortcuts that expand to shell commands:
-    'prn',
+ *   - `aws-secrets-manager` -- AWS Secrets Manager
-    'aux',
+ *   - `aws-parameter-store` -- AWS Systems Manager Parameter Store
-    'nul',
+ *   - `gcp-secret-manager` -- Google Cloud Secret Manager
-    'com1',
+ *   - `azure-key-vault` -- Azure Key Vault (requires AZURE_VAULT_NAME env var)
-    'com2',
+ *   - `hashicorp-vault` -- HashiCorp Vault KV v2 (requires VAULT_ADDR, optionally VAULT_MOUNT)
-    'com3',
+ *   - `hashicorp-vault-kv1` -- HashiCorp Vault KV v1 (requires VAULT_ADDR, optionally VAULT_MOUNT)
-    'com4',
+ *   - `env` -- Read from environment variables (no shell command needed)
-    'com5',
+ *
-    'com6',
+ * Custom YAML format:
-    'com7',
+ *   sources:
-    'com8',
+ *     - name: my-vault
-    'com9',
+ *       command: 'vault kv get -field=value secret/{0}'
-    'lpt1',
+ *     - name: my-api
-    'lpt2',
+ *       command: 'curl -s https://secrets.example.com/api/{0}'
-    'lpt3',
+ *       parseOutput: json-field
-    'lpt4',
+ *       jsonField: value
-    'lpt5',
+ */
-    'lpt6',
+class SecretSourceService {
-    'lpt7',
+    /**
-    'lpt8',
+     * Check if a source name is a known premade source.
-    'lpt9',
+     */
-]);
+    static isPremadeSource(sourceName) {
-// Lock files to look for in the .git directory
+        return sourceName in SecretSourceService.premadeSources;
-BuildReliabilityService.LOCK_FILE_NAMES = new Set(['index.lock', 'shallow.lock', 'config.lock', 'HEAD.lock']);
+    }
-// Maximum age in milliseconds before a lock file is considered stale (10 minutes)
+    /**
-BuildReliabilityService.LOCK_FILE_MAX_AGE_MS = 10 * 60 * 1000;
+     * Get the list of available premade source names.
-
+     */
-
+    static getAvailableSources() {
-/***/ }),
+        return Object.keys(SecretSourceService.premadeSources);
-
+    }
-/***/ 9842:
+    /**
-/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
+     * Resolve a source name to a SecretSourceDefinition.
-
+     *
-"use strict";
+     * - If the name matches a premade source, returns that definition.
-
+     * - If it looks like a shell command (contains spaces or {0}), wraps it as a custom command.
-Object.defineProperty(exports, "__esModule", ({ value: true }));
+     * - Otherwise, returns undefined.
-exports.BuildReliabilityService = void 0;
+     */
-var build_reliability_service_1 = __nccwpck_require__(37347);
+    static resolveSource(sourceName) {
-Object.defineProperty(exports, "BuildReliabilityService", ({ enumerable: true, get: function () { return build_reliability_service_1.BuildReliabilityService; } }));
+        // Check premade sources
        if (SecretSourceService.isPremadeSource(sourceName)) {
            return SecretSourceService.premadeSources[sourceName];
        }
        // If it contains a placeholder or spaces, treat it as a raw command
        if (sourceName.includes('{0}') || sourceName.includes(' ')) {
            return {
                name: 'custom-command',
                command: sourceName,
                parseOutput: 'raw',
            };
        }
        return undefined;
    }
    /**
     * Load custom secret source definitions from a YAML file.
     *
     * Expected format:
     *   sources:
     *     - name: my-source
     *       command: 'my-tool get-secret {0}'
     *     - name: my-api
     *       command: 'curl -s https://api.example.com/secrets/{0}'
     *       parseOutput: json-field
     *       jsonField: value
     */
    static loadFromYaml(filePath) {
        if (!node_fs_1.default.existsSync(filePath)) {
            orchestrator_logger_1.default.logWarning(`Secret source YAML not found: ${filePath}`);
            return [];
        }
        try {
            const content = node_fs_1.default.readFileSync(filePath, 'utf8');
            const parsed = SecretSourceService.parseSimpleYaml(content);
            return parsed;
        }
        catch (error) {
            orchestrator_logger_1.default.logWarning(`Failed to parse secret source YAML: ${error.message}`);
            return [];
        }
    }
    /**
     * Fetch a secret value using the given source definition.
     *
     * Validates the key against an allowlist pattern before interpolating it
     * into the command string to prevent shell injection. The fetched secret
     * value is masked via core.setSecret() so it does not leak in logs.
     *
     * @param source - The secret source definition to use
     * @param key - The secret key to fetch
     * @returns The secret value, or empty string on failure
     */
    static async fetchSecret(source, key) {
        // Validate the key to prevent shell injection
        validateSecretKey(key);
        const command = source.command.replace(/\{0\}/g, key);
        try {
            const output = await orchestrator_system_1.OrchestratorSystem.Run(command, false, true);
            let value;
            if (source.parseOutput === 'json-field' && source.jsonField) {
                try {
                    const parsed = JSON.parse(output);
                    value = parsed[source.jsonField] || '';
                }
                catch {
                    orchestrator_logger_1.default.logWarning(`Failed to parse JSON output from ${source.name} for key ${key}`);
                    value = output.trim();
                }
            }
            else {
                value = output.trim();
            }
            // Mask the secret value so it does not appear in GitHub Actions logs
            maskSecretValue(value);
            return value;
        }
        catch (error) {
            orchestrator_logger_1.default.logWarning(`Failed to fetch secret '${key}' from ${source.name}: ${error.message}`);
            return '';
        }
    }
    /**
     * Fetch a secret from an environment variable. No shell command needed.
     * The value is masked via core.setSecret() so it does not leak in logs.
     */
    static fetchFromEnv(key) {
        const value = process.env[key] || '';
        maskSecretValue(value);
        return value;
    }
    /**
     * Resolve a source name and fetch all secrets from it.
     *
     * @param sourceName - Premade source name, shell command, or 'env'
     * @param keys - List of secret keys to fetch
     * @returns Map of key -> value
     */
    static async fetchAll(sourceName, keys) {
        const results = {};
        if (sourceName === 'env') {
            for (const key of keys) {
                results[key] = SecretSourceService.fetchFromEnv(key);
            }
            return results;
        }
        const source = SecretSourceService.resolveSource(sourceName);
        if (!source) {
            orchestrator_logger_1.default.logWarning(`Unknown secret source '${sourceName}'. Available sources: ${SecretSourceService.getAvailableSources().join(', ')}`);
            return results;
        }
        orchestrator_logger_1.default.log(`Fetching ${keys.length} secret(s) from ${source.name}`);
        for (const key of keys) {
            results[key] = await SecretSourceService.fetchSecret(source, key);
        }
        return results;
    }
    /**
     * Simple YAML parser for secret source definitions.
     * Handles the specific structure we expect without requiring a YAML library.
     */
    static parseSimpleYaml(content) {
        const definitions = [];
        const lines = content.split('\n');
        let current = null;
        for (const rawLine of lines) {
            const line = rawLine.replace(/\r$/, '');
            const trimmed = line.trim();
            if (trimmed === '' || trimmed.startsWith('#'))
                continue;
            if (trimmed === '- name:' || trimmed.startsWith('- name:')) {
                if (current?.name && current?.command) {
                    definitions.push(current);
                }
                current = {
                    name: trimmed
                        .replace('- name:', '')
                        .trim()
                        .replace(/^['"]|['"]$/g, ''),
                    parseOutput: 'raw',
                };
                continue;
            }
            if (current && trimmed.startsWith('command:')) {
                current.command = trimmed
                    .replace('command:', '')
                    .trim()
                    .replace(/^['"]|['"]$/g, '');
            }
            else if (current && trimmed.startsWith('parseOutput:')) {
                const value = trimmed
                    .replace('parseOutput:', '')
                    .trim()
                    .replace(/^['"]|['"]$/g, '');
                current.parseOutput = value;
            }
            else if (current && trimmed.startsWith('jsonField:')) {
                current.jsonField = trimmed
                    .replace('jsonField:', '')
                    .trim()
                    .replace(/^['"]|['"]$/g, '');
            }
        }
        if (current?.name && current?.command) {
            definitions.push(current);
        }
        return definitions;
    }
 }
 exports.SecretSourceService = SecretSourceService;
 SecretSourceService.premadeSources = {
    'aws-secrets-manager': {
        name: 'aws-secrets-manager',
        command: 'aws secretsmanager get-secret-value --secret-id {0} --query SecretString --output text',
        parseOutput: 'raw',
    },
    'aws-secret-manager': {
        // Alias for backward compatibility (original name in inputPullCommand)
        name: 'aws-secret-manager',
        command: 'aws secretsmanager get-secret-value --secret-id {0} --query SecretString --output text',
        parseOutput: 'raw',
    },
    'aws-parameter-store': {
        name: 'aws-parameter-store',
        command: 'aws ssm get-parameter --name {0} --with-decryption --query Parameter.Value --output text',
        parseOutput: 'raw',
    },
    'gcp-secret-manager': {
        name: 'gcp-secret-manager',
        command: 'gcloud secrets versions access latest --secret="{0}"',
        parseOutput: 'raw',
    },
    'azure-key-vault': {
        name: 'azure-key-vault',
        command: 'az keyvault secret show --vault-name "$AZURE_VAULT_NAME" --name {0} --query value --output tsv',
        parseOutput: 'raw',
    },
    'hashicorp-vault': {
        // HashiCorp Vault KV v2 (default). Requires VAULT_ADDR env var.
        // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
        // Authentication is handled by VAULT_TOKEN or other Vault auth env vars.
        name: 'hashicorp-vault',
        command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
        parseOutput: 'raw',
    },
    'hashicorp-vault-kv1': {
        // HashiCorp Vault KV v1. Requires VAULT_ADDR env var.
        // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
        name: 'hashicorp-vault-kv1',
        command: 'vault read -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
        parseOutput: 'raw',
    },
    vault: {
        // Short alias for hashicorp-vault (KV v2)
        name: 'vault',
        command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
        parseOutput: 'raw',
    },
 };
 /***/ }),
@@ -3,7 +3,6 @@ import { Action, BuildParameters, Cache, Orchestrator, Docker, ImageTag, Output
 import { Cli } from './model/cli/cli';
 import MacBuilder from './model/mac-builder';
 import PlatformSetup from './model/platform-setup';
 import { BuildReliabilityService } from './model/orchestrator/services/reliability';
 async function runMain() {
  try {
@@ -15,38 +14,11 @@ async function runMain() {
    Action.checkCompatibility();
    Cache.verify();
    // Always configure git environment for CI reliability
    BuildReliabilityService.configureGitEnvironment();
    const { workspace, actionFolder } = Action;
    const buildParameters = await BuildParameters.create();
    const baseImage = new ImageTag(buildParameters);
    // Pre-build reliability checks
    if (buildParameters.gitIntegrityCheck) {
      core.info('Running git integrity checks...');
      const isHealthy = BuildReliabilityService.checkGitIntegrity(workspace);
      BuildReliabilityService.cleanStaleLockFiles(workspace);
      BuildReliabilityService.validateSubmoduleBackingStores(workspace);
      if (buildParameters.cleanReservedFilenames) {
        BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
      }
      if (!isHealthy && buildParameters.gitAutoRecover) {
        core.info('Git corruption detected, attempting automatic recovery...');
        const recovered = BuildReliabilityService.recoverCorruptedRepo(workspace);
        if (!recovered) {
          core.warning('Automatic recovery failed. Build may encounter issues.');
        }
      }
    } else if (buildParameters.cleanReservedFilenames) {
      // cleanReservedFilenames can run independently of gitIntegrityCheck
      BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
    }
    let exitCode = -1;
    if (buildParameters.providerStrategy === 'local') {
@@ -65,13 +37,6 @@ async function runMain() {
      exitCode = 0;
    }
    // Post-build: archive and enforce retention
    if (buildParameters.buildArchiveEnabled && exitCode === 0) {
      core.info('Archiving build output...');
      BuildReliabilityService.archiveBuildOutput(buildParameters.buildPath, buildParameters.buildArchivePath);
      BuildReliabilityService.enforceRetention(buildParameters.buildArchivePath, buildParameters.buildArchiveRetention);
    }
    // Set output
    await Output.setBuildVersion(buildParameters.buildVersion);
    await Output.setAndroidVersionCode(buildParameters.androidVersionCode);
@@ -106,12 +106,6 @@ class BuildParameters {
  public cacheUnityInstallationOnMac!: boolean;
  public unityHubVersionOnMac!: string;
  public dockerWorkspacePath!: string;
  public gitIntegrityCheck!: boolean;
  public gitAutoRecover!: boolean;
  public cleanReservedFilenames!: boolean;
  public buildArchiveEnabled!: boolean;
  public buildArchivePath!: string;
  public buildArchiveRetention!: number;
  public static shouldUseRetainedWorkspaceMode(buildParameters: BuildParameters) {
    return buildParameters.maxRetainedWorkspaces > 0 && Orchestrator.lockedWorkspace !== ``;
@@ -248,12 +242,6 @@ class BuildParameters {
      cacheUnityInstallationOnMac: Input.cacheUnityInstallationOnMac,
      unityHubVersionOnMac: Input.unityHubVersionOnMac,
      dockerWorkspacePath: Input.dockerWorkspacePath,
      gitIntegrityCheck: Input.gitIntegrityCheck,
      gitAutoRecover: Input.gitAutoRecover,
      cleanReservedFilenames: Input.cleanReservedFilenames,
      buildArchiveEnabled: Input.buildArchiveEnabled,
      buildArchivePath: Input.buildArchivePath,
      buildArchiveRetention: Input.buildArchiveRetention,
    };
  }
@@ -282,38 +282,6 @@ class Input {
    return Input.getInput('skipActivation')?.toLowerCase() ?? 'false';
  }
  static get gitIntegrityCheck(): boolean {
    const input = Input.getInput('gitIntegrityCheck') ?? 'false';
    return input === 'true';
  }
  static get gitAutoRecover(): boolean {
    const input = Input.getInput('gitAutoRecover') ?? 'false';
    return input === 'true';
  }
  static get cleanReservedFilenames(): boolean {
    const input = Input.getInput('cleanReservedFilenames') ?? 'false';
    return input === 'true';
  }
  static get buildArchiveEnabled(): boolean {
    const input = Input.getInput('buildArchiveEnabled') ?? 'false';
    return input === 'true';
  }
  static get buildArchivePath(): string {
    return Input.getInput('buildArchivePath') ?? './build-archives';
  }
  static get buildArchiveRetention(): number {
    return Number.parseInt(Input.getInput('buildArchiveRetention') ?? '30', 10);
  }
  public static ToEnvVarFormat(input: string) {
    if (input.toUpperCase() === input) {
      return input;
@@ -190,6 +190,10 @@ class OrchestratorOptions {
    return OrchestratorOptions.getInput('pullInputList')?.split(`,`) || [];
  }
  static get secretSource(): string {
    return OrchestratorOptions.getInput('secretSource') || '';
  }
  static get inputPullCommand(): string {
    const value = OrchestratorOptions.getInput('inputPullCommand');
@@ -1,6 +1,9 @@
 import * as core from '@actions/core';
 import Input from '../../input';
 import { GenericInputReader } from '../../input-readers/generic-input-reader';
 import OrchestratorOptions from './orchestrator-options';
 import { SecretSourceService, validateSecretKey } from '../services/secrets/secret-source-service';
 import OrchestratorLogger from '../services/core/orchestrator-logger';
 const formatFunction = (value: string, arguments_: any[]) => {
  for (const element of arguments_) {
@@ -13,8 +16,6 @@ const formatFunction = (value: string, arguments_: any[]) => {
 class OrchestratorQueryOverride {
  static queryOverrides: { [key: string]: string } | undefined;
  // TODO accept premade secret sources or custom secret source definition yamls
  public static query(key: string, alternativeKey: string) {
    if (OrchestratorQueryOverride.queryOverrides && OrchestratorQueryOverride.queryOverrides[key] !== undefined) {
      return OrchestratorQueryOverride.queryOverrides[key];
@@ -49,14 +50,62 @@ class OrchestratorQueryOverride {
      throw new Error(`Should not be trying to run override query on ${query}`);
    }
-    return await GenericInputReader.Run(
+    // Validate the query key before interpolating it into a shell command
    validateSecretKey(query);
    const result = await GenericInputReader.Run(
      formatFunction(OrchestratorOptions.inputPullCommand, [{ key: 0, value: query }]),
    );
    // Mask the fetched secret value so it does not appear in GitHub Actions logs
    if (result && result.trim().length > 0) {
      core.setSecret(result);
    }
    return result;
  }
  /**
   * Populate query overrides using either:
   * 1. Premade/custom secret sources (via secretSource input), or
   * 2. Shell command (via inputPullCommand, legacy approach)
   *
   * The secretSource input takes precedence if set. It supports:
   * - Premade names: 'aws-secrets-manager', 'aws-parameter-store', 'gcp-secret-manager', 'azure-key-vault', 'env'
   * - Custom commands: any string containing {0} placeholder
   * - YAML file path: a path ending in .yml or .yaml containing custom source definitions
   */
  public static async PopulateQueryOverrideInput() {
    const queries = OrchestratorOptions.pullInputList;
    OrchestratorQueryOverride.queryOverrides = {};
    const secretSource = OrchestratorOptions.secretSource;
    // Use SecretSourceService if secretSource is configured
    if (secretSource) {
      OrchestratorLogger.log(`Using secret source: ${secretSource}`);
      // YAML file: load definitions and use the first source
      if (secretSource.endsWith('.yml') || secretSource.endsWith('.yaml')) {
        const definitions = SecretSourceService.loadFromYaml(secretSource);
        if (definitions.length > 0) {
          OrchestratorLogger.log(`Loaded ${definitions.length} secret source(s) from ${secretSource}`);
          for (const key of queries) {
            OrchestratorQueryOverride.queryOverrides[key] = await SecretSourceService.fetchSecret(definitions[0], key);
          }
        }
        return;
      }
      // Premade or custom command source
      const results = await SecretSourceService.fetchAll(secretSource, queries);
      Object.assign(OrchestratorQueryOverride.queryOverrides, results);
      return;
    }
    // Legacy: use inputPullCommand if set
    for (const element of queries) {
      if (OrchestratorQueryOverride.shouldUseOverride(element)) {
        OrchestratorQueryOverride.queryOverrides[element] = await OrchestratorQueryOverride.queryOverride(element);
@@ -1,638 +0,0 @@
 import { execSync, execFileSync } from 'node:child_process';
 import fs from 'node:fs';
 import path from 'node:path';
 import { BuildReliabilityService } from './build-reliability-service';
 // Mock dependencies
 jest.mock('node:child_process');
 jest.mock('node:fs');
 jest.mock('@actions/core', () => ({
  info: jest.fn(),
  warning: jest.fn(),
 }));
 const mockExecSync = execSync as jest.MockedFunction<typeof execSync>;
 const mockExecFileSync = execFileSync as jest.MockedFunction<typeof execFileSync>;
 const mockFs = fs as jest.Mocked<typeof fs>;
 describe('BuildReliabilityService', () => {
  beforeEach(() => {
    jest.clearAllMocks();
  });
  // =========================================================================
  // checkGitIntegrity
  // =========================================================================
  describe('checkGitIntegrity', () => {
    it('should return true when fsck succeeds with clean output', () => {
      mockExecSync.mockReturnValue('');
      const result = BuildReliabilityService.checkGitIntegrity('/repo');
      expect(result).toBe(true);
      expect(mockExecSync).toHaveBeenCalledWith(
        'git -C "/repo" fsck --no-dangling',
        expect.objectContaining({ encoding: 'utf8' }),
      );
    });
    it('should return false when fsck output contains corruption indicators', () => {
      mockExecSync.mockReturnValue('broken link from tree abc123');
      const result = BuildReliabilityService.checkGitIntegrity('/repo');
      expect(result).toBe(false);
    });
    it('should return false when fsck output contains missing objects', () => {
      mockExecSync.mockReturnValue('missing blob abc123');
      const result = BuildReliabilityService.checkGitIntegrity('/repo');
      expect(result).toBe(false);
    });
    it('should return false when execSync throws (non-zero exit code)', () => {
      mockExecSync.mockImplementation(() => {
        const error: any = new Error('fsck failed');
        error.stderr = Buffer.from('error: bad object HEAD');
        throw error;
      });
      const result = BuildReliabilityService.checkGitIntegrity('/repo');
      expect(result).toBe(false);
    });
    it('should use current directory when no repoPath provided', () => {
      mockExecSync.mockReturnValue('');
      BuildReliabilityService.checkGitIntegrity();
      expect(mockExecSync).toHaveBeenCalledWith('git -C "." fsck --no-dangling', expect.anything());
    });
  });
  // =========================================================================
  // cleanStaleLockFiles
  // =========================================================================
  describe('cleanStaleLockFiles', () => {
    it('should return 0 when .git directory does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
      expect(result).toBe(0);
    });
    it('should remove lock files older than 10 minutes', () => {
      const now = Date.now();
      const oldTime = now - 15 * 60 * 1000; // 15 minutes ago
      mockFs.existsSync.mockReturnValue(true);
      mockFs.statSync.mockImplementation((filePath: any) => {
        if (filePath === path.join('/repo', '.git')) {
          return { isDirectory: () => true } as fs.Stats;
        }
        return { mtimeMs: oldTime } as fs.Stats;
      });
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/repo', '.git')) {
          return [
            { name: 'index.lock', isDirectory: () => false },
            { name: 'HEAD.lock', isDirectory: () => false },
          ] as any;
        }
        return [];
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
      expect(result).toBe(2);
      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(2);
    });
    it('should NOT remove lock files younger than 10 minutes', () => {
      const now = Date.now();
      const recentTime = now - 2 * 60 * 1000; // 2 minutes ago
      mockFs.existsSync.mockReturnValue(true);
      mockFs.statSync.mockImplementation((filePath: any) => {
        if (filePath === path.join('/repo', '.git')) {
          return { isDirectory: () => true } as fs.Stats;
        }
        return { mtimeMs: recentTime } as fs.Stats;
      });
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/repo', '.git')) {
          return [{ name: 'index.lock', isDirectory: () => false }] as any;
        }
        return [];
      });
      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
      expect(result).toBe(0);
      expect(mockFs.unlinkSync).not.toHaveBeenCalled();
    });
    it('should recursively scan refs directory for lock files', () => {
      const now = Date.now();
      const oldTime = now - 15 * 60 * 1000;
      mockFs.existsSync.mockReturnValue(true);
      mockFs.statSync.mockImplementation((filePath: any) => {
        if (filePath === path.join('/repo', '.git')) {
          return { isDirectory: () => true } as fs.Stats;
        }
        return { mtimeMs: oldTime } as fs.Stats;
      });
      mockFs.readdirSync.mockImplementation((dir: any) => {
        const gitDir = path.join('/repo', '.git');
        if (dir === gitDir) {
          return [{ name: 'refs', isDirectory: () => true }] as any;
        }
        if (dir === path.join(gitDir, 'refs')) {
          return [{ name: 'heads', isDirectory: () => true }] as any;
        }
        if (dir === path.join(gitDir, 'refs', 'heads')) {
          return [{ name: 'main.lock', isDirectory: () => false }] as any;
        }
        return [];
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
      expect(result).toBe(1);
    });
  });
  // =========================================================================
  // validateSubmoduleBackingStores
  // =========================================================================
  describe('validateSubmoduleBackingStores', () => {
    it('should return empty array when .gitmodules does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
      expect(result).toEqual([]);
    });
    it('should detect broken backing store for submodule', () => {
      mockFs.existsSync.mockImplementation((p: any) => {
        if (p === path.join('/repo', '.gitmodules')) return true;
        if (p === path.join('/repo', 'lib/sub', '.git')) return true;
        // Backing store does not exist
        return false;
      });
      mockFs.readFileSync.mockImplementation((p: any) => {
        if (p === path.join('/repo', '.gitmodules')) {
          return '[submodule "sub"]\n\tpath = lib/sub\n\turl = https://example.com/sub.git';
        }
        if (p === path.join('/repo', 'lib/sub', '.git')) {
          return 'gitdir: ../../.git/modules/lib/sub';
        }
        return '';
      });
      mockFs.statSync.mockReturnValue({ isFile: () => true } as fs.Stats);
      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
      expect(result).toContain('lib/sub');
    });
    it('should return empty array when all submodule backing stores are valid', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readFileSync.mockImplementation((p: any) => {
        if (p === path.join('/repo', '.gitmodules')) {
          return '[submodule "sub"]\n\tpath = lib/sub\n\turl = https://example.com/sub.git';
        }
        if (p === path.join('/repo', 'lib/sub', '.git')) {
          return 'gitdir: ../../.git/modules/lib/sub';
        }
        return '';
      });
      mockFs.statSync.mockReturnValue({ isFile: () => true } as fs.Stats);
      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
      expect(result).toEqual([]);
    });
  });
  // =========================================================================
  // recoverCorruptedRepo
  // =========================================================================
  describe('recoverCorruptedRepo', () => {
    it('should orchestrate fsck cleanup and re-fetch, returning true on success', () => {
      // cleanStaleLockFiles: no .git dir
      mockFs.existsSync.mockReturnValue(false);
      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
      // fetch succeeds, then fsck succeeds
      mockExecSync.mockReturnValue('');
      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
      expect(result).toBe(true);
      // Should have called fetch
      expect(mockExecSync).toHaveBeenCalledWith('git -C "/repo" fetch --all', expect.anything());
    });
    it('should return false when recovery fails to restore integrity', () => {
      mockFs.existsSync.mockReturnValue(false);
      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
      // fetch succeeds, but fsck fails
      mockExecSync.mockImplementation((cmd: any) => {
        if (typeof cmd === 'string' && cmd.includes('fetch')) return '';
        if (typeof cmd === 'string' && cmd.includes('fsck')) {
          return 'missing blob abc123';
        }
        return '';
      });
      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
      expect(result).toBe(false);
    });
    it('should continue recovery even when fetch fails', () => {
      mockFs.existsSync.mockReturnValue(false);
      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
      let callCount = 0;
      mockExecSync.mockImplementation((cmd: any) => {
        callCount++;
        if (typeof cmd === 'string' && cmd.includes('fetch')) {
          throw new Error('network error');
        }
        // fsck call
        return '';
      });
      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
      // Should still attempt fsck after failed fetch
      expect(callCount).toBeGreaterThanOrEqual(2);
    });
  });
  // =========================================================================
  // cleanReservedFilenames
  // =========================================================================
  describe('cleanReservedFilenames', () => {
    it('should return empty array when Assets directory does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toEqual([]);
    });
    it('should remove files with reserved names (con, prn, aux, nul)', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/project', 'Assets')) {
          return [
            { name: 'con.txt', isDirectory: () => false },
            { name: 'PRN.meta', isDirectory: () => false },
            { name: 'aux.shader', isDirectory: () => false },
            { name: 'nul.png', isDirectory: () => false },
            { name: 'valid-file.cs', isDirectory: () => false },
          ] as any;
        }
        return [];
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toHaveLength(4);
      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(4);
    });
    it('should remove directories with reserved names', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/project', 'Assets')) {
          return [{ name: 'com1', isDirectory: () => true }] as any;
        }
        return [];
      });
      mockFs.rmSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toHaveLength(1);
      expect(mockFs.rmSync).toHaveBeenCalledWith(path.join('/project', 'Assets', 'com1'), {
        recursive: true,
        force: true,
      });
    });
    it('should detect COM1 through COM9 and LPT1 through LPT9', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/project', 'Assets')) {
          return [
            { name: 'com1.txt', isDirectory: () => false },
            { name: 'COM9.meta', isDirectory: () => false },
            { name: 'lpt1.dat', isDirectory: () => false },
            { name: 'LPT9.log', isDirectory: () => false },
          ] as any;
        }
        return [];
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toHaveLength(4);
    });
    it('should not remove files that merely contain reserved names as substrings', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/project', 'Assets')) {
          return [
            { name: 'controller.cs', isDirectory: () => false },
            { name: 'printer-utils.cs', isDirectory: () => false },
            { name: 'auxiliary.shader', isDirectory: () => false },
          ] as any;
        }
        return [];
      });
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toHaveLength(0);
    });
  });
  // =========================================================================
  // getAvailableSpaceMB
  // =========================================================================
  describe('getAvailableSpaceMB', () => {
    it('should return -1 when the check fails', () => {
      mockExecFileSync.mockImplementation(() => {
        throw new Error('Command failed');
      });
      const result = BuildReliabilityService.getAvailableSpaceMB('/some/path');
      expect(result).toBe(-1);
    });
    it('should parse wmic output on Windows', () => {
      const originalPlatform = process.platform;
      Object.defineProperty(process, 'platform', { value: 'win32' });
      // 10 GB in bytes
      mockExecFileSync.mockReturnValue('\r\nFreeSpace=10737418240\r\n' as any);
      const result = BuildReliabilityService.getAvailableSpaceMB('C:\\builds');
      // 10737418240 / (1024 * 1024) = 10240 MB
      expect(result).toBeCloseTo(10240, 0);
      Object.defineProperty(process, 'platform', { value: originalPlatform });
    });
    it('should parse df output on Unix', () => {
      const originalPlatform = process.platform;
      Object.defineProperty(process, 'platform', { value: 'linux' });
      mockExecFileSync.mockReturnValue('  Avail\n  5120M\n' as any);
      const result = BuildReliabilityService.getAvailableSpaceMB('/builds');
      expect(result).toBe(5120);
      Object.defineProperty(process, 'platform', { value: originalPlatform });
    });
  });
  // =========================================================================
  // getDirectorySizeMB
  // =========================================================================
  describe('getDirectorySizeMB', () => {
    it('should return file size for a single file', () => {
      // 5 MB in bytes
      mockFs.statSync.mockReturnValue({ isDirectory: () => false, size: 5 * 1024 * 1024 } as any);
      const result = BuildReliabilityService.getDirectorySizeMB('/path/to/file.zip');
      expect(result).toBeCloseTo(5, 0);
    });
    it('should return total size for a directory tree', () => {
      const subDir = path.join('/build', 'sub');
      mockFs.statSync.mockImplementation((p: any) => {
        const pathStr = typeof p === 'string' ? p : p.toString();
        if (pathStr === '/build' || pathStr === subDir) {
          return { isDirectory: () => true, size: 0 } as any;
        }
        return { isDirectory: () => false, size: 1024 * 1024 } as any; // 1 MB each
      });
      mockFs.readdirSync.mockImplementation((dirPath: any, _options?: any) => {
        const dirStr = typeof dirPath === 'string' ? dirPath : dirPath.toString();
        if (dirStr === '/build') {
          return [
            { name: 'file1.bin', isDirectory: () => false },
            { name: 'sub', isDirectory: () => true },
          ] as any;
        }
        if (dirStr === subDir) {
          return [{ name: 'file2.bin', isDirectory: () => false }] as any;
        }
        return [] as any;
      });
      const result = BuildReliabilityService.getDirectorySizeMB('/build');
      expect(result).toBeCloseTo(2, 0); // 2 files * 1 MB each
    });
    it('should return -1 when calculation fails', () => {
      mockFs.statSync.mockImplementation(() => {
        throw new Error('Access denied');
      });
      const result = BuildReliabilityService.getDirectorySizeMB('/inaccessible');
      expect(result).toBe(-1);
    });
  });
  // =========================================================================
  // archiveBuildOutput
  // =========================================================================
  describe('archiveBuildOutput', () => {
    it('should skip archiving when source path does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      expect(mockExecSync).not.toHaveBeenCalled();
    });
    it('should create archive directory and tar.gz output', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.mkdirSync.mockReturnValue(undefined as any);
      mockExecSync.mockReturnValue('');
      // Make disk space check return unknown so we proceed
      mockExecFileSync.mockImplementation(() => {
        throw new Error('Command not found');
      });
      mockFs.statSync.mockImplementation(() => {
        throw new Error('Not mocked');
      });
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      expect(mockFs.mkdirSync).toHaveBeenCalledWith('/archives', { recursive: true });
      expect(mockExecSync).toHaveBeenCalledWith(expect.stringContaining('tar -czf'), expect.anything());
    });
    it('should skip archival when insufficient disk space', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.mkdirSync.mockReturnValue(undefined as any);
      // Source is 1000 MB
      mockFs.statSync.mockImplementation((p: any) => {
        const pathStr = typeof p === 'string' ? p : p.toString();
        if (pathStr.endsWith('big-file.bin')) {
          return { isDirectory: () => false, size: 1000 * 1024 * 1024 } as any;
        }
        return { isDirectory: () => true, size: 0 } as any;
      });
      mockFs.readdirSync.mockImplementation(() => {
        return [{ name: 'big-file.bin', isDirectory: () => false }] as any;
      });
      // Only 500 MB available
      const originalPlatform = process.platform;
      Object.defineProperty(process, 'platform', { value: 'linux' });
      mockExecFileSync.mockReturnValue('  Avail\n  500M\n' as any);
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      // Should NOT have attempted the tar command
      expect(mockExecSync).not.toHaveBeenCalledWith(expect.stringContaining('tar'), expect.anything());
      Object.defineProperty(process, 'platform', { value: originalPlatform });
    });
    it('should clean up partial archive on tar failure', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.mkdirSync.mockReturnValue(undefined as any);
      mockFs.unlinkSync.mockReturnValue(undefined);
      // Make disk space check return unknown so we proceed
      mockExecFileSync.mockImplementation(() => {
        throw new Error('Command not found');
      });
      mockFs.statSync.mockImplementation(() => {
        throw new Error('Not mocked');
      });
      // tar command fails
      mockExecSync.mockImplementation(() => {
        const error: any = new Error('tar failed');
        error.stderr = Buffer.from('No space left on device');
        throw error;
      });
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      // Should have attempted to clean up the partial archive
      // (existsSync returns true for the partial file)
      expect(mockFs.unlinkSync).toHaveBeenCalled();
    });
    it('should proceed with warning when disk space check fails', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.mkdirSync.mockReturnValue(undefined as any);
      mockExecSync.mockReturnValue('');
      // Disk space check fails
      mockExecFileSync.mockImplementation(() => {
        throw new Error('Command not found');
      });
      // Directory size check also fails
      mockFs.statSync.mockImplementation(() => {
        throw new Error('Not mocked');
      });
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      // Should still proceed with tar
      expect(mockExecSync).toHaveBeenCalledWith(expect.stringContaining('tar -czf'), expect.anything());
    });
  });
  // =========================================================================
  // enforceRetention
  // =========================================================================
  describe('enforceRetention', () => {
    it('should return 0 when archive path does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      const result = BuildReliabilityService.enforceRetention('/archive', 30);
      expect(result).toBe(0);
    });
    it('should remove archives older than retention period', () => {
      const now = Date.now();
      const oldTime = now - 45 * 24 * 60 * 60 * 1000; // 45 days ago
      const recentTime = now - 5 * 24 * 60 * 60 * 1000; // 5 days ago
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockReturnValue([
        { name: 'build-old.tar.gz', isDirectory: () => false },
        { name: 'build-recent.tar.gz', isDirectory: () => false },
      ] as any);
      mockFs.statSync.mockImplementation((p: any) => {
        if ((p as string).includes('old')) {
          return { mtimeMs: oldTime } as fs.Stats;
        }
        return { mtimeMs: recentTime } as fs.Stats;
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.enforceRetention('/archive', 30);
      expect(result).toBe(1);
      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(1);
    });
    it('should keep all archives within retention period', () => {
      const now = Date.now();
      const recentTime = now - 5 * 24 * 60 * 60 * 1000;
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockReturnValue([
        { name: 'build-1.tar.gz', isDirectory: () => false },
        { name: 'build-2.tar.gz', isDirectory: () => false },
      ] as any);
      mockFs.statSync.mockReturnValue({ mtimeMs: recentTime } as fs.Stats);
      const result = BuildReliabilityService.enforceRetention('/archive', 30);
      expect(result).toBe(0);
    });
  });
  // =========================================================================
  // configureGitEnvironment
  // =========================================================================
  describe('configureGitEnvironment', () => {
    it('should set GIT_TERMINAL_PROMPT=0 in process.env', () => {
      mockExecSync.mockReturnValue('');
      BuildReliabilityService.configureGitEnvironment();
      expect(process.env.GIT_TERMINAL_PROMPT).toBe('0');
    });
    it('should configure http.postBuffer via git config', () => {
      mockExecSync.mockReturnValue('');
      BuildReliabilityService.configureGitEnvironment();
      expect(mockExecSync).toHaveBeenCalledWith('git config --global http.postBuffer 524288000', expect.anything());
    });
    it('should configure core.longpaths via git config', () => {
      mockExecSync.mockReturnValue('');
      BuildReliabilityService.configureGitEnvironment();
      expect(mockExecSync).toHaveBeenCalledWith('git config --global core.longpaths true', expect.anything());
    });
    it('should warn but not throw when git config commands fail', () => {
      const core = require('@actions/core');
      mockExecSync.mockImplementation(() => {
        throw new Error('git config failed');
      });
      // Should not throw
      expect(() => BuildReliabilityService.configureGitEnvironment()).not.toThrow();
      expect(core.warning).toHaveBeenCalled();
    });
  });
 });
@@ -1,527 +0,0 @@
 import { execSync, execFileSync } from 'node:child_process';
 import fs from 'node:fs';
 import path from 'node:path';
 import * as core from '@actions/core';
 /**
 * Build reliability features for hardening CI pipelines.
 * Provides git integrity checks, stale lock cleanup, submodule validation,
 * reserved filename removal, build archival, and git environment configuration.
 * All features are opt-in and fail gracefully (warnings only).
 */
 export class BuildReliabilityService {
  // Windows reserved device names that cause Unity asset importer infinite loops
  private static readonly RESERVED_NAMES = new Set([
    'con',
    'prn',
    'aux',
    'nul',
    'com1',
    'com2',
    'com3',
    'com4',
    'com5',
    'com6',
    'com7',
    'com8',
    'com9',
    'lpt1',
    'lpt2',
    'lpt3',
    'lpt4',
    'lpt5',
    'lpt6',
    'lpt7',
    'lpt8',
    'lpt9',
  ]);
  // Lock files to look for in the .git directory
  private static readonly LOCK_FILE_NAMES = new Set(['index.lock', 'shallow.lock', 'config.lock', 'HEAD.lock']);
  // Maximum age in milliseconds before a lock file is considered stale (10 minutes)
  private static readonly LOCK_FILE_MAX_AGE_MS = 10 * 60 * 1000;
  /**
   * Run git fsck to check repository integrity.
   * Returns true if the repo is healthy, false if corruption detected.
   */
  static checkGitIntegrity(repoPath: string = '.'): boolean {
    core.info(`[Reliability] Checking git integrity in ${repoPath}`);
    try {
      const output = execSync(`git -C "${repoPath}" fsck --no-dangling`, {
        encoding: 'utf8',
        timeout: 120_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      // Parse output for corruption indicators
      const corruptionPatterns = [
        /broken link/i,
        /missing (blob|tree|commit|tag)/i,
        /dangling/i,
        /corrupt/i,
        /error in /i,
      ];
      for (const pattern of corruptionPatterns) {
        if (pattern.test(output)) {
          core.warning(`[Reliability] Git integrity check found issues: ${output.trim()}`);
          return false;
        }
      }
      core.info('[Reliability] Git integrity check passed');
      return true;
    } catch (error: any) {
      // execSync throws on non-zero exit code
      const stderr = error.stderr?.toString() ?? error.message;
      core.warning(`[Reliability] Git integrity check failed: ${stderr}`);
      return false;
    }
  }
  /**
   * Remove stale .lock files from the .git directory.
   * Only removes lock files older than 10 minutes to avoid interfering with active operations.
   * Returns the number of lock files removed.
   */
  static cleanStaleLockFiles(repoPath: string = '.'): number {
    const gitDir = path.join(repoPath, '.git');
    if (!fs.existsSync(gitDir) || !fs.statSync(gitDir).isDirectory()) {
      return 0;
    }
    core.info(`[Reliability] Scanning for stale lock files in ${gitDir}`);
    const now = Date.now();
    let removed = 0;
    const cleanDirectory = (directory: string): void => {
      if (!fs.existsSync(directory)) return;
      try {
        const entries = fs.readdirSync(directory, { withFileTypes: true });
        for (const entry of entries) {
          const fullPath = path.join(directory, entry.name);
          if (entry.isDirectory()) {
            cleanDirectory(fullPath);
          } else if (entry.name.endsWith('.lock')) {
            // Check if it is a known lock file location OR under refs/
            const relativePath = path.relative(gitDir, fullPath);
            const isKnownLock = BuildReliabilityService.LOCK_FILE_NAMES.has(entry.name);
            const isRefsLock = relativePath.startsWith('refs' + path.sep);
            if (isKnownLock || isRefsLock) {
              try {
                const stat = fs.statSync(fullPath);
                const ageMs = now - stat.mtimeMs;
                if (ageMs > BuildReliabilityService.LOCK_FILE_MAX_AGE_MS) {
                  fs.unlinkSync(fullPath);
                  removed++;
                  core.info(
                    `[Reliability] Removed stale lock file (age: ${Math.round(ageMs / 1000)}s): ${relativePath}`,
                  );
                } else {
                  core.info(
                    `[Reliability] Lock file is recent (age: ${Math.round(ageMs / 1000)}s), skipping: ${relativePath}`,
                  );
                }
              } catch {
                core.warning(`[Reliability] Could not remove lock file: ${fullPath}`);
              }
            }
          }
        }
      } catch {
        // Directory not accessible
      }
    };
    cleanDirectory(gitDir);
    if (removed > 0) {
      core.info(`[Reliability] Cleaned ${removed} stale lock file(s)`);
    } else {
      core.info('[Reliability] No stale lock files found');
    }
    return removed;
  }
  /**
   * Validate that submodule .git files point to existing backing stores
   * under .git/modules/. Returns list of submodule paths with broken backing stores.
   */
  static validateSubmoduleBackingStores(repoPath: string = '.'): string[] {
    const broken: string[] = [];
    const gitmodulesPath = path.join(repoPath, '.gitmodules');
    if (!fs.existsSync(gitmodulesPath)) {
      core.info('[Reliability] No .gitmodules found, skipping submodule validation');
      return broken;
    }
    core.info(`[Reliability] Validating submodule backing stores in ${repoPath}`);
    try {
      const content = fs.readFileSync(gitmodulesPath, 'utf8');
      const pathMatches = content.matchAll(/path\s*=\s*(.+)/g);
      for (const match of pathMatches) {
        const submodulePath = match[1].trim();
        const gitFile = path.join(repoPath, submodulePath, '.git');
        if (!fs.existsSync(gitFile)) {
          // Submodule not initialized -- not necessarily broken
          continue;
        }
        try {
          const stat = fs.statSync(gitFile);
          if (stat.isFile()) {
            // .git is a file -- should contain "gitdir: <path>"
            const gitFileContent = fs.readFileSync(gitFile, 'utf8').trim();
            const gitdirMatch = gitFileContent.match(/^gitdir:\s*(.+)$/);
            if (gitdirMatch) {
              const backingStore = path.resolve(path.join(repoPath, submodulePath), gitdirMatch[1]);
              if (!fs.existsSync(backingStore)) {
                broken.push(submodulePath);
                core.warning(`[Reliability] Submodule ${submodulePath} has broken backing store: ${backingStore}`);
              } else {
                core.info(`[Reliability] Submodule ${submodulePath} backing store OK`);
              }
            } else {
              broken.push(submodulePath);
              core.warning(`[Reliability] Submodule ${submodulePath} .git file has invalid format`);
            }
          }
        } catch {
          // Can't read .git file
          core.warning(`[Reliability] Could not read .git file for submodule: ${submodulePath}`);
        }
      }
    } catch (error: any) {
      core.warning(`[Reliability] Could not read .gitmodules: ${error.message}`);
    }
    if (broken.length > 0) {
      core.warning(`[Reliability] ${broken.length} submodule(s) have broken backing stores`);
    } else {
      core.info('[Reliability] All submodule backing stores are valid');
    }
    return broken;
  }
  /**
   * Orchestrate recovery of a corrupted repository.
   * Sequence: fsck -> clean locks -> re-fetch -> retry fsck.
   * Returns true if recovery succeeded.
   */
  static recoverCorruptedRepo(repoPath: string = '.'): boolean {
    core.warning(`[Reliability] Attempting automatic recovery for ${repoPath}`);
    // Step 1: Clean stale lock files that may be preventing operations
    const locksRemoved = BuildReliabilityService.cleanStaleLockFiles(repoPath);
    if (locksRemoved > 0) {
      core.info(`[Reliability] Recovery: cleaned ${locksRemoved} lock file(s)`);
    }
    // Step 2: Re-fetch to restore missing objects
    try {
      core.info('[Reliability] Recovery: re-fetching from remote');
      execSync(`git -C "${repoPath}" fetch --all`, {
        encoding: 'utf8',
        timeout: 300_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      core.info('[Reliability] Recovery: fetch completed');
    } catch (error: any) {
      core.warning(`[Reliability] Recovery: fetch failed: ${error.stderr?.toString() ?? error.message}`);
    }
    // Step 3: Retry fsck
    const healthy = BuildReliabilityService.checkGitIntegrity(repoPath);
    if (healthy) {
      core.info('[Reliability] Recovery succeeded -- repository is healthy');
    } else {
      core.warning('[Reliability] Recovery failed -- repository still has integrity issues');
    }
    return healthy;
  }
  /**
   * Scan a directory tree for files/directories with Windows reserved names.
   * These names (con, prn, aux, nul, com1-9, lpt1-9) with any extension
   * cause Unity asset importer infinite loops on Windows.
   * Returns list of paths that were removed.
   */
  static cleanReservedFilenames(projectPath: string): string[] {
    const assetsPath = path.join(projectPath, 'Assets');
    if (!fs.existsSync(assetsPath)) {
      core.info(`[Reliability] No Assets directory found at ${assetsPath}, skipping reserved filename scan`);
      return [];
    }
    core.info(`[Reliability] Scanning for reserved filenames in ${assetsPath}`);
    const cleaned: string[] = [];
    const scanDirectory = (directory: string): void => {
      try {
        const entries = fs.readdirSync(directory, { withFileTypes: true });
        for (const entry of entries) {
          const nameWithoutExtension = entry.name.split('.')[0].toLowerCase();
          const fullPath = path.join(directory, entry.name);
          if (BuildReliabilityService.RESERVED_NAMES.has(nameWithoutExtension)) {
            try {
              if (entry.isDirectory()) {
                fs.rmSync(fullPath, { recursive: true, force: true });
              } else {
                fs.unlinkSync(fullPath);
              }
              cleaned.push(fullPath);
              core.warning(`[Reliability] Removed reserved filename: ${fullPath}`);
            } catch {
              core.warning(`[Reliability] Could not remove reserved filename: ${fullPath}`);
            }
          } else if (entry.isDirectory()) {
            scanDirectory(fullPath);
          }
        }
      } catch {
        // Directory not accessible
      }
    };
    scanDirectory(assetsPath);
    if (cleaned.length > 0) {
      core.warning(`[Reliability] Cleaned ${cleaned.length} reserved filename(s)`);
    } else {
      core.info('[Reliability] No reserved filenames found');
    }
    return cleaned;
  }
  /**
   * Get available disk space in megabytes for a given directory.
   * Returns -1 if the check fails (unknown space).
   *
   * Cross-platform: uses wmic on Windows, df on Unix.
   */
  static getAvailableSpaceMB(directoryPath: string): number {
    try {
      if (process.platform === 'win32') {
        const drive = path.parse(directoryPath).root;
        const driveLetter = drive.replace(/[:\\\/]/g, '');
        const output = execFileSync(
          'wmic',
          ['logicaldisk', 'where', `DeviceID='${driveLetter}:'`, 'get', 'FreeSpace', '/value'],
          { encoding: 'utf8', timeout: 10_000 },
        );
        const match = output.match(/FreeSpace=(\d+)/);
        return match ? Number.parseInt(match[1], 10) / (1024 * 1024) : -1;
      } else {
        const output = execFileSync('df', ['-BM', '--output=avail', directoryPath], {
          encoding: 'utf8',
          timeout: 10_000,
        });
        const lines = output.trim().split('\n');
        return Number.parseInt(lines[lines.length - 1], 10);
      }
    } catch {
      return -1; // Unknown, caller should proceed with warning
    }
  }
  /**
   * Calculate the total size of a directory in megabytes.
   * Returns -1 if the calculation fails.
   */
  static getDirectorySizeMB(directoryPath: string): number {
    try {
      const stat = fs.statSync(directoryPath);
      if (!stat.isDirectory()) {
        return stat.size / (1024 * 1024);
      }
      let totalBytes = 0;
      const walkDirectory = (dir: string): void => {
        const entries = fs.readdirSync(dir, { withFileTypes: true });
        for (const entry of entries) {
          const fullPath = path.join(dir, entry.name);
          if (entry.isDirectory()) {
            walkDirectory(fullPath);
          } else {
            try {
              totalBytes += fs.statSync(fullPath).size;
            } catch {
              // Skip inaccessible files
            }
          }
        }
      };
      walkDirectory(directoryPath);
      return totalBytes / (1024 * 1024);
    } catch {
      return -1;
    }
  }
  /**
   * Create a tar.gz archive of build output.
   *
   * Validates disk space before archiving. Skips archival with a warning
   * if insufficient space is detected, preventing partial writes on full disks.
   */
  static archiveBuildOutput(sourcePath: string, archivePath: string): void {
    if (!fs.existsSync(sourcePath)) {
      core.info(`[Reliability] No build output to archive at ${sourcePath}`);
      return;
    }
    fs.mkdirSync(archivePath, { recursive: true });
    // Check available disk space before archiving
    const sourceSizeMB = BuildReliabilityService.getDirectorySizeMB(sourcePath);
    const availableSpaceMB = BuildReliabilityService.getAvailableSpaceMB(archivePath);
    if (sourceSizeMB >= 0 && availableSpaceMB >= 0) {
      const neededMB = Math.ceil(sourceSizeMB * 1.1); // 10% safety margin
      if (availableSpaceMB < neededMB) {
        core.warning(
          `[Reliability] Insufficient disk space for archive. ` +
            `Need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB. Skipping archive.`,
        );
        return;
      }
      core.info(
        `[Reliability] Disk space check passed: need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB`,
      );
    } else if (availableSpaceMB < 0) {
      core.warning('[Reliability] Could not determine available disk space. Proceeding with archive cautiously.');
    }
    const timestamp = new Date().toISOString().replace(/[.:]/g, '-');
    const archiveFile = path.join(archivePath, `build-${timestamp}.tar.gz`);
    try {
      execSync(`tar -czf "${archiveFile}" -C "${path.dirname(sourcePath)}" "${path.basename(sourcePath)}"`, {
        encoding: 'utf8',
        timeout: 600_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      core.info(`[Reliability] Build output archived to ${archiveFile}`);
    } catch (error: any) {
      core.warning(`[Reliability] Failed to archive build output: ${error.stderr?.toString() ?? error.message}`);
      // Clean up partial archive if it exists to avoid leaving corrupted files
      try {
        if (fs.existsSync(archiveFile)) {
          fs.unlinkSync(archiveFile);
          core.info(`[Reliability] Cleaned up partial archive: ${archiveFile}`);
        }
      } catch {
        // Best-effort cleanup
      }
    }
  }
  /**
   * Enforce retention policy -- delete archives older than the retention period.
   * Returns the number of old archives removed.
   */
  static enforceRetention(archivePath: string, retentionDays: number): number {
    if (!fs.existsSync(archivePath)) {
      return 0;
    }
    const now = Date.now();
    const retentionMs = retentionDays * 24 * 60 * 60 * 1000;
    let removed = 0;
    try {
      const entries = fs.readdirSync(archivePath, { withFileTypes: true });
      for (const entry of entries) {
        const fullPath = path.join(archivePath, entry.name);
        try {
          const stat = fs.statSync(fullPath);
          const ageMs = now - stat.mtimeMs;
          if (ageMs > retentionMs) {
            if (entry.isDirectory()) {
              fs.rmSync(fullPath, { recursive: true, force: true });
            } else {
              fs.unlinkSync(fullPath);
            }
            removed++;
            core.info(
              `[Reliability] Removed old archive: ${entry.name} (age: ${Math.round(
                ageMs / (24 * 60 * 60 * 1000),
              )} days)`,
            );
          }
        } catch {
          core.warning(`[Reliability] Could not process archive entry: ${fullPath}`);
        }
      }
    } catch {
      core.warning(`[Reliability] Could not read archive directory: ${archivePath}`);
      return 0;
    }
    if (removed > 0) {
      core.info(
        `[Reliability] Retention enforced: removed ${removed} old archive(s), retention: ${retentionDays} days`,
      );
    }
    return removed;
  }
  /**
   * Configure git environment variables for CI reliability.
   * Sets GIT_TERMINAL_PROMPT=0, increases http.postBuffer, enables core.longpaths.
   */
  static configureGitEnvironment(): void {
    core.info('[Reliability] Configuring git environment for CI');
    // Prevent git from prompting for credentials (hangs in CI)
    process.env.GIT_TERMINAL_PROMPT = '0';
    core.info('[Reliability] Set GIT_TERMINAL_PROMPT=0');
    try {
      // Increase http.postBuffer to 500MB for large pushes
      execSync('git config --global http.postBuffer 524288000', {
        encoding: 'utf8',
        timeout: 10_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      core.info('[Reliability] Set http.postBuffer=524288000 (500MB)');
    } catch (error: any) {
      core.warning(`[Reliability] Could not set http.postBuffer: ${error.message}`);
    }
    try {
      // Enable long paths on Windows
      execSync('git config --global core.longpaths true', {
        encoding: 'utf8',
        timeout: 10_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      core.info('[Reliability] Set core.longpaths=true');
    } catch (error: any) {
      core.warning(`[Reliability] Could not set core.longpaths: ${error.message}`);
    }
  }
 }
@@ -1 +0,0 @@
 export { BuildReliabilityService } from './build-reliability-service';
@@ -0,0 +1,446 @@
 import fs from 'node:fs';
 import * as core from '@actions/core';
 import { SecretSourceService, validateSecretKey } from './secret-source-service';
 jest.mock('node:fs');
 jest.mock('@actions/core', () => ({
  setSecret: jest.fn(),
  info: jest.fn(),
  warning: jest.fn(),
  error: jest.fn(),
 }));
 jest.mock('../core/orchestrator-system', () => ({
  OrchestratorSystem: {
    Run: jest.fn().mockResolvedValue(''),
  },
 }));
 jest.mock('../core/orchestrator-logger', () => ({
  __esModule: true,
  default: {
    log: jest.fn(),
    logWarning: jest.fn(),
    error: jest.fn(),
  },
 }));
 const mockFs = fs as jest.Mocked<typeof fs>;
 describe('SecretSourceService', () => {
  beforeEach(() => {
    jest.clearAllMocks();
  });
  describe('validateSecretKey', () => {
    it('should accept alphanumeric keys', () => {
      expect(validateSecretKey('MY_SECRET_KEY')).toBe('MY_SECRET_KEY');
    });
    it('should accept keys with hyphens', () => {
      expect(validateSecretKey('my-secret-key')).toBe('my-secret-key');
    });
    it('should accept keys with dots', () => {
      expect(validateSecretKey('my.secret.key')).toBe('my.secret.key');
    });
    it('should accept keys with forward slashes', () => {
      expect(validateSecretKey('path/to/secret')).toBe('path/to/secret');
    });
    it('should accept keys with mixed valid characters', () => {
      expect(validateSecretKey('my-app/prod_db.password')).toBe('my-app/prod_db.password');
    });
    it('should reject keys with semicolons (shell injection)', () => {
      expect(() => validateSecretKey('; rm -rf /')).toThrow('Invalid secret key name');
    });
    it('should reject keys with backticks (command substitution)', () => {
      expect(() => validateSecretKey('`whoami`')).toThrow('Invalid secret key name');
    });
    it('should reject keys with dollar signs (variable expansion)', () => {
      expect(() => validateSecretKey('$HOME')).toThrow('Invalid secret key name');
    });
    it('should reject keys with pipe characters', () => {
      expect(() => validateSecretKey('key | cat /etc/passwd')).toThrow('Invalid secret key name');
    });
    it('should reject keys with ampersands', () => {
      expect(() => validateSecretKey('key && echo pwned')).toThrow('Invalid secret key name');
    });
    it('should reject keys with newlines', () => {
      expect(() => validateSecretKey('key\nmalicious')).toThrow('Invalid secret key name');
    });
    it('should reject keys with quotes', () => {
      expect(() => validateSecretKey('"key"')).toThrow('Invalid secret key name');
      expect(() => validateSecretKey("'key'")).toThrow('Invalid secret key name');
    });
    it('should reject keys with parentheses (subshell)', () => {
      expect(() => validateSecretKey('$(whoami)')).toThrow('Invalid secret key name');
    });
    it('should reject empty keys', () => {
      expect(() => validateSecretKey('')).toThrow('Invalid secret key name');
    });
    it('should reject keys with spaces', () => {
      expect(() => validateSecretKey('key with spaces')).toThrow('Invalid secret key name');
    });
  });
  describe('isPremadeSource', () => {
    it('should return true for aws-secrets-manager', () => {
      expect(SecretSourceService.isPremadeSource('aws-secrets-manager')).toBe(true);
    });
    it('should return true for aws-secret-manager (legacy alias)', () => {
      expect(SecretSourceService.isPremadeSource('aws-secret-manager')).toBe(true);
    });
    it('should return true for aws-parameter-store', () => {
      expect(SecretSourceService.isPremadeSource('aws-parameter-store')).toBe(true);
    });
    it('should return true for gcp-secret-manager', () => {
      expect(SecretSourceService.isPremadeSource('gcp-secret-manager')).toBe(true);
    });
    it('should return true for azure-key-vault', () => {
      expect(SecretSourceService.isPremadeSource('azure-key-vault')).toBe(true);
    });
    it('should return true for hashicorp-vault', () => {
      expect(SecretSourceService.isPremadeSource('hashicorp-vault')).toBe(true);
    });
    it('should return true for hashicorp-vault-kv1', () => {
      expect(SecretSourceService.isPremadeSource('hashicorp-vault-kv1')).toBe(true);
    });
    it('should return true for vault (short alias)', () => {
      expect(SecretSourceService.isPremadeSource('vault')).toBe(true);
    });
    it('should return false for unknown source', () => {
      expect(SecretSourceService.isPremadeSource('unknown-source')).toBe(false);
    });
  });
  describe('getAvailableSources', () => {
    it('should return all premade source names', () => {
      const sources = SecretSourceService.getAvailableSources();
      expect(sources).toContain('aws-secrets-manager');
      expect(sources).toContain('aws-parameter-store');
      expect(sources).toContain('gcp-secret-manager');
      expect(sources).toContain('azure-key-vault');
      expect(sources).toContain('hashicorp-vault');
      expect(sources).toContain('hashicorp-vault-kv1');
      expect(sources).toContain('vault');
      expect(sources.length).toBeGreaterThanOrEqual(8);
    });
  });
  describe('resolveSource', () => {
    it('should resolve premade source by name', () => {
      const source = SecretSourceService.resolveSource('aws-secrets-manager');
      expect(source).toBeDefined();
      expect(source!.name).toBe('aws-secrets-manager');
      expect(source!.command).toContain('secretsmanager');
    });
    it('should resolve custom command with {0} placeholder', () => {
      const source = SecretSourceService.resolveSource('vault kv get -field=value secret/{0}');
      expect(source).toBeDefined();
      expect(source!.name).toBe('custom-command');
      expect(source!.command).toContain('{0}');
    });
    it('should resolve command with spaces as custom command', () => {
      const source = SecretSourceService.resolveSource('my-tool get-secret');
      expect(source).toBeDefined();
      expect(source!.name).toBe('custom-command');
    });
    it('should return undefined for unknown single-word source', () => {
      const source = SecretSourceService.resolveSource('unknown');
      expect(source).toBeUndefined();
    });
  });
  describe('fetchSecret', () => {
    it('should run the command with {0} replaced by key', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockResolvedValue('my-secret-value');
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      const result = await SecretSourceService.fetchSecret(source, 'MY_SECRET');
      expect(result).toBe('my-secret-value');
      expect(OrchestratorSystem.Run).toHaveBeenCalledWith(expect.stringContaining('MY_SECRET'), false, true);
    });
    it('should parse JSON output when parseOutput is json-field', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockResolvedValue(JSON.stringify({ value: 'extracted-secret' }));
      const source = {
        name: 'test-source',
        command: 'fetch {0}',
        parseOutput: 'json-field' as const,
        jsonField: 'value',
      };
      const result = await SecretSourceService.fetchSecret(source, 'KEY');
      expect(result).toBe('extracted-secret');
    });
    it('should fall back to raw output on invalid JSON with json-field mode', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockResolvedValue('not-json');
      const source = {
        name: 'test-source',
        command: 'fetch {0}',
        parseOutput: 'json-field' as const,
        jsonField: 'value',
      };
      const result = await SecretSourceService.fetchSecret(source, 'KEY');
      expect(result).toBe('not-json');
    });
    it('should return empty string on command failure', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockRejectedValue(new Error('command not found'));
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      const result = await SecretSourceService.fetchSecret(source, 'KEY');
      expect(result).toBe('');
    });
    it('should reject keys with shell injection characters', async () => {
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      await expect(SecretSourceService.fetchSecret(source, '; rm -rf /')).rejects.toThrow('Invalid secret key name');
    });
    it('should reject keys with command substitution', async () => {
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      await expect(SecretSourceService.fetchSecret(source, '$(whoami)')).rejects.toThrow('Invalid secret key name');
    });
    it('should reject keys with backtick command substitution', async () => {
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      await expect(SecretSourceService.fetchSecret(source, '`cat /etc/passwd`')).rejects.toThrow(
        'Invalid secret key name',
      );
    });
    it('should accept keys with valid path-like patterns', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockResolvedValue('secret-value');
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      const result = await SecretSourceService.fetchSecret(source, 'prod/database/password');
      expect(result).toBe('secret-value');
    });
    it('should mask fetched secret values with core.setSecret', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockResolvedValue('super-secret-value');
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      await SecretSourceService.fetchSecret(source, 'MY_SECRET');
      expect(core.setSecret).toHaveBeenCalledWith('super-secret-value');
    });
    it('should not mask empty secret values', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockResolvedValue('');
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      await SecretSourceService.fetchSecret(source, 'MY_SECRET');
      expect(core.setSecret).not.toHaveBeenCalled();
    });
    it('should mask JSON-extracted secret values', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockResolvedValue(JSON.stringify({ value: 'json-secret' }));
      const source = {
        name: 'test-source',
        command: 'fetch {0}',
        parseOutput: 'json-field' as const,
        jsonField: 'value',
      };
      await SecretSourceService.fetchSecret(source, 'KEY');
      expect(core.setSecret).toHaveBeenCalledWith('json-secret');
    });
  });
  describe('fetchFromEnv', () => {
    it('should return env var value when set', () => {
      process.env.TEST_SECRET_KEY = 'env-value';
      const result = SecretSourceService.fetchFromEnv('TEST_SECRET_KEY');
      expect(result).toBe('env-value');
      delete process.env.TEST_SECRET_KEY;
    });
    it('should return empty string when env var is not set', () => {
      const result = SecretSourceService.fetchFromEnv('NONEXISTENT_KEY_12345');
      expect(result).toBe('');
    });
    it('should mask env var values with core.setSecret', () => {
      process.env.TEST_MASK_KEY = 'masked-env-value';
      SecretSourceService.fetchFromEnv('TEST_MASK_KEY');
      expect(core.setSecret).toHaveBeenCalledWith('masked-env-value');
      delete process.env.TEST_MASK_KEY;
    });
    it('should not mask empty env var values', () => {
      const result = SecretSourceService.fetchFromEnv('NONEXISTENT_KEY_99999');
      expect(result).toBe('');
      expect(core.setSecret).not.toHaveBeenCalled();
    });
  });
  describe('fetchAll', () => {
    it('should fetch all keys from env source', async () => {
      process.env.KEY_A = 'val-a';
      process.env.KEY_B = 'val-b';
      const results = await SecretSourceService.fetchAll('env', ['KEY_A', 'KEY_B']);
      expect(results.KEY_A).toBe('val-a');
      expect(results.KEY_B).toBe('val-b');
      delete process.env.KEY_A;
      delete process.env.KEY_B;
    });
    it('should fetch all keys from premade source', async () => {
      const { OrchestratorSystem } = require('../core/orchestrator-system');
      OrchestratorSystem.Run.mockResolvedValueOnce('secret-1').mockResolvedValueOnce('secret-2');
      const results = await SecretSourceService.fetchAll('aws-parameter-store', ['param1', 'param2']);
      expect(results.param1).toBe('secret-1');
      expect(results.param2).toBe('secret-2');
      expect(OrchestratorSystem.Run).toHaveBeenCalledTimes(2);
    });
    it('should return empty results for unknown source', async () => {
      const results = await SecretSourceService.fetchAll('unknown', ['key1']);
      expect(results).toEqual({});
    });
  });
  describe('loadFromYaml', () => {
    it('should return empty array when file does not exist', () => {
      (mockFs.existsSync as jest.Mock).mockReturnValue(false);
      const result = SecretSourceService.loadFromYaml('/nonexistent.yml');
      expect(result).toEqual([]);
    });
    it('should parse valid YAML source definitions', () => {
      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
      (mockFs.readFileSync as jest.Mock).mockReturnValue(`
 sources:
  - name: my-vault
    command: 'vault kv get -field=value secret/{0}'
  - name: my-api
    command: 'curl -s https://api.example.com/{0}'
    parseOutput: json-field
    jsonField: secret_value
 `);
      const result = SecretSourceService.loadFromYaml('/sources.yml');
      expect(result).toHaveLength(2);
      expect(result[0].name).toBe('my-vault');
      expect(result[0].command).toBe('vault kv get -field=value secret/{0}');
      expect(result[1].name).toBe('my-api');
      expect(result[1].parseOutput).toBe('json-field');
      expect(result[1].jsonField).toBe('secret_value');
    });
    it('should handle YAML with single source', () => {
      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
      (mockFs.readFileSync as jest.Mock).mockReturnValue(`
 sources:
  - name: simple
    command: echo {0}
 `);
      const result = SecretSourceService.loadFromYaml('/simple.yml');
      expect(result).toHaveLength(1);
      expect(result[0].name).toBe('simple');
    });
    it('should return empty array on parse error', () => {
      (mockFs.existsSync as jest.Mock).mockReturnValue(true);
      (mockFs.readFileSync as jest.Mock).mockImplementation(() => {
        throw new Error('Permission denied');
      });
      const result = SecretSourceService.loadFromYaml('/error.yml');
      expect(result).toEqual([]);
    });
  });
  describe('premade source commands', () => {
    it('aws-secrets-manager uses --query SecretString', () => {
      const source = SecretSourceService.resolveSource('aws-secrets-manager')!;
      expect(source.command).toContain('--query SecretString');
      expect(source.command).toContain('--output text');
    });
    it('aws-parameter-store uses --with-decryption', () => {
      const source = SecretSourceService.resolveSource('aws-parameter-store')!;
      expect(source.command).toContain('--with-decryption');
      expect(source.command).toContain('--query Parameter.Value');
    });
    it('gcp-secret-manager uses latest version', () => {
      const source = SecretSourceService.resolveSource('gcp-secret-manager')!;
      expect(source.command).toContain('latest');
    });
    it('azure-key-vault uses AZURE_VAULT_NAME env var', () => {
      const source = SecretSourceService.resolveSource('azure-key-vault')!;
      expect(source.command).toContain('$AZURE_VAULT_NAME');
    });
    it('hashicorp-vault uses vault kv get with VAULT_MOUNT', () => {
      const source = SecretSourceService.resolveSource('hashicorp-vault')!;
      expect(source.command).toContain('vault kv get');
      expect(source.command).toContain('VAULT_MOUNT');
      expect(source.command).toContain('-field=value');
    });
    it('hashicorp-vault-kv1 uses vault read for KV v1', () => {
      const source = SecretSourceService.resolveSource('hashicorp-vault-kv1')!;
      expect(source.command).toContain('vault read');
      expect(source.command).toContain('-field=value');
    });
    it('vault alias resolves to same command as hashicorp-vault', () => {
      const vault = SecretSourceService.resolveSource('vault')!;
      const hashicorpVault = SecretSourceService.resolveSource('hashicorp-vault')!;
      expect(vault.command).toBe(hashicorpVault.command);
    });
  });
 });
@@ -0,0 +1,337 @@
 import fs from 'node:fs';
 import * as core from '@actions/core';
 import OrchestratorLogger from '../core/orchestrator-logger';
 import { OrchestratorSystem } from '../core/orchestrator-system';
 /**
 * A secret source definition: how to fetch a secret value by key.
 */
 export interface SecretSourceDefinition {
  name: string;
  command: string;
  parseOutput?: 'raw' | 'json-field';
  jsonField?: string;
 }
 /**
 * Validate that a secret key name contains only safe characters.
 * Prevents shell injection when keys are interpolated into commands.
 *
 * Allowed characters: alphanumeric, hyphens, underscores, dots, forward slashes.
 *
 * @param key - The secret key name to validate
 * @returns The validated key (unchanged)
 * @throws Error if the key contains disallowed characters
 */
 export function validateSecretKey(key: string): string {
  if (!/^[a-zA-Z0-9\-_./]+$/.test(key)) {
    throw new Error(
      `Invalid secret key name: "${key}". Keys may only contain alphanumeric characters, hyphens, underscores, dots, and forward slashes.`,
    );
  }
  return key;
 }
 /**
 * Mask a secret value so it does not appear in GitHub Actions logs.
 * Empty or whitespace-only values are skipped (core.setSecret would be a no-op).
 */
 function maskSecretValue(value: string): void {
  if (value.trim().length > 0) {
    core.setSecret(value);
  }
 }
 /**
 * Premade secret sources and custom YAML-based secret source definitions.
 *
 * Premade sources are string shortcuts that expand to shell commands:
 *   - `aws-secrets-manager` -- AWS Secrets Manager
 *   - `aws-parameter-store` -- AWS Systems Manager Parameter Store
 *   - `gcp-secret-manager` -- Google Cloud Secret Manager
 *   - `azure-key-vault` -- Azure Key Vault (requires AZURE_VAULT_NAME env var)
 *   - `hashicorp-vault` -- HashiCorp Vault KV v2 (requires VAULT_ADDR, optionally VAULT_MOUNT)
 *   - `hashicorp-vault-kv1` -- HashiCorp Vault KV v1 (requires VAULT_ADDR, optionally VAULT_MOUNT)
 *   - `env` -- Read from environment variables (no shell command needed)
 *
 * Custom YAML format:
 *   sources:
 *     - name: my-vault
 *       command: 'vault kv get -field=value secret/{0}'
 *     - name: my-api
 *       command: 'curl -s https://secrets.example.com/api/{0}'
 *       parseOutput: json-field
 *       jsonField: value
 */
 export class SecretSourceService {
  private static readonly premadeSources: Record<string, SecretSourceDefinition> = {
    'aws-secrets-manager': {
      name: 'aws-secrets-manager',
      command: 'aws secretsmanager get-secret-value --secret-id {0} --query SecretString --output text',
      parseOutput: 'raw',
    },
    'aws-secret-manager': {
      // Alias for backward compatibility (original name in inputPullCommand)
      name: 'aws-secret-manager',
      command: 'aws secretsmanager get-secret-value --secret-id {0} --query SecretString --output text',
      parseOutput: 'raw',
    },
    'aws-parameter-store': {
      name: 'aws-parameter-store',
      command: 'aws ssm get-parameter --name {0} --with-decryption --query Parameter.Value --output text',
      parseOutput: 'raw',
    },
    'gcp-secret-manager': {
      name: 'gcp-secret-manager',
      command: 'gcloud secrets versions access latest --secret="{0}"',
      parseOutput: 'raw',
    },
    'azure-key-vault': {
      name: 'azure-key-vault',
      command: 'az keyvault secret show --vault-name "$AZURE_VAULT_NAME" --name {0} --query value --output tsv',
      parseOutput: 'raw',
    },
    'hashicorp-vault': {
      // HashiCorp Vault KV v2 (default). Requires VAULT_ADDR env var.
      // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
      // Authentication is handled by VAULT_TOKEN or other Vault auth env vars.
      name: 'hashicorp-vault',
      command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
      parseOutput: 'raw',
    },
    'hashicorp-vault-kv1': {
      // HashiCorp Vault KV v1. Requires VAULT_ADDR env var.
      // Optionally set VAULT_MOUNT to override the mount path (default: 'secret').
      name: 'hashicorp-vault-kv1',
      command: 'vault read -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
      parseOutput: 'raw',
    },
    vault: {
      // Short alias for hashicorp-vault (KV v2)
      name: 'vault',
      command: 'vault kv get -mount="${VAULT_MOUNT:-secret}" -field=value {0}',
      parseOutput: 'raw',
    },
  };
  /**
   * Check if a source name is a known premade source.
   */
  static isPremadeSource(sourceName: string): boolean {
    return sourceName in SecretSourceService.premadeSources;
  }
  /**
   * Get the list of available premade source names.
   */
  static getAvailableSources(): string[] {
    return Object.keys(SecretSourceService.premadeSources);
  }
  /**
   * Resolve a source name to a SecretSourceDefinition.
   *
   * - If the name matches a premade source, returns that definition.
   * - If it looks like a shell command (contains spaces or {0}), wraps it as a custom command.
   * - Otherwise, returns undefined.
   */
  static resolveSource(sourceName: string): SecretSourceDefinition | undefined {
    // Check premade sources
    if (SecretSourceService.isPremadeSource(sourceName)) {
      return SecretSourceService.premadeSources[sourceName];
    }
    // If it contains a placeholder or spaces, treat it as a raw command
    if (sourceName.includes('{0}') || sourceName.includes(' ')) {
      return {
        name: 'custom-command',
        command: sourceName,
        parseOutput: 'raw',
      };
    }
    return undefined;
  }
  /**
   * Load custom secret source definitions from a YAML file.
   *
   * Expected format:
   *   sources:
   *     - name: my-source
   *       command: 'my-tool get-secret {0}'
   *     - name: my-api
   *       command: 'curl -s https://api.example.com/secrets/{0}'
   *       parseOutput: json-field
   *       jsonField: value
   */
  static loadFromYaml(filePath: string): SecretSourceDefinition[] {
    if (!fs.existsSync(filePath)) {
      OrchestratorLogger.logWarning(`Secret source YAML not found: ${filePath}`);
      return [];
    }
    try {
      const content = fs.readFileSync(filePath, 'utf8');
      const parsed = SecretSourceService.parseSimpleYaml(content);
      return parsed;
    } catch (error: any) {
      OrchestratorLogger.logWarning(`Failed to parse secret source YAML: ${error.message}`);
      return [];
    }
  }
  /**
   * Fetch a secret value using the given source definition.
   *
   * Validates the key against an allowlist pattern before interpolating it
   * into the command string to prevent shell injection. The fetched secret
   * value is masked via core.setSecret() so it does not leak in logs.
   *
   * @param source - The secret source definition to use
   * @param key - The secret key to fetch
   * @returns The secret value, or empty string on failure
   */
  static async fetchSecret(source: SecretSourceDefinition, key: string): Promise<string> {
    // Validate the key to prevent shell injection
    validateSecretKey(key);
    const command = source.command.replace(/\{0\}/g, key);
    try {
      const output = await OrchestratorSystem.Run(command, false, true);
      let value: string;
      if (source.parseOutput === 'json-field' && source.jsonField) {
        try {
          const parsed = JSON.parse(output);
          value = parsed[source.jsonField] || '';
        } catch {
          OrchestratorLogger.logWarning(`Failed to parse JSON output from ${source.name} for key ${key}`);
          value = output.trim();
        }
      } else {
        value = output.trim();
      }
      // Mask the secret value so it does not appear in GitHub Actions logs
      maskSecretValue(value);
      return value;
    } catch (error: any) {
      OrchestratorLogger.logWarning(`Failed to fetch secret '${key}' from ${source.name}: ${error.message}`);
      return '';
    }
  }
  /**
   * Fetch a secret from an environment variable. No shell command needed.
   * The value is masked via core.setSecret() so it does not leak in logs.
   */
  static fetchFromEnv(key: string): string {
    const value = process.env[key] || '';
    maskSecretValue(value);
    return value;
  }
  /**
   * Resolve a source name and fetch all secrets from it.
   *
   * @param sourceName - Premade source name, shell command, or 'env'
   * @param keys - List of secret keys to fetch
   * @returns Map of key -> value
   */
  static async fetchAll(sourceName: string, keys: string[]): Promise<Record<string, string>> {
    const results: Record<string, string> = {};
    if (sourceName === 'env') {
      for (const key of keys) {
        results[key] = SecretSourceService.fetchFromEnv(key);
      }
      return results;
    }
    const source = SecretSourceService.resolveSource(sourceName);
    if (!source) {
      OrchestratorLogger.logWarning(
        `Unknown secret source '${sourceName}'. Available sources: ${SecretSourceService.getAvailableSources().join(
          ', ',
        )}`,
      );
      return results;
    }
    OrchestratorLogger.log(`Fetching ${keys.length} secret(s) from ${source.name}`);
    for (const key of keys) {
      results[key] = await SecretSourceService.fetchSecret(source, key);
    }
    return results;
  }
  /**
   * Simple YAML parser for secret source definitions.
   * Handles the specific structure we expect without requiring a YAML library.
   */
  private static parseSimpleYaml(content: string): SecretSourceDefinition[] {
    const definitions: SecretSourceDefinition[] = [];
    const lines = content.split('\n');
    let current: Partial<SecretSourceDefinition> | null = null;
    for (const rawLine of lines) {
      const line = rawLine.replace(/\r$/, '');
      const trimmed = line.trim();
      if (trimmed === '' || trimmed.startsWith('#')) continue;
      if (trimmed === '- name:' || trimmed.startsWith('- name:')) {
        if (current?.name && current?.command) {
          definitions.push(current as SecretSourceDefinition);
        }
        current = {
          name: trimmed
            .replace('- name:', '')
            .trim()
            .replace(/^['"]|['"]$/g, ''),
          parseOutput: 'raw',
        };
        continue;
      }
      if (current && trimmed.startsWith('command:')) {
        current.command = trimmed
          .replace('command:', '')
          .trim()
          .replace(/^['"]|['"]$/g, '');
      } else if (current && trimmed.startsWith('parseOutput:')) {
        const value = trimmed
          .replace('parseOutput:', '')
          .trim()
          .replace(/^['"]|['"]$/g, '');
        current.parseOutput = value as 'raw' | 'json-field';
      } else if (current && trimmed.startsWith('jsonField:')) {
        current.jsonField = trimmed
          .replace('jsonField:', '')
          .trim()
          .replace(/^['"]|['"]$/g, '');
      }
    }
    if (current?.name && current?.command) {
      definitions.push(current as SecretSourceDefinition);
    }
    return definitions;
  }
 }
Author	SHA1	Message	Date
frostebite	e0e7b225a1	fix: replace orchestrator-develop branch references with main The orchestrator-develop branch no longer exists. Update all fallback clone commands and test fixtures to use main instead. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-09 20:04:50 +00:00
frostebite	b9f70d35a1	ci: set macOS builds to continue-on-error Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 23:33:29 +00:00
frostebite	1f3affe097	fix(secrets): prevent shell injection in secret key names and mask values - Validate secret key names against alphanumeric allowlist before shell interpolation - Apply validation in both SecretSourceService.fetchSecret() and legacy queryOverride() - Mask fetched secret values with core.setSecret() to prevent log exposure - Add 20 new tests for validation and masking Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 12:55:18 +00:00
frostebite	7f895304f4	feat(secrets): add HashiCorp Vault as first-class premade secret source Adds three Vault entries: hashicorp-vault (KV v2), hashicorp-vault-kv1 (KV v1), and vault (short alias). Uses VAULT_ADDR for server address and VAULT_MOUNT env var for configurable mount path (defaults to 'secret'). Refs #776 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 08:41:04 +00:00
frostebite	e4c156e7b0	feat(orchestrator): add premade secret sources and YAML definitions Add SecretSourceService with premade secret source integrations: - aws-secrets-manager (with --query SecretString for direct value) - aws-parameter-store (with --with-decryption) - gcp-secret-manager (latest version) - azure-key-vault (via $AZURE_VAULT_NAME env var) - env (environment variables, no shell command needed) - Custom commands (any string with {0} placeholder) - YAML file definitions for custom sources Add secretSource input that takes precedence over inputPullCommand. Backward compatible — existing inputPullCommand behavior unchanged. Closes #776 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 08:35:03 +00:00
		`@@ -1 +0,0 @@`
			`export { BuildReliabilityService } from './build-reliability-service';`