
ROX-33599: Migrate sensitive Cypress.env() to cy.env() #19965

Draft
sachaudh wants to merge 4 commits into master from worktree-ROX-33599


sachaudh commented Apr 13, 2026

Description

Jira: ROX-33599

Cypress 15.10.0 deprecated Cypress.env() for sensitive values in favor of cy.env(), which avoids hydrating secrets into the browser context. This PR migrates all sensitive Cypress.env() calls (auth tokens, OCP credentials) to the new async cy.env() API.

  • Moved ROX_AUTH_TOKEN reads inside cy.env().then() across 8 helper files
  • Batched OCP credential reads (OCP_BRIDGE_AUTH_DISABLED, OPENSHIFT_CONSOLE_USERNAME, OPENSHIFT_CONSOLE_PASSWORD) into a single cy.env() call in ocpAuth.ts
  • Restructured basicAuth.js to always register beforeEach (no-op when token is absent)
  • Deleted dead tryDeleteIntegration function from integrations.helpers.js
  • Typed the CRS response object in the Cypress helper to replace any
  • Hid OCP password from Cypress command log output (log: false)
  • Added cy.log warning in basicAuth when ROX_AUTH_TOKEN is absent

Non-sensitive values (ORCHESTRATOR_FLAVOR, feature flags, AXE_CORE_PATH) remain on Cypress.env() and will be migrated to Cypress.expose() in ROX-33598.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

  • Verified ESLint passes on all 9 changed files
  • Confirmed zero Cypress.env('ROX_AUTH_TOKEN') and OCP credential calls remain
  • Remaining Cypress.env() calls are only non-sensitive values (out of scope, ROX-33598)
  • Full validation requires running Cypress E2E tests against a cluster (CI)
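
The check listed under "How I validated my change" (no sensitive `Cypress.env()` reads remain) can be kept as a regression guard. The following is an added example, not code from this PR or its repository: the key names come from the description above, while `findSensitiveEnvReads`, the `'*'` marker and the sample source are constructed for illustration.

```javascript
// Sensitive keys named in the PR description; extend as more are migrated.
const SENSITIVE_KEYS = [
    'ROX_AUTH_TOKEN',
    'OCP_BRIDGE_AUTH_DISABLED',
    'OPENSHIFT_CONSOLE_USERNAME',
    'OPENSHIFT_CONSOLE_PASSWORD',
];

// Keyed access: Cypress.env('KEY'), any quote style, optional whitespace.
const KEYED_ACCESS = /\bCypress\s*\.\s*env\s*\(\s*(['"`])([A-Za-z0-9_]+)\1/g;
// Argument-less call: Cypress.env() returns every variable, secrets included.
const FULL_READ = /\bCypress\s*\.\s*env\s*\(\s*\)/;

// Returns [{ line, key }] for each synchronous access to a sensitive value.
// key is '*' (hypothetical marker) when the whole environment object is read.
function findSensitiveEnvReads(source, sensitiveKeys = SENSITIVE_KEYS) {
    const findings = [];
    source.split('\n').forEach((text, index) => {
        // Ignore whole-line comments so migration notes do not trip the check.
        if (/^\s*(\/\/|\/\*|\*)/.test(text)) {
            return;
        }
        for (const match of text.matchAll(KEYED_ACCESS)) {
            if (sensitiveKeys.includes(match[2])) {
                findings.push({ line: index + 1, key: match[2] });
            }
        }
        if (FULL_READ.test(text)) {
            findings.push({ line: index + 1, key: '*' });
        }
    });
    return findings;
}

// Constructed sample helper (not from the repository); the cy.env() call
// shape on the last line is an assumption.
const SAMPLE_HELPER = [
    "// Cypress.env('ROX_AUTH_TOKEN') was read here before the migration",
    "const flavor = Cypress.env('ORCHESTRATOR_FLAVOR');",
    'const token = Cypress.env( "ROX_AUTH_TOKEN" );',
    'const { OPENSHIFT_CONSOLE_PASSWORD } = Cypress.env();',
    "cy.env(['ROX_AUTH_TOKEN']).then((env) => env);",
].join('\n');

console.log(findSensitiveEnvReads(SAMPLE_HELPER));
```

Run over each Cypress helper file in CI, a non-empty result fails the build; non-sensitive keys such as `ORCHESTRATOR_FLAVOR` pass until they are migrated separately.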

Cypress 15.10.0 deprecated Cypress.env() for sensitive values in favor
of cy.env(), which avoids hydrating secrets into the browser context.

Migrate all ROX_AUTH_TOKEN and OCP credential reads to the async
cy.env() API. Restructure basicAuth.js to read the token inside
beforeEach instead of at describe-level scope. Delete unused
tryDeleteIntegration helper.

Non-sensitive values remain on Cypress.env() for ROX-33598.

Partially generated by AI.

Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>

openshift-ci bot commented Apr 13, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


github-actions bot commented Apr 13, 2026

🚀 Build Images Ready

Images are ready for commit 08711da. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-636-g08711da9b0


codecov bot commented Apr 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.56%. Comparing base (64a3524) to head (bb3cfb6).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #19965   +/-   ##
=======================================
  Coverage   49.56%   49.56%           
=======================================
  Files        2764     2764           
  Lines      208357   208422   +65     
=======================================
+ Hits       103276   103310   +34     
- Misses      97430    97457   +27     
- Partials     7651     7655    +4     
Flag Coverage Δ
go-unit-tests 49.56% <ø> (+<0.01%) ⬆️


Replace `res: any` with `Cypress.Response<{ items: ClusterRegistrationSecret[] }>`
using the existing type from ClustersService, restoring type safety for
downstream destructured variables.

Note: partially generated by AI
Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>

Suppress password input from Cypress command log, screenshots,
and video recordings by passing `{ log: false }` to `.type()`.

Note: this change was partially generated by AI.
Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>

Without this, a missing token causes the beforeEach hook to silently
skip auth setup, leading to confusing "unauthorized" test failures
that don't point to the actual root cause.

Note: this change was partially generated by AI.
Signed-off-by: Saif Chaudhry <schaudhr@redhat.com>