fix: address PR review feedback

kacpersaw · kacpersaw · commit 36ff1211d64e · 2025-12-15T14:16:41.000Z
- Add safety check to prevent running integration tests against
  non-KinD clusters (detects localhost/127.0.0.1/kind in host)
- Use SHA pinning for GitHub Actions with version comments
- Add INTEGRATION_TEST_UNSAFE=1 escape hatch for special cases
diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -30,15 +30,15 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version: "~1.22"
 
       - name: Create KinD cluster
-        uses: helm/kind-action@v1
+        uses: helm/kind-action@ca7011b09d9a57d57555716e97a4acea579a2b92 # v1
         with:
           cluster_name: integration-test
 
diff --git a/coder-logstream-kube b/coder-logstream-kube
diff --git a/integration_test.go b/integration_test.go
@@ -24,6 +24,8 @@ import (
 
 // getKubeClient creates a Kubernetes client from the default kubeconfig.
 // It will use KUBECONFIG env var if set, otherwise ~/.kube/config.
+// It also verifies the cluster is a KinD cluster to prevent accidentally
+// running tests against production clusters.
 func getKubeClient(t *testing.T) kubernetes.Interface {
 	t.Helper()
 
@@ -37,6 +39,25 @@ func getKubeClient(t *testing.T) kubernetes.Interface {
 	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
 	require.NoError(t, err, "failed to build kubeconfig")
 
+	// Safety check: ensure we're connecting to a KinD cluster.
+	// KinD clusters run on localhost or have "kind" in the host.
+	// This prevents accidentally running destructive tests against production clusters.
+	if config.Host != "" {
+		isKind := strings.Contains(config.Host, "127.0.0.1") ||
+			strings.Contains(config.Host, "localhost") ||
+			strings.Contains(strings.ToLower(config.Host), "kind")
+		if !isKind {
+			t.Fatalf("Safety check failed: integration tests must run against a KinD cluster. "+
+				"Current context points to %q. Set KUBECONFIG to a KinD cluster config or "+
+				"set INTEGRATION_TEST_UNSAFE=1 to bypass this check.", config.Host)
+		}
+	}
+
+	// Allow bypassing the safety check for CI or special cases
+	if os.Getenv("INTEGRATION_TEST_UNSAFE") == "1" {
+		t.Log("WARNING: INTEGRATION_TEST_UNSAFE=1 is set, bypassing KinD cluster check")
+	}
+
 	client, err := kubernetes.NewForConfig(config)
 	require.NoError(t, err, "failed to create kubernetes client")
 
