Add integration-auth workflow.

[whisper67265]

Close #63

Summary by CodeRabbit

• Tests

  • Added integration tests covering authentication and authorization for boost endpoints, including valid/invalid/missing token scenarios and a public health ping.

• Chores

  • Added a CI workflow to run integration tests on push and pull requests; failed runs upload logs for diagnosis.
  • Added an "integration" test dependency group for running the suite.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e3a772dd-abed-42f2-a3a4-177a9d47fec5

📥 Commits

Reviewing files that changed from the base of the PR and between e006995 and cbe2379.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• .github/workflows/integration-auth.yml
• pyproject.toml
• scripts/integration-auth.sh

✅ Files skipped from review due to trivial changes (1)

• pyproject.toml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/integration-auth.yml
• scripts/integration-auth.sh

---

📝 Walkthrough

Walkthrough

This PR adds complete integration testing infrastructure for Boost endpoint authentication. A new GitHub Actions workflow triggers on push and PR events, executes a test orchestration script that manages Docker stack setup and teardown, and runs pytest against a new integration test suite validating API token requirements and public endpoint accessibility.

Changes

Boost Endpoint Authentication Testing

Layer / File(s)	Summary
CI Workflow Configuration .github/workflows/integration-auth.yml	GitHub Actions workflow Integration auth runs on main/develop pushes and PRs, sets up Python 3.12, executes the integration-auth test script, and conditionally uploads compose logs as an artifact on failure.
Test Infrastructure and Execution Script scripts/integration-auth.sh, pyproject.toml	Bash entrypoint sources shared stack helpers, registers an EXIT trap for cleanup and log collection, builds and health-checks the Weblate stack, creates an admin API token and exports environment variables (token, base URL, compose config), installs pytest, and runs the integration auth test suite. pyproject.toml adds an integration dependency group with pytest and pytest-timeout.
Boost Endpoint Authentication Test Suite tests/integration/test_auth.py	Integration test class TestBoostEndpointAuth verifies that GET /boost-endpoint/info/ and POST /boost-endpoint/add-or-update/ succeed with valid tokens (202 for POST with accepted status), reject requests with invalid or missing tokens (401/403), and that GET /boost-endpoint/plugin-ping/ is accessible without authentication.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• cppalliance/cppa-weblate-plugin#72: Introduces the integration-smoke workflow and Weblate stack infrastructure that this PR's integration-auth workflow and test orchestration script extend for auth-specific testing.

Suggested reviewers

• henry0816191
• wpak-ai

🐰 A new test suite hops into view,
Auth checks make sure tokens ring true,
CI workflows run,
Integration's more fun,
With endpoints now covered right through! 🔐✅

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add integration-auth workflow' accurately reflects the main change in the pull request—adding a new GitHub Actions workflow file for integration authentication testing.
Linked Issues check	✅ Passed	The pull request implements all acceptance criteria from issue #63: API token auth on protected endpoints is tested, unauthenticated requests are verified to be rejected with 401/403, and the test is integrated into integration-auth.yml.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing integration authentication testing as specified in issue #63; no out-of-scope modifications are present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/integration-auth.yml (1)

13-17: ⚡ Quick win

Set least-privilege GITHUB_TOKEN permissions explicitly.

This workflow does not define permissions, so token scope depends on repo/org defaults. Lock it down for CI safety.

🔐 Proposed hardening

 name: Integration auth
 
 on:
   push:
     branches: [main, develop]
   pull_request:
     branches: [main, develop]
 
+permissions:
+  contents: read
+
 jobs:
   integration-auth:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration-auth.yml around lines 13 - 17, Add an explicit
least-privilege GITHUB_TOKEN permissions block for the workflow/job so the token
scope is not inherited from repo defaults: in the workflow containing the job
named "integration-auth" add a permissions: mapping (at top-level or scoped to
that job) that lists only the minimal scopes the CI needs (e.g., read-only for
contents, packages, actions, or write only for specific items if required);
update the "integration-auth" job to use that permissions block to lock down the
token.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/integration-auth.sh`:
- Line 43: Update the install command in scripts/integration-auth.sh (and the
same occurrence in scripts/integration-smoke.sh) to pin pytest to the version
from uv.lock and invoke pip via the Python module; replace the unpinned `pip
install --quiet pytest` invocation with `python -m pip install --quiet
"pytest==9.0.3"` so CI runs are reproducible.

---

Nitpick comments:
In @.github/workflows/integration-auth.yml:
- Around line 13-17: Add an explicit least-privilege GITHUB_TOKEN permissions
block for the workflow/job so the token scope is not inherited from repo
defaults: in the workflow containing the job named "integration-auth" add a
permissions: mapping (at top-level or scoped to that job) that lists only the
minimal scopes the CI needs (e.g., read-only for contents, packages, actions, or
write only for specific items if required); update the "integration-auth" job to
use that permissions block to lock down the token.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fa6f7615-4157-4494-b88e-1f710150aea7

📥 Commits

Reviewing files that changed from the base of the PR and between 8ca9cdf and e006995.

📒 Files selected for processing (3)

• .github/workflows/integration-auth.yml
• scripts/integration-auth.sh
• tests/integration/test_auth.py

[coderabbitai]

Actionable comments posted: 0