feat: test-isolation env var interpolation (#3977)

* add ci-setup file

* use script file

* ignore scripts

* add PROJECT_ID

* test name

* have local testing package

* change to es module

* separate entrypoint

* fix import path

* fix import syntax

* support variable interpolation

* file renames

* add unit tests

* add test workflow for scripts

* install before testing

* fix install

* add quotes to string

* remove dlp changes

* do not make auth configurable

* add RUN_ID

* simplify code

* rename to camelCase

* fix name

* fix tests

* do not ignore scripts directory

* use project env var

* ignore scripts directory

* do not ignore workflows directory

* use node 16 for healthcare/dicom

* changes to the config files should trigger all tests

* increased timeout for these tests

* fix flaky test

Author: davidcavazos

.github/config/nodejs-dev.jsonc

@@ -13,20 +13,15 @@
  See the License for the specific language governing permissions and
  limitations under the License.
 */
+
 {
-  "package-file": [
-    "package.json"
-  ],
+  "package-file": [ "package.json" ],
   "ci-setup-filename": "ci-setup.json",
   "ci-setup-defaults": {
     "node-version": 20,
     "timeout-minutes": 10,
-    "project-id": "long-door-651",
-    "workload-identity-provider": "projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider",
-    "service-account": "[email protected]",
-    "access-token-lifetime": "600s", // 10 minutes
-    "env": {},
-    "secrets": {}
+    "env": { },
+    "secrets": { }
   },
   "ignore": [
     ".eslintignore",
@@ -38,12 +33,11 @@
     ".github/auto-label.yaml",
     ".github/blunderbuss.yaml",
     ".github/cloud-samples-tools/",
-    ".github/config/",
     ".github/flakybot.yaml",
     ".github/header-checker-lint.yaml",
+    ".github/scripts/",
     ".github/snippet-bot.yml",
     ".github/trusted-contribution.yml",
-    ".github/workflows/",
     ".gitignore",
     ".kokoro/",
     ".prettierignore",
@@ -200,4 +194,4 @@
     "tpu",
     "workflows/invoke-private-endpoint"
   ]
-}
+}

.github/config/nodejs-prod.jsonc

@@ -20,10 +20,6 @@
   "ci-setup-defaults": {
     "node-version": 20,
     "timeout-minutes": 10,
-    "project-id": "long-door-651",
-    "workload-identity-provider": "projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider",
-    "service-account": "[email protected]",
-    "access-token-lifetime": "600s", // 10 minutes
     "env": { },
     "secrets": { }
   },
@@ -37,12 +33,11 @@
     ".github/auto-label.yaml",
     ".github/blunderbuss.yaml",
     ".github/cloud-samples-tools/",
-    ".github/config/",
     ".github/flakybot.yaml",
     ".github/header-checker-lint.yaml",
+    ".github/scripts/",
     ".github/snippet-bot.yml",
     ".github/trusted-contribution.yml",
-    ".github/workflows/",
     ".gitignore",
     ".kokoro/",
     ".prettierignore",

.github/scripts/cli/vars.js

@@ -0,0 +1,41 @@
+/*
+ Copyright 2025 Google LLC
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import setupVars from '../setup-vars.js';
+
+const project_id = process.env.PROJECT_ID;
+if (!project_id) {
+  console.error(
+    'Please set the PROJECT_ID environment variable to your Google Cloud project.'
+  );
+  process.exit(1);
+}
+
+const core = {
+  exportVariable: (_key, _value) => null,
+};
+
+const setupFile = process.argv[2];
+if (!setupFile) {
+  console.error('Please provide the path to a setup file.');
+  process.exit(1);
+}
+const data = fs.readFileSync(path.join('..', '..', setupFile), 'utf8');
+const setup = JSON.parse(data);
+
+setupVars({project_id, core, setup});

.github/scripts/nodejs-test.sh

@@ -0,0 +1,14 @@
+{
+  "name": "aritest",
+  "version": "1.0.0",
+  "type": "module",
+  "license": "Apache-2.0",
+  "private": true,
+  "scripts": {
+    "vars": "node cli/vars.js",
+    "test": "mocha -p -j 2 **/*.test.js"
+  },
+  "devDependencies": {
+    "mocha": "^11.1.0"
+  }
+}

.github/scripts/package.json

@@ -0,0 +1,72 @@
+/*
+ Copyright 2025 Google LLC
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+export default function setupVars({projectId, core, setup}, runId = null) {
+  // Define automatic variables plus custom variables.
+  const vars = {
+    PROJECT_ID: projectId,
+    RUN_ID: runId || uniqueId(),
+    ...(setup.env || {}),
+  };
+
+  // Apply variable interpolation.
+  const env = Object.fromEntries(
+    Object.keys(vars).map(key => [key, substituteVars(vars[key], vars)])
+  );
+
+  // Export environment variables.
+  console.log('env:');
+  for (const key in env) {
+    const value = env[key];
+    console.log(`  ${key}: ${value}`);
+    core.exportVariable(key, value);
+  }
+
+  // Show exported secrets, for logging purposes.
+  // TODO: We might want to fetch the secrets here and export them directly.
+  //       https://cloud.google.com/secret-manager/docs/create-secret-quickstart#secretmanager-quickstart-nodejs
+  console.log('secrets:');
+  for (const key in setup.secrets || {}) {
+    // This is the Google Cloud Secret Manager secret ID.
+    // NOT the secret value, so it's ok to show.
+    console.log(`  ${key}: ${setup.secrets[key]}`);
+  }
+
+  // Return env and secrets to use for further steps.
+  return {
+    env: env,
+    // Transform secrets into the format needed for the GHA secret manager step.
+    secrets: Object.keys(setup.secrets || {})
+      .map(key => `${key}:${setup.secrets[key]}`)
+      .join('\n'),
+  };
+}
+
+export function substituteVars(value, env) {
+  for (const key in env) {
+    let re = new RegExp(`\\$(${key}\\b|\\{\\s*${key}\\s*\\})`, 'g');
+    value = value.replaceAll(re, env[key]);
+  }
+  return value;
+}
+
+export function uniqueId(length = 6) {
+  const min = 2 ** 32;
+  const max = 2 ** 64;
+  return Math.floor(Math.random() * max + min)
+    .toString(36)
+    .slice(0, length);
+}

.github/scripts/setup-vars.js

@@ -0,0 +1,154 @@
+/*
+ Copyright 2025 Google LLC
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+import {deepStrictEqual} from 'assert';
+import setupVars from './setup-vars.js';
+import {substituteVars, uniqueId} from './setup-vars.js';
+
+const projectId = 'my-test-project';
+const core = {
+  exportVariable: (_key, _value) => null,
+};
+
+const autovars = {PROJECT_ID: projectId, RUN_ID: 'run-id'};
+
+describe('setupVars', () => {
+  describe('env', () => {
+    it('empty', () => {
+      const setup = {};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = autovars;
+      deepStrictEqual(vars.env, expected);
+    });
+
+    it('zero vars', () => {
+      const setup = {env: {}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = autovars;
+      deepStrictEqual(vars.env, expected);
+    });
+
+    it('one var', () => {
+      const setup = {env: {A: 'x'}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = {...autovars, A: 'x'};
+      deepStrictEqual(vars.env, expected);
+    });
+
+    it('three vars', () => {
+      const setup = {env: {A: 'x', B: 'y', C: 'z'}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = {...autovars, A: 'x', B: 'y', C: 'z'};
+      deepStrictEqual(vars.env, expected);
+    });
+
+    it('should override automatic variables', () => {
+      const setup = {env: {PROJECT_ID: 'custom-value'}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = {PROJECT_ID: 'custom-value', RUN_ID: 'run-id'};
+      deepStrictEqual(vars.env, expected);
+    });
+
+    it('should interpolate variables', () => {
+      const setup = {env: {A: 'x', B: 'y', C: '$A/${B}'}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = {...autovars, A: 'x', B: 'y', C: 'x/y'};
+      deepStrictEqual(vars.env, expected);
+    });
+
+    it('should not interpolate secrets', () => {
+      const setup = {
+        env: {C: '$x/$y'},
+        secrets: {A: 'x', B: 'y'},
+      };
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = {...autovars, C: '$x/$y'};
+      deepStrictEqual(vars.env, expected);
+    });
+  });
+
+  describe('secrets', () => {
+    it('zero secrets', () => {
+      const setup = {secrets: {}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      deepStrictEqual(vars.secrets, '');
+    });
+
+    it('one secret', () => {
+      const setup = {secrets: {A: 'x'}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = 'A:x';
+      deepStrictEqual(vars.secrets, expected);
+    });
+
+    it('three secrets', () => {
+      const setup = {secrets: {A: 'x', B: 'y', C: 'z'}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = 'A:x\nB:y\nC:z';
+      deepStrictEqual(vars.secrets, expected);
+    });
+
+    it('should not interpolate variables', () => {
+      const setup = {
+        env: {A: 'x', B: 'y'},
+        secrets: {C: '$A/$B'},
+      };
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = 'C:$A/$B';
+      deepStrictEqual(vars.secrets, expected);
+    });
+
+    it('should not interpolate secrets', () => {
+      const setup = {secrets: {A: 'x', B: 'y', C: '$A/$B'}};
+      const vars = setupVars({projectId, core, setup}, 'run-id');
+      const expected = 'A:x\nB:y\nC:$A/$B';
+      deepStrictEqual(vars.secrets, expected);
+    });
+  });
+});
+
+describe('substituteVars', () => {
+  it('should interpolate $VAR', () => {
+    const got = substituteVars('$A-$B', {A: 'x', B: 'y'});
+    const expected = 'x-y';
+    deepStrictEqual(got, expected);
+  });
+
+  it('should interpolate ${VAR}', () => {
+    const got = substituteVars('${A}-${B}', {A: 'x', B: 'y'});
+    const expected = 'x-y';
+    deepStrictEqual(got, expected);
+  });
+
+  it('should interpolate ${ VAR }', () => {
+    const got = substituteVars('${ A }-${ \tB\t }', {A: 'x', B: 'y'});
+    const expected = 'x-y';
+    deepStrictEqual(got, expected);
+  });
+
+  it('should not interpolate on non-word boundary', () => {
+    const got = substituteVars('$Ab', {A: 'x'});
+    const expected = '$Ab';
+    deepStrictEqual(got, expected);
+  });
+});
+
+describe('uniqueId', () => {
+  it('should match length', () => {
+    const n = 6;
+    deepStrictEqual(uniqueId(n).length, n);
+  });
+});