[DO NOT MERGE] Phase A: stest x trond integration test (fork-only)

[warku123]

[fork-only test PR — DO NOT MERGE]

Validates the system-test integration end-to-end on this fork before opening upstream PRs. Will be closed (not merged) once CI is green.

Cross-repo dependencies (all on warku123 forks)

• warku123/tron-deployment v0.1.0 release — trond binary with embedded system-test HOCON template
• warku123/system-test:feat/trond-bridge — scripts/stest-up.sh and scripts/stest-down.sh
• warku123/java-tron:feat/system-test-trond (this branch) — .github/workflows/system-test.yml change

What this PR validates

The new node bring-up flow:

1. CI builds FullNode.jar from this PR's source (existing step, unchanged)
2. CI checks out warku123/system-test:feat/trond-bridge (Phase A temporary; Phase B will repoint to tronprotocol/system-test:release_workflow)
3. bash system-test/scripts/stest-up.sh:
   • downloads trond v0.1.0 from warku123/tron-deployment release (sha256-pinned)
   • pre-places FullNode.jar at /opt/tron/stest-singlenode/
   • runs trond recipe run system-test → systemd-managed node, ports 8090/50051/8545/18888
4. Existing gradle stest run targets the same testng.conf endpoints — zero changes to testcase/
5. stest-down.sh always runs to clean up systemd unit + install path

Phase B (after this is green)

• Flip actions/checkout's repository back to tronprotocol/system-test, ref back to release_workflow
• Flip TROND_RELEASE_URL default in stest-up.sh to tronprotocol/tron-deployment upstream release
• Open three upstream PRs (tron-deployment → system-test → java-tron) in dependency order

Linked

openspec change system-test-integration in tronprotocol/tron-deployment (Phase 5 — fork-side end-to-end validation)

---

Summary by cubic

Fork-only CI validation to run system tests using trond for node bring-up with deterministic teardown and structured logs. Uses warku123/system-test@feat/trond-bridge; ports and test endpoints remain unchanged.

• Refactors
  • Checkout warku123/system-test@feat/trond-bridge via actions/checkout.
  • Bring up with bash system-test/scripts/stest-up.sh using STEST_JAR; if the script is missing, fall back to legacy nohup java -jar (script-layer fallback inside stest-up.sh also remains).
  • Always run teardown: call system-test/scripts/stest-down.sh when present to ensure clean runs.
  • Capture logs: journalctl for tron-stest-singlenode, copy node.log (if present) and legacy fullnode.log, then upload as stest-node-logs.
  • Download trond v0.1.0 from warku123/tron-deployment (sha256-pinned); will flip to upstream in Phase B.

^{Written for commit f93be63. Summary will update on new commits.}

Summary by CodeRabbit

• Chores
  • Updated system test workflow to prefer standardized bring-up/teardown scripts with a fallback startup path.
  • Improved diagnostics: always capture and upload comprehensive node logs and system journal output from test runs.
  • Made teardown more reliable and ensured test data/state is cleared when appropriate.

[coderabbitai]

📝 Walkthrough

Walkthrough

The system-test workflow now checks out warku123/system-test@release_workflow, prefers running system-test/scripts/stest-up.sh with STEST_JAR to bring up the stest single-SR (falls back to java -jar start), always captures node logs into logs/ and uploads them as stest-node-logs, and always runs stest-down.sh for teardown when present.

Changes

System Test Workflow Restructuring

Layer / File(s)	Summary
Repository Selection .github/workflows/system-test.yml	Workflow checks out warku123/system-test at ref: release_workflow; Phase A/B comments added.
Bring-up (stest-up.sh preferred, fallback jar start) .github/workflows/system-test.yml	Adds "Bring up the stest single-SR" step preferring system-test/scripts/stest-up.sh with STEST_JAR set to the built FullNode.jar; falls back to copying config and starting java -jar FullNode.jar via nohup, polling HTTP :8090 for readiness if the script is absent.
Capture node logs .github/workflows/system-test.yml	Always-on step creates logs/, dumps journalctl -u tron-stest-singlenode, optionally copies /opt/tron/stest-singlenode/node.log, and copies java-tron/fullnode.log into logs/.
Teardown (stest-down.sh if present) .github/workflows/system-test.yml	Always-on teardown clears STEST_KEEP_DATA and runs system-test/scripts/stest-down.sh only when present, otherwise logs a skip message.
Artifact upload .github/workflows/system-test.yml	Uploads entire logs/ directory as stest-node-logs instead of the single java-tron/fullnode.log artifact.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through CI fields today,
A script nudged nodes awake with a tap,
Journals gathered every scurry and say,
Logs tucked neat in a tidy little lap,
Teardown sighed — no crumbs left on the map.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title references 'Phase A: stest x trond integration test' which directly relates to the main change (system-test to trond integration workflow updates), but the '[DO NOT MERGE]' prefix and '(fork-only)' suffix indicate this is a temporary validation PR not intended for merging.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/system-test-trond

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/system-test.yml:
- Around line 42-43: The workflow currently checks out a mutable branch via
"ref: feat/trond-bridge", which is a TOCTOU risk; change the checkout step to
pin the fork to a specific commit SHA (replace "ref: feat/trond-bridge" with the
full 40‑char commit SHA) and update the Phase A comment above the job to record
that exact SHA so reviewers can verify the exact revision being tested; also
ensure the Phase A comment references the scripts stest-up.sh and stest-down.sh
to indicate why the SHA is pinned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a9208ad9-d383-4ea7-8a16-12f717ae0bc2

📥 Commits

Reviewing files that changed from the base of the PR and between 22e0aa3 and dcd9076.

📒 Files selected for processing (1)

• .github/workflows/system-test.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the fork checkout to a full commit SHA to prevent silent TOCTOU code-execution risk.

ref: feat/trond-bridge is a mutable branch. Any push to warku123/system-test after this PR is opened silently replaces stest-up.sh (line 71) and stest-down.sh (line 102) — both of which run as unrestricted bash on the CI runner — without triggering any review gate. Because stest-up.sh also downloads the trond binary (whose SHA256 pin lives inside the script itself), an attacker or accidental push to the fork branch can change both the verification logic and the executed code in a single unreviewed commit.

🔒 Proposed fix — pin to a specific commit SHA

-          repository: warku123/system-test
-          ref: feat/trond-bridge
+          repository: warku123/system-test
+          ref: <full-40-char-commit-sha>   # e.g. the HEAD of feat/trond-bridge at time of review

Record the pinned SHA in the Phase A comment above so reviewers can verify what exact revision is being tested.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/system-test.yml around lines 42 - 43, The workflow
currently checks out a mutable branch via "ref: feat/trond-bridge", which is a
TOCTOU risk; change the checkout step to pin the fork to a specific commit SHA
(replace "ref: feat/trond-bridge" with the full 40‑char commit SHA) and update
the Phase A comment above the job to record that exact SHA so reviewers can
verify the exact revision being tested; also ensure the Phase A comment
references the scripts stest-up.sh and stest-down.sh to indicate why the SHA is
pinned.

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/system-test.yml">

<violation number="1" location=".github/workflows/system-test.yml:43">
P2: Pin this checkout to a full commit SHA instead of a mutable branch name. Using `ref: feat/trond-bridge` means any subsequent push to that branch silently replaces the scripts (`stest-up.sh`, `stest-down.sh`) that execute as unrestricted bash on the runner — including the SHA256 verification logic for the `trond` binary download. This is a supply-chain risk even for a temporary fork-only workflow.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Pin this checkout to a full commit SHA instead of a mutable branch name. Using ref: feat/trond-bridge means any subsequent push to that branch silently replaces the scripts (stest-up.sh, stest-down.sh) that execute as unrestricted bash on the runner — including the SHA256 verification logic for the trond binary download. This is a supply-chain risk even for a temporary fork-only workflow.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/system-test.yml, line 43:

<comment>Pin this checkout to a full commit SHA instead of a mutable branch name. Using `ref: feat/trond-bridge` means any subsequent push to that branch silently replaces the scripts (`stest-up.sh`, `stest-down.sh`) that execute as unrestricted bash on the runner — including the SHA256 verification logic for the `trond` binary download. This is a supply-chain risk even for a temporary fork-only workflow.</comment>

<file context>
@@ -27,11 +27,20 @@ jobs:
-          repository: tronprotocol/system-test
-          ref: release_workflow
+          repository: warku123/system-test
+          ref: feat/trond-bridge
           path: system-test
 
</file context>