test(e2e): keep the spawned entire binary off the real OS keychain

[Soph]

https://entire.io/gh/entireio/cli/trails/519

Problem

1ea54e2 added keyring.MockInit() to the cli package TestMain so in-process tests don't read the developer's keychain. But that's process-local — the e2e suite drives the real entire binary as a subprocess (via E2E_ENTIRE_BIN), which MockInit cannot touch. So mise run test:ci (which runs the canary) and mise run test:e2e still trigger a macOS keychain unlock prompt whenever a canary flow resolves credentials (e.g. the pre-push hook).

Two stores are reachable from the spawned binary:

• internal/entireclient/tokenstore (always compiled).
• the auth package's legacy keyring store — auth.NewStore().GetToken() fallback in contexts.go, which queries the keychain even when no token is present.

This was never a regression of 1ea54e2 (its MockInit is intact and only ever covered in-process tests) and is unrelated to the path-traversal work in #1365.

Fix

Neutralize both stores in the e2e environment:

• build:e2e task builds entire with -tags=authfilestore (compiles in the auth file backend). The canary, roger-roger, and default e2e tasks now use it. Production mise run build stays untagged.
• e2e TestMain sets, pointing into the run's artifact dir (inherited by the binary and the git hooks it spawns):
  • ENTIRE_TOKEN_STORE=file + ENTIRE_TOKEN_STORE_PATH — covers tokenstore (no tag needed).
  • ENTIRE_TEST_AUTH_STORE_FILE — covers the auth keyring store (honored only under authfilestore).

With these set, resolveBackendLocked returns a fileStore and chooseBackend returns the file backend, so no keyring/keychain call can occur.

Testing

• mise run test:e2e:canary green (vogon + roger-roger), now keychain-free by construction.
• Production build untouched; only e2e build/test paths use the tag + env.

🤖 Generated with Claude Code

---

Note

^{Cursor Bugbot is generating a summary for commit 2965add. Configure here.}

[Copilot]

Pull request overview

This PR updates the e2e build/test path so that the entire binary executed as a subprocess (and any git hooks it spawns) uses file-backed credential storage instead of the OS keychain, preventing macOS keychain unlock prompts during e2e runs.

Changes:

• Add a build:e2e mise task that builds entire with -tags=authfilestore for e2e usage.
• Update e2e mise task scripts to use build:e2e instead of the default build.
• Set e2e TestMain environment variables to force file-backed token/auth stores under the e2e artifact/run directory.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
mise.toml	Adds build:e2e task to build an e2e-friendly binary using the file-backed auth store tag.
mise-tasks/test/e2e/roger-roger	Switches e2e build step to build:e2e.
mise-tasks/test/e2e/canary	Switches e2e build step to build:e2e.
mise-tasks/test/e2e/_default	Switches default e2e build path to build:e2e when E2E_ENTIRE_BIN isn’t provided.
e2e/tests/main_test.go	Sets env vars in TestMain to route spawned binaries/hooks to file-backed token/auth stores.