[Test Coverage] Add comprehensive tests for image-tag module

[github-actions]

Summary

Adds a new test file src/image-tag.test.ts covering the previously-untested image-tag.ts module. This module validates and parses --image-tag CLI argument values, including digest pinning for supply-chain security.

Coverage Improvement

Before: image-tag.ts — 80.64% statements, 66.66% branches, 100% functions
After: image-tag.ts — 100% statements, 100% branches, 100% functions

Previously uncovered lines:

Line	Code	Test Added
18	throw when raw tag is empty string/whitespace	✅
24	throw when tag portion before first comma is empty	✅
33	continue for empty digest entry (e.g. trailing comma)	✅
38	throw for malformed entry (no =, empty key, empty value)	✅
47	throw for unrecognized digest key	✅
70	throw in buildRuntimeImageRef for invalid image name	✅

Security-Critical Paths Covered

The image-tag module is security-relevant because it validates digest pinning for container images. The new tests verify:

• Input validation — empty/whitespace-only tags are rejected
• Digest format enforcement — only lowercase sha256:<64-hex> digests accepted; uppercase hex, wrong lengths, and non-sha256 schemes all rejected
• Key allowlisting — only known image names (squid, agent, agent-act, api-proxy, cli-proxy) accepted as digest keys
• Entry format validation — malformed key=value entries throw with clear error messages
• buildRuntimeImageRef name validation — invalid image names rejected with the list of supported names

Tests Added (24 tests)

• 6 positive tests for valid inputs (legacy format, single digest, multiple digests, all keys, whitespace trimming, trailing comma)
• 12 negative tests for parseImageTag error paths
• 6 tests for buildRuntimeImageRef (with/without digests, per-image selection, error cases)

Validation

• ✅ Lint: 0 errors (only pre-existing warnings in other files)
• ✅ Build: TypeScript compiles cleanly
• ✅ All existing tests continue to pass (no regressions)

Generated by Weekly Test Coverage Improver · ● 2.2M · ◷

[Copilot]

Pull request overview

Adds missing unit test coverage for the src/image-tag.ts parsing/validation logic used to process --image-tag values (including digest pinning for runtime image references).

Changes:

• Added a new Jest test suite covering parseImageTag success cases and validation/error branches.
• Added tests for buildRuntimeImageRef to verify digest selection behavior and invalid image-name handling.

Show a summary per file

File	Description
src/image-tag.test.ts	New comprehensive tests for parseImageTag and buildRuntimeImageRef, including digest allowlisting and sha256 format validation.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 1

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	85.86%	86.10%	📈 +0.24%
Statements	85.86%	86.10%	📈 +0.24%
Functions	88.04%	88.04%	➡️ +0.00%
Branches	79.95%	80.24%	📈 +0.29%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	87.2% → 87.5% (+0.29%)	86.8% → 87.1% (+0.28%)
src/image-tag.ts	80.6% → 100.0% (+19.36%)	80.6% → 100.0% (+19.36%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	⚠️ (pre-step data not injected)
File write/read	⚠️ (file not found at expected path)
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

PR: [Test Coverage] Add comprehensive tests for image-tag module · author: @github-actions[bot] · reviewer: @Mossaka

Overall: PARTIAL PASS (MCP + BYOK inference confirmed; pre-step outputs not injected into prompt)

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Results
✅ GitHub MCP: chore: optimize test-coverage-improver workflow for ~50% token reduction
✅ GitHub MCP: feat: optimize Pelis Agent Factory Advisor to reduce token usage ~50%
✅ Playwright: GitHub homepage title verified
✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-25008506505.txt created
✅ Bash: File content verified

Status: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP	⚠️ N/A (template vars not substituted)
File write/read	⚠️ N/A (template vars not substituted)

PR: [Test Coverage] Add comprehensive tests for image-tag module
Author: @github-actions[bot] · No assignees

Overall: PARTIAL — MCP ✅, pre-step outputs not injected into prompt.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test

• chore: optimize test-coverage-improver workflow for ~50% token reduction
• feat: optimize Pelis Agent Factory Advisor to reduce token usage ~50%
• GitHub merged PR review ✅
• safeinputs-gh PR query ❌
• Playwright GitHub title ✅
• Tavily search ❌
• File write/read ✅
• Discussion comment ✅
• Build (npm ci && npm run build) ✅
• Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🔍 Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.14.1	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ Not all versions match — Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): The default ~/.m2/repository directory was owned by root (no write permission for runner). Used -Dmaven.repo.local=/tmp/gh-aw/agent/.m2/repository to work around the permission issue. Both gson and caffeine compiled and tested successfully.

Generated by Build Test Suite for issue #2232 · ● 406.3K · ◷

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING	❌ timeout (no response)
PostgreSQL pg_isready	❌ no response
PostgreSQL SELECT 1	❌ timeout

Overall: FAIL — host.docker.internal is not reachable from this runner environment. Service containers may not be configured or the network bridge is unavailable.

🔌 Service connectivity validated by Smoke Services