mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-04-25 00:51:20 +00:00
d404849351
* test: make test env hermetic; enforce CI parity via scripts/run_tests.sh
Fixes the recurring 'works locally, fails in CI' (and vice versa) class
of flakes by making tests hermetic and providing a canonical local runner
that matches CI's environment.
## Layer 1 — hermetic conftest.py (tests/conftest.py)
Autouse fixture now unsets every credential-shaped env var before every
test, so developer-local API keys can't leak into tests that assert
'auto-detect provider when key present'.
Pattern: unset any var ending in _API_KEY, _TOKEN, _SECRET, _PASSWORD,
_CREDENTIALS, _ACCESS_KEY, _PRIVATE_KEY, etc. Plus an explicit list of
credential names that don't fit the suffix pattern (AWS_ACCESS_KEY_ID,
FAL_KEY, GH_TOKEN, etc.) and all the provider BASE_URL overrides that
change auto-detect behavior.
Also unsets HERMES_* behavioral vars (HERMES_YOLO_MODE, HERMES_QUIET,
HERMES_SESSION_*, etc.) that mutate agent behavior.
Also:
- Redirects HOME to a per-test tempdir (not just HERMES_HOME), so
code reading ~/.hermes/* directly can't touch the real dir.
- Pins TZ=UTC, LANG=C.UTF-8, LC_ALL=C.UTF-8, PYTHONHASHSEED=0 to
match CI's deterministic runtime.
The old _isolate_hermes_home fixture name is preserved as an alias so
any test that yields it explicitly still works.
## Layer 2 — scripts/run_tests.sh canonical runner
'Always use scripts/run_tests.sh, never call pytest directly' is the
new rule (documented in AGENTS.md). The script:
- Unsets all credential env vars (belt-and-suspenders for callers
who bypass conftest — e.g. IDE integrations)
- Pins TZ/LANG/PYTHONHASHSEED
- Uses -n 4 xdist workers (matches GHA ubuntu-latest; -n auto on
a 20-core workstation surfaces test-ordering flakes CI will never
see, causing the infamous 'passes in CI, fails locally' drift)
- Finds the venv in .venv, venv, or main checkout's venv
- Passes through arbitrary pytest args
Installs pytest-split on demand so the script can also be used to run
matrix-split subsets locally for debugging.
## Remove 3 module-level dotenv stubs that broke test isolation
tests/hermes_cli/test_{arcee,xiaomi,api_key}_provider.py each had a
module-level:
if 'dotenv' not in sys.modules:
fake_dotenv = types.ModuleType('dotenv')
fake_dotenv.load_dotenv = lambda *a, **kw: None
sys.modules['dotenv'] = fake_dotenv
This patches sys.modules['dotenv'] to a fake at import time with no
teardown. Under pytest-xdist LoadScheduling, whichever worker collected
one of these files first poisoned its sys.modules; subsequent tests in
the same worker that imported load_dotenv transitively (e.g.
test_env_loader.py via hermes_cli.env_loader) got the no-op lambda and
saw their assertions fail.
dotenv is a required dependency (python-dotenv>=1.2.1 in pyproject.toml),
so the defensive stub was never needed. Removed.
## Validation
- tests/hermes_cli/ alone: 2178 passed, 1 skipped, 0 failed (was 4
failures in test_env_loader.py before this fix)
- tests/test_plugin_skills.py, tests/hermes_cli/test_plugins.py,
tests/test_hermes_logging.py combined: 123 passed (the caplog
regression tests from PR #11453 still pass)
- Local full run shows no F/E clusters in the 0-55% range that were
previously present before the conftest hardening
## Background
See AGENTS.md 'Testing' section for the full list of drift sources
this closes. Matrix split (closed as #11566) will be re-attempted
once this foundation lands — cross-test pollution was the root cause
of the shard-3 hang in that PR.
* fix(conftest): don't redirect HOME — it broke CI subprocesses
PR #11577's autouse fixture was setting HOME to a per-test tempdir.
CI started timing out at 97% complete with dozens of E/F markers and
orphan python processes at cleanup — tests (or transitive deps)
spawn subprocesses that expect a stable HOME, and the redirect broke
them in non-obvious ways.
Env-var unsetting and TZ/LANG/hashseed pinning (the actual CI-drift
fixes) are unchanged and still in place. HERMES_HOME redirection is
also unchanged — that's the canonical way to isolate tests from
~/.hermes/, not HOME.
Any code in the codebase reading ~/.hermes/* via `Path.home() / ".hermes"`
instead of `get_hermes_home()` is a bug to fix at the callsite, not
something to paper over in conftest.
104 lines
4.7 KiB
Bash
Executable file
104 lines
4.7 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Canonical test runner for hermes-agent. Run this instead of calling
|
|
# `pytest` directly to guarantee your local run matches CI behavior.
|
|
#
|
|
# What this script enforces:
|
|
# * -n 4 xdist workers (CI has 4 cores; -n auto diverges locally)
|
|
# * TZ=UTC, LANG=C.UTF-8, PYTHONHASHSEED=0 (deterministic)
|
|
# * Credential env vars blanked (conftest.py also does this, but this
|
|
# is belt-and-suspenders for anyone running `pytest` outside of
|
|
# our conftest path — e.g. calling pytest on a single file)
|
|
# * Proper venv activation
|
|
#
|
|
# Usage:
|
|
# scripts/run_tests.sh # full suite
|
|
# scripts/run_tests.sh tests/agent/ # one directory
|
|
# scripts/run_tests.sh tests/agent/test_foo.py::TestClass::test_method
|
|
# scripts/run_tests.sh --tb=long -v # pass-through pytest args
|
|
|
|
set -euo pipefail
|
|
|
|
# ── Locate repo root ────────────────────────────────────────────────────────
|
|
# Works whether this is the main checkout or a worktree.
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
|
|
|
|
# ── Activate venv ───────────────────────────────────────────────────────────
|
|
# Prefer a .venv in the current tree, fall back to the main checkout's venv
|
|
# (useful for worktrees where we don't always duplicate the venv).
|
|
VENV=""
|
|
for candidate in "$REPO_ROOT/.venv" "$REPO_ROOT/venv" "$HOME/.hermes/hermes-agent/venv"; do
|
|
if [ -f "$candidate/bin/activate" ]; then
|
|
VENV="$candidate"
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [ -z "$VENV" ]; then
|
|
echo "error: no virtualenv found in $REPO_ROOT/.venv or $REPO_ROOT/venv" >&2
|
|
exit 1
|
|
fi
|
|
|
|
PYTHON="$VENV/bin/python"
|
|
|
|
# ── Ensure pytest-split is installed (required for shard-equivalent runs) ──
|
|
if ! "$PYTHON" -c "import pytest_split" 2>/dev/null; then
|
|
echo "→ installing pytest-split into $VENV"
|
|
"$PYTHON" -m pip install --quiet "pytest-split>=0.9,<1"
|
|
fi
|
|
|
|
# ── Hermetic environment ────────────────────────────────────────────────────
|
|
# Mirror what CI does in .github/workflows/tests.yml + what conftest.py does.
|
|
# Unset every credential-shaped var currently in the environment.
|
|
while IFS='=' read -r name _; do
|
|
case "$name" in
|
|
*_API_KEY|*_TOKEN|*_SECRET|*_PASSWORD|*_CREDENTIALS|*_ACCESS_KEY| \
|
|
*_SECRET_ACCESS_KEY|*_PRIVATE_KEY|*_OAUTH_TOKEN|*_WEBHOOK_SECRET| \
|
|
*_ENCRYPT_KEY|*_APP_SECRET|*_CLIENT_SECRET|*_CORP_SECRET|*_AES_KEY| \
|
|
AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|FAL_KEY| \
|
|
GH_TOKEN|GITHUB_TOKEN)
|
|
unset "$name"
|
|
;;
|
|
esac
|
|
done < <(env)
|
|
|
|
# Unset HERMES_* behavioral vars too.
|
|
unset HERMES_YOLO_MODE HERMES_INTERACTIVE HERMES_QUIET HERMES_TOOL_PROGRESS \
|
|
HERMES_TOOL_PROGRESS_MODE HERMES_MAX_ITERATIONS HERMES_SESSION_PLATFORM \
|
|
HERMES_SESSION_CHAT_ID HERMES_SESSION_CHAT_NAME HERMES_SESSION_THREAD_ID \
|
|
HERMES_SESSION_SOURCE HERMES_SESSION_KEY HERMES_GATEWAY_SESSION \
|
|
HERMES_PLATFORM HERMES_INFERENCE_PROVIDER HERMES_MANAGED HERMES_DEV \
|
|
HERMES_CONTAINER HERMES_EPHEMERAL_SYSTEM_PROMPT HERMES_TIMEZONE \
|
|
HERMES_REDACT_SECRETS HERMES_BACKGROUND_NOTIFICATIONS HERMES_EXEC_ASK \
|
|
HERMES_HOME_MODE 2>/dev/null || true
|
|
|
|
# Pin deterministic runtime.
|
|
export TZ=UTC
|
|
export LANG=C.UTF-8
|
|
export LC_ALL=C.UTF-8
|
|
export PYTHONHASHSEED=0
|
|
|
|
# ── Worker count ────────────────────────────────────────────────────────────
|
|
# CI uses `-n auto` on ubuntu-latest which gives 4 workers. A 20-core
|
|
# workstation with `-n auto` gets 20 workers and exposes test-ordering
|
|
# flakes that CI will never see. Pin to 4 so local matches CI.
|
|
WORKERS="${HERMES_TEST_WORKERS:-4}"
|
|
|
|
# ── Run pytest ──────────────────────────────────────────────────────────────
|
|
cd "$REPO_ROOT"
|
|
|
|
# If the first argument starts with `-` treat all args as pytest flags;
|
|
# otherwise treat them as test paths.
|
|
ARGS=("$@")
|
|
|
|
echo "▶ running pytest with $WORKERS workers, hermetic env, in $REPO_ROOT"
|
|
echo " (TZ=UTC LANG=C.UTF-8 PYTHONHASHSEED=0; all credential env vars unset)"
|
|
|
|
# -o "addopts=" clears pyproject.toml's `-n auto` so our -n wins.
|
|
exec "$PYTHON" -m pytest \
|
|
-o "addopts=" \
|
|
-n "$WORKERS" \
|
|
--ignore=tests/integration \
|
|
--ignore=tests/e2e \
|
|
-m "not integration" \
|
|
"${ARGS[@]}"
|