@@ -2,6 +2,8 @@ import * as sinon from "sinon";
22import { expect } from "chai" ;
33import * as localBuildModule from "@apphosting/build" ;
44import { localBuild } from "./localbuilds" ;
5+ import * as secrets from "./secrets" ;
6+ import { EnvMap } from "./yaml" ;
57
68describe ( "localBuild" , ( ) => {
79 afterEach ( ( ) => {
@@ -38,10 +40,81 @@ describe("localBuild", () => {
3840 const localApphostingBuildStub : sinon . SinonStub = sinon
3941 . stub ( localBuildModule , "localBuild" )
4042 . resolves ( bundleConfig ) ;
41- const { outputFiles, annotations, buildConfig } = await localBuild ( "./" , "nextjs" ) ;
43+ const { outputFiles, annotations, buildConfig } = await localBuild (
44+ "test-project" ,
45+ "./" ,
46+ "nextjs" ,
47+ ) ;
4248 expect ( annotations ) . to . deep . equal ( expectedAnnotations ) ;
4349 expect ( buildConfig ) . to . deep . equal ( expectedBuildConfig ) ;
4450 expect ( outputFiles ) . to . deep . equal ( expectedOutputFiles ) ;
4551 sinon . assert . calledWith ( localApphostingBuildStub , "./" , "nextjs" ) ;
4652 } ) ;
53+
54+ it ( "resolves BUILD-available secrets passed in the environment map and ignores RUNTIME-only ones" , async ( ) => {
55+ const bundleConfig = {
56+ version : "v1" as const ,
57+ runConfig : { runCommand : "npm run build:prod" } ,
58+ metadata : {
59+ adapterPackageName : "@apphosting/angular-adapter" ,
60+ adapterVersion : "14.1" ,
61+ framework : "nextjs" ,
62+ } ,
63+ outputFiles : { serverApp : { include : [ "./next/standalone" ] } } ,
64+ } ;
65+ sinon . stub ( localBuildModule , "localBuild" ) . callsFake ( async ( ) => {
66+ expect ( process . env . MY_BUILD_SECRET ) . to . equal ( "secret-value" ) ;
67+ expect ( process . env . MY_RUNTIME_SECRET ) . to . be . undefined ;
68+ expect ( process . env . MY_PLAIN_VAR ) . to . equal ( "plain-value" ) ;
69+ return bundleConfig ;
70+ } ) ;
71+ const loadSecretStub = sinon . stub ( secrets , "loadSecret" ) . resolves ( "secret-value" ) ;
72+
73+ const envMap : EnvMap = {
74+ MY_BUILD_SECRET : { secret : "my-secret-id" , availability : [ "BUILD" ] } ,
75+ MY_RUNTIME_SECRET : { secret : "runtime-only-id" , availability : [ "RUNTIME" ] } ,
76+ MY_PLAIN_VAR : { value : "plain-value" } ,
77+ } ;
78+
79+ await localBuild ( "test-project" , "./" , "nextjs" , envMap ) ;
80+
81+ expect ( loadSecretStub ) . to . have . been . calledWith ( "test-project" , "my-secret-id" ) ;
82+ // Confirm RUNTIME-only secret was ignored
83+ expect ( loadSecretStub ) . to . have . been . calledOnce ;
84+ // Confirm injected envs were cleaned up from the global scope after the build finishes
85+ expect ( process . env . MY_BUILD_SECRET ) . to . be . undefined ;
86+ expect ( process . env . MY_RUNTIME_SECRET ) . to . be . undefined ;
87+ } ) ;
88+
89+ it ( "handles environment variables that do not contain secrets" , async ( ) => {
90+ const bundleConfig = {
91+ version : "v1" as const ,
92+ runConfig : { runCommand : "npm run build:prod" } ,
93+ metadata : {
94+ adapterPackageName : "@apphosting/angular-adapter" ,
95+ adapterVersion : "14.1" ,
96+ framework : "nextjs" ,
97+ } ,
98+ outputFiles : { serverApp : { include : [ "./next/standalone" ] } } ,
99+ } ;
100+ sinon . stub ( localBuildModule , "localBuild" ) . callsFake ( async ( ) => {
101+ expect ( process . env . MY_PLAIN_VAR ) . to . equal ( "plain-value" ) ;
102+ expect ( process . env . ANOTHER_VAR ) . to . equal ( "another-value" ) ;
103+ return bundleConfig ;
104+ } ) ;
105+ const loadSecretStub = sinon . stub ( secrets , "loadSecret" ) . resolves ( "secret-value" ) ;
106+
107+ const envMap : EnvMap = {
108+ MY_PLAIN_VAR : { value : "plain-value" } ,
109+ ANOTHER_VAR : { value : "another-value" } ,
110+ } ;
111+
112+ await localBuild ( "test-project" , "./" , "nextjs" , envMap ) ;
113+
114+ expect ( loadSecretStub ) . to . not . have . been . called ;
115+ // We expect the original process.env to not have these injected globally after run completes,
116+ // as localBuild cleans up.
117+ expect ( process . env . MY_PLAIN_VAR ) . to . be . undefined ;
118+ expect ( process . env . ANOTHER_VAR ) . to . be . undefined ;
119+ } ) ;
47120} ) ;
0 commit comments