Skip to content

Added optional HTTP basic auth credentials to Diffy visual regression workflow.#2536

Merged
AlexSkrypnyk merged 4 commits into
mainfrom
feature/vr-http-auth
Jun 1, 2026
Merged

Added optional HTTP basic auth credentials to Diffy visual regression workflow.#2536
AlexSkrypnyk merged 4 commits into
mainfrom
feature/vr-http-auth

Conversation

@AlexSkrypnyk

@AlexSkrypnyk AlexSkrypnyk commented Jun 1, 2026

Copy link
Copy Markdown
Member

Summary

The Diffy project:compare CLI command supports --env1User/--env1Pass and --env2User/--env2Pass flags for HTTP basic auth, but they must only be passed when both the user and password are non-empty. The upstream PHP SDK uses isset() to check for presence - an empty string passes that check and causes Diffy to attempt basic-auth with empty credentials, which then fails against servers protected by Acquia Shield or htpasswd. This change conditionally builds an auth_args bash array and splices it into the diffy.phar project:compare call only when both halves of a credential pair are present.

Four optional GitHub Actions secrets (VR_SOURCE_HTTP_USER, VR_SOURCE_HTTP_PASS, VR_TARGET_HTTP_USER, VR_TARGET_HTTP_PASS) are wired into the comparison step. When unset (the common case for public environments) the auth_args array stays empty and the call is identical to the previous behaviour. The docs and installer fixture are updated to match.

Changes

  • .github/workflows/test-vr.yml - Added four optional env bindings for the new secrets; introduced an auth_args=() bash array that is populated only when both halves of a credential pair are non-empty; merged the array into the diffy.phar project:compare call using the ${arr[@]+"${arr[@]}"} safe-expansion idiom (no-op when the array is empty, safe under set -u).
  • .vortex/installer/tests/Fixtures/handler_process/visual_regression_enabled/.github/workflows/test-vr.yml - Regenerated fixture to match the template above.
  • .vortex/docs/content/development/visual-regression.mdx - Documented the four new optional secrets in the credentials table and added a paragraph explaining the conditional-passing behaviour and when the secrets are needed.
  • .vortex/docs/cspell.json - Added htpasswd to the spell-check dictionary.

Before / After

# BEFORE - credentials not supported; call is always unconditional
diffy.phar project:compare \
  "${PROJECT_ID}" "${SOURCE_ENV}" custom \
  --env2Url="${TARGET_URL}" \
  --name="${LABEL}"

# AFTER - auth_args array built conditionally; empty array expands to nothing
auth_args=()
if [ -n "${SOURCE_HTTP_USER}" ] && [ -n "${SOURCE_HTTP_PASS}" ]; then
  auth_args+=(--env1User="${SOURCE_HTTP_USER}" --env1Pass="${SOURCE_HTTP_PASS}")
fi
if [ -n "${TARGET_HTTP_USER}" ] && [ -n "${TARGET_HTTP_PASS}" ]; then
  auth_args+=(--env2User="${TARGET_HTTP_USER}" --env2Pass="${TARGET_HTTP_PASS}")
fi

#  secrets unset (public env) --> auth_args is empty
diffy.phar project:compare \
  "${PROJECT_ID}" "${SOURCE_ENV}" custom \
  --env2Url="${TARGET_URL}" \
  --name="${LABEL}"
  # (no auth flags)

#  secrets set (Shield / htpasswd env) --> auth_args carries the flags
diffy.phar project:compare \
  "${PROJECT_ID}" "${SOURCE_ENV}" custom \
  --env2Url="${TARGET_URL}" \
  --name="${LABEL}" \
  --env1User="alice" --env1Pass="s3cr3t" \
  --env2User="alice" --env2Pass="s3cr3t"

Summary by CodeRabbit

  • New Features

    • Visual regression testing now supports optional HTTP basic authentication for protected source and target environments.
  • Documentation

    • Added guidance on configuring authentication secrets for visual regression, noting they can be left unset for public environments and that project settings may alternatively provide credentials.

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

This PR adds optional HTTP basic authentication to the Diffy visual regression workflow by introducing four new GitHub Actions secrets for source/target credentials and conditionally passing them to the diffy.phar project:compare command; docs and spell-check are updated accordingly.

Changes

Visual Regression Authentication

Layer / File(s) Summary
Diffy comparison with conditional auth credentials
.github/workflows/test-vr.yml
New secret-backed env vars VR_SOURCE_HTTP_USER, VR_SOURCE_HTTP_PASS, VR_TARGET_HTTP_USER, and VR_TARGET_HTTP_PASS are added to the "Start Diffy comparison" step. An auth_args array conditionally appends --env1User/--env1Pass and/or --env2User/--env2Pass to diffy.phar project:compare only when both username and password are present for each environment.
Authentication documentation and spell check
.vortex/docs/content/development/visual-regression.mdx, .vortex/docs/cspell.json
Documentation documents the four optional secrets and advises leaving them unset for publicly reachable environments; notes that Diffy project settings can provide credentials and the CLI flags act as overrides. cspell.json adds "htpasswd" to the word list.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

A rabbit tweaks the workflow's art,
Secrets tucked where branches start,
User and pass must both arrive,
Then Diffy compares and tests survive,
🐰 Hops of green across the chart.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Added optional HTTP basic auth credentials to Diffy visual regression workflow' directly and clearly summarizes the main change: introducing optional HTTP basic authentication support to the Diffy visual regression workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/vr-http-auth

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

This comment has been minimized.

@AlexSkrypnyk

This comment has been minimized.

@AlexSkrypnyk

This comment has been minimized.

1 similar comment
@AlexSkrypnyk

This comment has been minimized.

@codecov

codecov Bot commented Jun 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.11%. Comparing base (88fb76f) to head (93ea584).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2536      +/-   ##
==========================================
- Coverage   86.56%   86.11%   -0.46%     
==========================================
  Files          94       87       -7     
  Lines        4660     4501     -159     
  Branches       47        3      -44     
==========================================
- Hits         4034     3876     -158     
+ Misses        626      625       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-vr.yml:
- Around line 186-191: The current shell snippet silently ignores partial
credential pairs and should instead fail fast: add guards around the
VR_SOURCE_HTTP_USER/VR_SOURCE_HTTP_PASS pair and the
VR_TARGET_HTTP_USER/VR_TARGET_HTTP_PASS pair to detect when only one of the
variables is set and exit with a clear error; keep the existing behavior of
appending to auth_args only when both variables are non-empty (the existing
auth_args+=(...) logic), but before that check use tests like -n for one and -z
for the other (or combine tests) and call echo >&2 with a descriptive message
and exit 1 if a half-configured pair is found so the workflow fails early and
clearly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: cd0e4934-3fca-43e6-aee5-2074221411e7

📥 Commits

Reviewing files that changed from the base of the PR and between faee452 and 93ea584.

⛔ Files ignored due to path filters (1)
  • .vortex/installer/tests/Fixtures/handler_process/visual_regression_enabled/.github/workflows/test-vr.yml is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (1)
  • .github/workflows/test-vr.yml

Comment on lines +186 to +191
auth_args=()
if [ -n "${VR_SOURCE_HTTP_USER}" ] && [ -n "${VR_SOURCE_HTTP_PASS}" ]; then
auth_args+=(--env1User="${VR_SOURCE_HTTP_USER}" --env1Pass="${VR_SOURCE_HTTP_PASS}")
fi
if [ -n "${VR_TARGET_HTTP_USER}" ] && [ -n "${VR_TARGET_HTTP_PASS}" ]; then
auth_args+=(--env2User="${VR_TARGET_HTTP_USER}" --env2Pass="${VR_TARGET_HTTP_PASS}")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fail fast on half-configured credential pairs.

If only one of the *_HTTP_USER / *_HTTP_PASS secrets is set, this step silently drops auth and turns a secrets misconfiguration into a later Diffy failure. Reject partial pairs here so the workflow fails with a clear error.

Suggested guard
           auth_args=()
+          if { [ -n "${VR_SOURCE_HTTP_USER}" ] || [ -n "${VR_SOURCE_HTTP_PASS}" ]; } &&
+             { [ -z "${VR_SOURCE_HTTP_USER}" ] || [ -z "${VR_SOURCE_HTTP_PASS}" ]; }; then
+            echo "::error::VR_SOURCE_HTTP_USER and VR_SOURCE_HTTP_PASS must both be set or both be unset."
+            exit 1
+          fi
+          if { [ -n "${VR_TARGET_HTTP_USER}" ] || [ -n "${VR_TARGET_HTTP_PASS}" ]; } &&
+             { [ -z "${VR_TARGET_HTTP_USER}" ] || [ -z "${VR_TARGET_HTTP_PASS}" ]; }; then
+            echo "::error::VR_TARGET_HTTP_USER and VR_TARGET_HTTP_PASS must both be set or both be unset."
+            exit 1
+          fi
           if [ -n "${VR_SOURCE_HTTP_USER}" ] && [ -n "${VR_SOURCE_HTTP_PASS}" ]; then
             auth_args+=(--env1User="${VR_SOURCE_HTTP_USER}" --env1Pass="${VR_SOURCE_HTTP_PASS}")
           fi
           if [ -n "${VR_TARGET_HTTP_USER}" ] && [ -n "${VR_TARGET_HTTP_PASS}" ]; then
             auth_args+=(--env2User="${VR_TARGET_HTTP_USER}" --env2Pass="${VR_TARGET_HTTP_PASS}")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-vr.yml around lines 186 - 191, The current shell
snippet silently ignores partial credential pairs and should instead fail fast:
add guards around the VR_SOURCE_HTTP_USER/VR_SOURCE_HTTP_PASS pair and the
VR_TARGET_HTTP_USER/VR_TARGET_HTTP_PASS pair to detect when only one of the
variables is set and exit with a clear error; keep the existing behavior of
appending to auth_args only when both variables are non-empty (the existing
auth_args+=(...) logic), but before that check use tests like -n for one and -z
for the other (or combine tests) and call echo >&2 with a descriptive message
and exit 1 if a half-configured pair is found so the workflow fails early and
clearly.

@github-actions

github-actions Bot commented Jun 1, 2026

Copy link
Copy Markdown

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.53% (201/204)
Per-class coverage
Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

@AlexSkrypnyk

This comment has been minimized.

2 similar comments
@AlexSkrypnyk

This comment has been minimized.

@AlexSkrypnyk

Copy link
Copy Markdown
Member Author

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.53% (201/204)
Per-class coverage
Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

@AlexSkrypnyk AlexSkrypnyk merged commit 40cdb1b into main Jun 1, 2026
31 checks passed
@AlexSkrypnyk AlexSkrypnyk deleted the feature/vr-http-auth branch June 1, 2026 03:39
@github-project-automation github-project-automation Bot moved this from BACKLOG to Release queue in Vortex 1.x Jun 1, 2026
@AlexSkrypnyk AlexSkrypnyk added this to the 1.39.0 milestone Jun 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Released in 1.39.0

Development

Successfully merging this pull request may close these issues.

1 participant