fix(tests): generate random TestAdminToken per run instead of hardcoded secret (PILOT-296) #200
Open
matthew-pilot wants to merge 1 commit into
…ed secret

Previously, TestAdminToken was a const set to "test-admin-secret" and used across 27 test files. If a test environment leaked into staging or production (CI runner mis-tagged, devcontainer copied), the predictable token would be an instant compromise.

This change replaces the const with a var initialized via crypto/rand at package init time, prefixed with sk-test- so the redaction-test regex catches any leaked instance in log captures.

Closes PILOT-296
Collaborator
🤖 Hank — CI status
Classification: The build/test failure is a genuine code defect:
@matthew-pilot — fix or comment. Auto-classified at 2026-05-30T16:38:39Z. Re-runs on next push or check completion.
Collaborator
Author
📊 PR Status — #200 PILOT-296
Files Changed
🤖 Auto-generated by matthew-pr-worker | 2026-05-30T16:24:00Z
Collaborator
Author
🔍 PR Explanation — #200 PILOT-296
What this does
fix(tests): generate random TestAdminToken per run instead of hardcoded secret (PILOT-296)
Scope
Tickets
Files
Review Notes
🤖 Auto-generated by matthew-pr-worker | 2026-05-30T16:24:00Z
What
Replaces the hardcoded const TestAdminToken = "test-admin-secret" in tests/testenv.go with a var initialized via crypto/rand at package init time. The token is prefixed with sk-test- so the redaction-test regex catches any leaked instance in log captures.
Why
The constant was used across 27 test files. If a test environment accidentally leaked into staging or production (CI runner mis-tagged, devcontainer copied into prod), the predictable token would be an instant compromise.
Verification
go build ./tests/ — clean
go vet ./tests/ — clean
go test -run 'TestAdminToken' ./tests/ ./pkg/daemon/ — pass
go test -run 'TestAdminToken|TestProvision|TestCreateNetwork|TestAuditExport' ./tests/ — pass (18.9s)
Scope
tests/testenv.go
Closes PILOT-296
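A sketch of the pattern the description outlines, added here as an example and not the code from tests/testenv.go. The 16-byte hex token, the helper names (newTestAdminToken, findLeaks, redact) and the leakPattern regex are assumptions, because the page shows neither the diff nor the project's redaction-test regex.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
)

// tokenPrefix is the prefix named in the PR description.
const tokenPrefix = "sk-test-"

// leakPattern stands in for the project's redaction-test regex, which the
// page does not show (assumption: prefix followed by 32 lowercase hex chars).
var leakPattern = regexp.MustCompile(`sk-test-[0-9a-f]{32}`)

// newTestAdminToken returns a fresh token from the OS CSPRNG.
// Assumption: 16 random bytes, hex-encoded; the PR's actual length is not shown.
func newTestAdminToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		// Fail closed: never fall back to a predictable value.
		panic("crypto/rand: " + err.Error())
	}
	return tokenPrefix + hex.EncodeToString(b)
}

// TestAdminToken is a var initialized at package init, so every run of the
// test binary gets a different value.
var TestAdminToken = newTestAdminToken()

// findLeaks returns every token-shaped string in a captured log.
func findLeaks(logCapture string) []string {
	return leakPattern.FindAllString(logCapture, -1)
}

// redact masks token-shaped strings before a log is stored or shared.
func redact(logCapture string) string {
	return leakPattern.ReplaceAllString(logCapture, tokenPrefix+"[REDACTED]")
}

func main() {
	// Constructed log capture: one line carries the old constant, one the new token.
	capture := "auth ok token=test-admin-secret\nauth ok token=" + TestAdminToken + "\n"
	fmt.Println("leaks found:", len(findLeaks(capture)))
	fmt.Print(redact(capture))
}
```

The old constant has no recognizable shape, so a pattern-based log check passes over it; the prefixed random token is both unpredictable and detectable.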