test: add unit tests for SBOM summary + extract into testable module

ronens88 · claude · ronens88 · commit d68685436cbf · 2026-03-24T11:36:39.000+02:00
Extract parseSBOMEntries and writeSBOMSummary into sbom-summary.js
so they can be unit-tested independently. Add 22 tests covering:
- Parsing with/without SBOM entries, multiple entries, edge cases
- Summary rendering (singular/plural, CycloneDX-only, SPDX-only)
- Backward compatibility with older cimon versions (no SBOM output)
- Binary/garbage output handling

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/dist/post/index.js b/dist/post/index.js
@@ -3520,6 +3520,8 @@ __nccwpck_require__.a(__webpack_module__, async (__webpack_handle_async_dependen
 /* harmony import */ var _actions_exec__WEBPACK_IMPORTED_MODULE_1__ = __nccwpck_require__(514);
 /* harmony import */ var fs__WEBPACK_IMPORTED_MODULE_2__ = __nccwpck_require__(147);
 /* harmony import */ var _actions_http_client__WEBPACK_IMPORTED_MODULE_3__ = __nccwpck_require__(255);
+/* harmony import */ var _sbom_summary_js__WEBPACK_IMPORTED_MODULE_4__ = __nccwpck_require__(21);
+
 
 
 
@@ -3562,6 +3564,11 @@ async function sudoExists() {
  * Determines the Cimon executable path.
  * Prefers the release-path saved by the main step so the same binary
  * is used for both start and stop.
+ *
+ * Backward compatibility: when the main step was run by an older version
+ * of cimon-action that did not call core.saveState('release-path', ...),
+ * core.getState() returns '' and we fall back to the default S3-downloaded
+ * binary at /tmp/cimon/cimon — exactly the same behavior as before.
  */
 function getCimonPath() {
     const savedPath = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getState('release-path');
@@ -3571,53 +3578,6 @@ function getCimonPath() {
     return CIMON_EXECUTABLE_PATH;
 }
 
-/**
- * Parses SBOM file entries from cimon agent stop output.
- * Returns an array of {cyclonedx, spdx} objects.
- */
-function parseSBOMEntries(output) {
-    const entries = [];
-    for (const line of output.split('\n')) {
-        if (!line.includes('"SBOM files written"')) continue;
-        try {
-            const parsed = JSON.parse(line);
-            if (parsed.cyclonedx || parsed.spdx) {
-                entries.push({
-                    cyclonedx: parsed.cyclonedx || '',
-                    spdx: parsed.spdx || '',
-                });
-            }
-        } catch {
-            // Not valid JSON, skip.
-        }
-    }
-    return entries;
-}
-
-/**
- * Builds a GitHub Actions job summary with SBOM results.
- */
-async function writeSBOMSummary(sbomEntries) {
-    if (sbomEntries.length === 0) return;
-
-    const rows = [['Format', 'Path']];
-    for (const entry of sbomEntries) {
-        if (entry.cyclonedx) {
-            rows.push(['CycloneDX', `\`${entry.cyclonedx}\``]);
-        }
-        if (entry.spdx) {
-            rows.push(['SPDX', `\`${entry.spdx}\``]);
-        }
-    }
-
-    await _actions_core__WEBPACK_IMPORTED_MODULE_0__.summary.addHeading('Cimon SBOM Report', 2)
-        .addRaw(
-            `**${sbomEntries.length}** SBOM${sbomEntries.length > 1 ? 's' : ''} generated during build.\n\n`
-        )
-        .addTable(rows)
-        .write();
-}
-
 async function run(config) {
     const cimonPath = getCimonPath();
 
@@ -3677,11 +3637,11 @@ async function run(config) {
     }
 
     // Parse and display SBOM summary regardless of stop exit code.
-    const sbomEntries = parseSBOMEntries(stopOutput);
+    const sbomEntries = (0,_sbom_summary_js__WEBPACK_IMPORTED_MODULE_4__/* .parseSBOMEntries */ .w)(stopOutput);
     if (sbomEntries.length > 0) {
         const reportJobSummary = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('report-job-summary');
         if (reportJobSummary) {
-            await writeSBOMSummary(sbomEntries);
+            await (0,_sbom_summary_js__WEBPACK_IMPORTED_MODULE_4__/* .writeSBOMSummary */ .k)(_actions_core__WEBPACK_IMPORTED_MODULE_0__, sbomEntries);
         }
     }
 
@@ -3711,6 +3671,77 @@ try {
 __webpack_handle_async_dependencies__();
 }, 1);
 
+/***/ }),
+
+/***/ 21:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __nccwpck_require__) => {
+
+/* harmony export */ __nccwpck_require__.d(__webpack_exports__, {
+/* harmony export */   "w": () => (/* binding */ parseSBOMEntries),
+/* harmony export */   "k": () => (/* binding */ writeSBOMSummary)
+/* harmony export */ });
+/**
+ * Pure helpers for parsing and displaying SBOM results in the
+ * GitHub Actions job summary.  Extracted so they can be unit-tested
+ * independently of the @actions/* runtime.
+ */
+
+/**
+ * Parses SBOM file entries from cimon agent stop output.
+ * Each JSON log line that contains `"SBOM files written"` is expected
+ * to carry `cyclonedx` and/or `spdx` path fields.
+ *
+ * @param {string} output - Combined stdout+stderr from `cimon agent stop`.
+ * @returns {Array<{cyclonedx: string, spdx: string}>}
+ */
+function parseSBOMEntries(output) {
+    const entries = [];
+    for (const line of output.split('\n')) {
+        if (!line.includes('"SBOM files written"')) continue;
+        try {
+            const parsed = JSON.parse(line);
+            if (parsed.cyclonedx || parsed.spdx) {
+                entries.push({
+                    cyclonedx: parsed.cyclonedx || '',
+                    spdx: parsed.spdx || '',
+                });
+            }
+        } catch {
+            // Not valid JSON, skip.
+        }
+    }
+    return entries;
+}
+
+/**
+ * Builds a GitHub Actions job summary table from SBOM entries.
+ *
+ * @param {import('@actions/core')} core - The @actions/core module.
+ * @param {Array<{cyclonedx: string, spdx: string}>} sbomEntries
+ */
+async function writeSBOMSummary(core, sbomEntries) {
+    if (sbomEntries.length === 0) return;
+
+    const rows = [['Format', 'Path']];
+    for (const entry of sbomEntries) {
+        if (entry.cyclonedx) {
+            rows.push(['CycloneDX', `\`${entry.cyclonedx}\``]);
+        }
+        if (entry.spdx) {
+            rows.push(['SPDX', `\`${entry.spdx}\``]);
+        }
+    }
+
+    await core.summary
+        .addHeading('Cimon SBOM Report', 2)
+        .addRaw(
+            `**${sbomEntries.length}** SBOM${sbomEntries.length > 1 ? 's' : ''} generated during build.\n\n`
+        )
+        .addTable(rows)
+        .write();
+}
+
+
 /***/ })
 
 /******/ });
@@ -3820,6 +3851,23 @@ __webpack_handle_async_dependencies__();
 /******/ 	};
 /******/ })();
 /******/ 
+/******/ /* webpack/runtime/define property getters */
+/******/ (() => {
+/******/ 	// define getter functions for harmony exports
+/******/ 	__nccwpck_require__.d = (exports, definition) => {
+/******/ 		for(var key in definition) {
+/******/ 			if(__nccwpck_require__.o(definition, key) && !__nccwpck_require__.o(exports, key)) {
+/******/ 				Object.defineProperty(exports, key, { enumerable: true, get: definition[key] });
+/******/ 			}
+/******/ 		}
+/******/ 	};
+/******/ })();
+/******/ 
+/******/ /* webpack/runtime/hasOwnProperty shorthand */
+/******/ (() => {
+/******/ 	__nccwpck_require__.o = (obj, prop) => (Object.prototype.hasOwnProperty.call(obj, prop))
+/******/ })();
+/******/ 
 /******/ /* webpack/runtime/compat */
 /******/ 
 /******/ if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = new URL('.', import.meta.url).pathname.slice(import.meta.url.match(/^file:\/\/\/\w:/) ? 1 : 0, -1) + "/";
diff --git a/package.json b/package.json
@@ -7,7 +7,8 @@
         "all": "npm run clean && npm run dist/main/index.js && npm run dist/post/index.js",
         "dist/main/index.js": "ncc build --out dist/main src/main/index.js",
         "dist/post/index.js": "ncc build --out dist/post src/post/index.js",
-        "clean": "rm -rf dist"
+        "clean": "rm -rf dist",
+        "test": "node --test src/**/*.test.js"
     },
     "keywords": [],
     "author": "",
diff --git a/src/post/index.js b/src/post/index.js
@@ -2,6 +2,7 @@ import core from '@actions/core';
 import exec from '@actions/exec';
 import fs from 'fs';
 import * as http from '@actions/http-client';
+import { parseSBOMEntries, writeSBOMSummary } from './sbom-summary.js';
 
 const CIMON_SCRIPT_DOWNLOAD_URL =
     'https://cimon-releases.s3.amazonaws.com/install.sh';
@@ -40,6 +41,11 @@ async function sudoExists() {
  * Determines the Cimon executable path.
  * Prefers the release-path saved by the main step so the same binary
  * is used for both start and stop.
+ *
+ * Backward compatibility: when the main step was run by an older version
+ * of cimon-action that did not call core.saveState('release-path', ...),
+ * core.getState() returns '' and we fall back to the default S3-downloaded
+ * binary at /tmp/cimon/cimon — exactly the same behavior as before.
  */
 function getCimonPath() {
     const savedPath = core.getState('release-path');
@@ -49,54 +55,6 @@ function getCimonPath() {
     return CIMON_EXECUTABLE_PATH;
 }
 
-/**
- * Parses SBOM file entries from cimon agent stop output.
- * Returns an array of {cyclonedx, spdx} objects.
- */
-function parseSBOMEntries(output) {
-    const entries = [];
-    for (const line of output.split('\n')) {
-        if (!line.includes('"SBOM files written"')) continue;
-        try {
-            const parsed = JSON.parse(line);
-            if (parsed.cyclonedx || parsed.spdx) {
-                entries.push({
-                    cyclonedx: parsed.cyclonedx || '',
-                    spdx: parsed.spdx || '',
-                });
-            }
-        } catch {
-            // Not valid JSON, skip.
-        }
-    }
-    return entries;
-}
-
-/**
- * Builds a GitHub Actions job summary with SBOM results.
- */
-async function writeSBOMSummary(sbomEntries) {
-    if (sbomEntries.length === 0) return;
-
-    const rows = [['Format', 'Path']];
-    for (const entry of sbomEntries) {
-        if (entry.cyclonedx) {
-            rows.push(['CycloneDX', `\`${entry.cyclonedx}\``]);
-        }
-        if (entry.spdx) {
-            rows.push(['SPDX', `\`${entry.spdx}\``]);
-        }
-    }
-
-    await core.summary
-        .addHeading('Cimon SBOM Report', 2)
-        .addRaw(
-            `**${sbomEntries.length}** SBOM${sbomEntries.length > 1 ? 's' : ''} generated during build.\n\n`
-        )
-        .addTable(rows)
-        .write();
-}
-
 async function run(config) {
     const cimonPath = getCimonPath();
 
@@ -160,7 +118,7 @@ async function run(config) {
     if (sbomEntries.length > 0) {
         const reportJobSummary = core.getBooleanInput('report-job-summary');
         if (reportJobSummary) {
-            await writeSBOMSummary(sbomEntries);
+            await writeSBOMSummary(core, sbomEntries);
         }
     }
 
diff --git a/src/post/sbom-summary.js b/src/post/sbom-summary.js
@@ -0,0 +1,60 @@
+/**
+ * Pure helpers for parsing and displaying SBOM results in the
+ * GitHub Actions job summary.  Extracted so they can be unit-tested
+ * independently of the @actions/* runtime.
+ */
+
+/**
+ * Parses SBOM file entries from cimon agent stop output.
+ * Each JSON log line that contains `"SBOM files written"` is expected
+ * to carry `cyclonedx` and/or `spdx` path fields.
+ *
+ * @param {string} output - Combined stdout+stderr from `cimon agent stop`.
+ * @returns {Array<{cyclonedx: string, spdx: string}>}
+ */
+export function parseSBOMEntries(output) {
+    const entries = [];
+    for (const line of output.split('\n')) {
+        if (!line.includes('"SBOM files written"')) continue;
+        try {
+            const parsed = JSON.parse(line);
+            if (parsed.cyclonedx || parsed.spdx) {
+                entries.push({
+                    cyclonedx: parsed.cyclonedx || '',
+                    spdx: parsed.spdx || '',
+                });
+            }
+        } catch {
+            // Not valid JSON, skip.
+        }
+    }
+    return entries;
+}
+
+/**
+ * Builds a GitHub Actions job summary table from SBOM entries.
+ *
+ * @param {import('@actions/core')} core - The @actions/core module.
+ * @param {Array<{cyclonedx: string, spdx: string}>} sbomEntries
+ */
+export async function writeSBOMSummary(core, sbomEntries) {
+    if (sbomEntries.length === 0) return;
+
+    const rows = [['Format', 'Path']];
+    for (const entry of sbomEntries) {
+        if (entry.cyclonedx) {
+            rows.push(['CycloneDX', `\`${entry.cyclonedx}\``]);
+        }
+        if (entry.spdx) {
+            rows.push(['SPDX', `\`${entry.spdx}\``]);
+        }
+    }
+
+    await core.summary
+        .addHeading('Cimon SBOM Report', 2)
+        .addRaw(
+            `**${sbomEntries.length}** SBOM${sbomEntries.length > 1 ? 's' : ''} generated during build.\n\n`
+        )
+        .addTable(rows)
+        .write();
+}
diff --git a/src/post/sbom-summary.test.js b/src/post/sbom-summary.test.js
