chore: e2e and dependabot management scripting + agent docs #14625
- Add AGENTS.md with workflow guide for AI agents
- Add .agent-docs/DEPENDABOT.md for dependency management workflow
- Add .agent-docs/LOCAL_E2E_TESTING.md for local testing guide
- Add scripts/e2e-test-manager.ts for e2e test management
- Add scripts/check-dependabot.ts for checking security alerts
- Add e2e management commands to package.json (e2e-status, e2e-retry, e2e-monitor, etc.)
- Add AWS SDK dependencies to scripts/package.json

This infrastructure enables AI coding tools to:
- Monitor e2e test status with auto-retry
- Check and manage Dependabot alerts
- Follow consistent workflows for development and testing
| console.log(`Retrying ${failedBuildIds.length} failed builds using retry-build-batch`); | ||
|
|
||
| try { | ||
| const result = execSync(`aws codebuild retry-build-batch --region=${REGION} --profile=${E2E_PROFILE_NAME} --id="${batchId}"`, { |
Check warning
Code scanning / CodeQL
Indirect uncontrolled command line Medium
Copilot Autofix
AI about 2 months ago
In general, the way to fix this is to avoid passing untrusted data into a shell command string. Instead of execSync (string), use an API that does not invoke a shell and accepts arguments as an array, such as execFileSync from child_process. This prevents shell metacharacters in batchId from being interpreted by the shell.
Concretely for this script:
- Change the import from execSync to execFileSync.
- Replace the execSync call in retryFailedBuilds with an execFileSync call where:
  - The command is 'aws'.
  - The arguments are passed as an array: ['codebuild', 'retry-build-batch', '--region', REGION, '--profile', E2E_PROFILE_NAME, '--id', batchId].
- Keep the options object with encoding: 'utf8', stdio: 'pipe' so the behavior (capturing JSON output as a string) is preserved.
- Do not add additional validation or change how batchId is passed to AWS, to avoid altering existing functionality; simply prevent the shell from interpreting it.
All necessary changes are within scripts/e2e-test-manager.ts:
- Update the import line at the top to import execFileSync instead of execSync.
- Update the body of retryFailedBuilds to use execFileSync with an array of args.
No other parts of the script need to change.
| @@ -16,7 +16,7 @@ | ||
| import { CloudWatchLogsClient, GetLogEventsCommand } from '@aws-sdk/client-cloudwatch-logs'; | ||
| import { fromIni } from '@aws-sdk/credential-providers'; | ||
| import * as process from 'process'; | ||
| import { execSync } from 'child_process'; | ||
| import { execFileSync } from 'child_process'; | ||
|
|
||
| const E2E_PROFILE_NAME = 'AmplifyE2EProd'; | ||
| const REGION = 'us-east-1'; | ||
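Review bot: the 'child_process' import in this hunk drops execSync outright, so any other call site in scripts/e2e-test-manager.ts that still uses execSync will stop compiling. Confirm there are none before merging; if some remain, convert them to execFileSync with an argument array as well rather than importing both, so the shell-string pattern does not survive elsewhere in the file.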
| @@ -125,10 +125,23 @@ | ||
| console.log(`Retrying ${failedBuildIds.length} failed builds using retry-build-batch`); | ||
|
|
||
| try { | ||
| const result = execSync(`aws codebuild retry-build-batch --region=${REGION} --profile=${E2E_PROFILE_NAME} --id="${batchId}"`, { | ||
| encoding: 'utf8', | ||
| stdio: 'pipe', | ||
| }); | ||
| const result = execFileSync( | ||
| 'aws', | ||
| [ | ||
| 'codebuild', | ||
| 'retry-build-batch', | ||
| '--region', | ||
| REGION, | ||
| '--profile', | ||
| E2E_PROFILE_NAME, | ||
| '--id', | ||
| batchId, | ||
| ], | ||
| { | ||
| encoding: 'utf8', | ||
| stdio: 'pipe', | ||
| }, | ||
| ); | ||
|
|
||
| // Parse the result to get the new batch ID | ||
| const output = JSON.parse(result); |
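Review bot: batchId, the last element of the new argument array, is still passed through unchecked. execFileSync stops the shell from interpreting it, but a value beginning with '-' still reaches the aws CLI looking like an option rather than an id. Consider checking batchId against the expected batch id format before the call and passing it as a single '--id=' + batchId element instead of the separate '--id', batchId pair. The JSON.parse(result) that follows should also sit inside the existing try so a non-JSON response is reported rather than thrown.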
| console.error('Error: batchId required for retry command'); | ||
| process.exit(1); | ||
| } | ||
| const maxRetries = arg2 ? parseInt(arg2, 10) : DEFAULT_MAX_RETRIES; |
Check notice
Code scanning / CodeQL
Unused variable, import, function or class Note
Copilot Autofix
AI about 2 months ago
In general, to fix an unused variable warning, either remove the variable (and any associated computation) if it truly isn’t needed, or refactor the code so that the variable is actually used as intended. Here, maxRetries is calculated from CLI input but not used; current behavior ignores the second argument to retry. To avoid changing behavior, the safest fix is to stop declaring maxRetries altogether and keep treating retry as a single-argument command.
Concretely, in scripts/e2e-test-manager.ts, within the case 'retry': block of the main function, remove the declaration of maxRetries on line 472. Do not change the call to retryFailedBuilds(arg1) or any other logic, so command behavior remains the same while the unused variable disappears.
No extra imports, methods, or definitions are needed.
| @@ -469,7 +469,6 @@ | ||
| console.error('Error: batchId required for retry command'); | ||
| process.exit(1); | ||
| } | ||
| const maxRetries = arg2 ? parseInt(arg2, 10) : DEFAULT_MAX_RETRIES; | ||
| const newBatchId = await retryFailedBuilds(arg1); | ||
| console.log(`New batch started: ${newBatchId}`); | ||
| break; |
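Review bot: deleting the maxRetries line in the retry case silences the warning but leaves a second CLI argument accepted and silently ignored, since retryFailedBuilds(arg1) never receives a limit. Either reject or warn when arg2 is present for retry, or pass the parsed value through to retryFailedBuilds; if it is wired up, guard parseInt(arg2, 10) against NaN. Also check whether DEFAULT_MAX_RETRIES is still referenced anywhere after this removal.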
- Remove automatic mwinit call that prompts for credentials
- Let ada command fail naturally if credentials not available
- Provide clear error message instructing user to run mwinit
- Matches pattern from amplify-category-api repo

- Change from CodebuildDeveloper (category-api) to CodeBuildE2E (cli-gen1)
- Matches role name used in cloud-cli-utils.sh

- Add blank lines between sections per prettier rules
- Fixes lint failure in e2e tests

- Allow specifying custom container image via CODEBUILD_IMAGE_OVERRIDE env var
- Matches pattern from amplify-category-api repo
- Enables testing with updated container images

Usage: CODEBUILD_IMAGE_OVERRIDE=<image-uri> yarn cloud-e2e
Adds scripting and agentic guidance to assist with:
CODEBUILD_IMAGE_OVERRIDE environment variable

Adapted from amplify-category-api.