[fix]. Validate required startup secrets

2026-05-23 00:06:02 +02:00
parent 82436f90d1
commit 7bc6165fff
3 changed files with 31 additions and 1 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -8,7 +8,7 @@
 - [x] `BUG`: Enforce `.codex-review.yml` `enabled=false` at runtime (currently loaded but not enforced).
 - [x] `BUG`: Remove `.codex-review.yml` fix policy (`commands.allow_fix`) and rely on global `ENABLE_FIX_COMMANDS`.
 - [x] `BUG`: Add stuck-job recovery for `running` jobs (lease timeout + requeue/fail) so one crashed worker does not deadlock the queue.
- [ ] `BUG`: Validate required secrets/settings are non-empty at startup (`GITEA_WEBHOOK_SECRET`, `GITEA_TOKEN`, `ALLOWED_REPOS`) and fail fast if blank.
+- [x] `BUG`: Validate required secrets/settings are non-empty at startup (`GITEA_WEBHOOK_SECRET`, `GITEA_TOKEN`, `ALLOWED_REPOS`) and fail fast if blank.
 - [ ] `TEST`: Add integration test proving the runner executes the exact PR head SHA in isolated mode and does not rely on host checkout.

 ### P1 (Important)
--- a/src/gitea_codex_bot/main.py
+++ b/src/gitea_codex_bot/main.py
@@ -35,6 +35,17 @@ logger = logging.getLogger(__name__)


 def _validate_required_env(settings: Settings) -> None:
+    webhook_secret = settings.gitea_webhook_secret.get_secret_value()
+    if not webhook_secret.strip():
+        raise RuntimeError("GITEA_WEBHOOK_SECRET is required")
+
+    gitea_token = settings.gitea_token.get_secret_value()
+    if not gitea_token.strip():
+        raise RuntimeError("GITEA_TOKEN is required")
+
+    if not settings.allowed_repos.strip():
+        raise RuntimeError("ALLOWED_REPOS is required")
+
    if settings.codex_auth_mode != "api_key":
        return
    api_key = settings.openai_api_key.get_secret_value() if settings.openai_api_key else ""
--- a/tests/test_main_env_validation.py
+++ b/tests/test_main_env_validation.py
@@ -6,6 +6,25 @@ from gitea_codex_bot.config import get_settings
 from gitea_codex_bot.main import _validate_required_env


+@pytest.mark.parametrize(
+    ("env_name", "env_value", "error_text"),
+    [
+        ("GITEA_WEBHOOK_SECRET", "   ", "GITEA_WEBHOOK_SECRET is required"),
+        ("GITEA_TOKEN", "   ", "GITEA_TOKEN is required"),
+        ("ALLOWED_REPOS", "   ", "ALLOWED_REPOS is required"),
+    ],
+)
+def test_validate_required_env_fails_on_blank_required_settings(
+    monkeypatch: pytest.MonkeyPatch, env_name: str, env_value: str, error_text: str
+) -> None:
+    monkeypatch.setenv(env_name, env_value)
+    get_settings.cache_clear()
+    settings = get_settings()
+
+    with pytest.raises(RuntimeError, match=error_text):
+        _validate_required_env(settings)
+
+
 def test_validate_required_env_requires_api_key_in_api_key_mode(monkeypatch: pytest.MonkeyPatch) -> None:
    monkeypatch.setenv("OPENAI_API_KEY", "")
    monkeypatch.setenv("CODEX_AUTH_MODE", "api_key")