keystone/tests/Feature/RepositoryAccessTest.php

<?php

use App\Actions\Applications\GenerateDeployKey;
use App\Actions\Applications\VerifyRepositoryAccess;
use App\Models\Application;
use Illuminate\Support\Facades\Process;

it('stores generated deploy keys on the application without marking them installed', function () {
    $application = Application::factory()->create([
        'deploy_key_installed_at' => now(),
    ]);

    app(GenerateDeployKey::class)->execute($application, [
        'public' => 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITestPublicKey keystone',
        'private' => "-----BEGIN OPENSSH PRIVATE KEY-----\ntest\n-----END OPENSSH PRIVATE KEY-----",
        'fingerprint' => 'SHA256:test-fingerprint',
    ]);

    expect($application->refresh())
        ->deploy_key_public->toStartWith('ssh-ed25519')
        ->deploy_key_private->toContain('OPENSSH PRIVATE KEY')
        ->deploy_key_fingerprint->toBe('SHA256:test-fingerprint')
        ->deploy_key_installed_at->toBeNull();
});

it('verifies repository access with git ls-remote and a temporary ssh command', function () {
    Process::fake([
        '*' => Process::result(output: "abc123\trefs/heads/main\n"),
    ]);

    $application = Application::factory()->create([
        'repository_url' => 'git@example.com:org/repo.git',
        'default_branch' => 'main',
    ]);
    app(GenerateDeployKey::class)->execute($application, [
        'public' => 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITestPublicKey keystone',
        'private' => "-----BEGIN OPENSSH PRIVATE KEY-----\ntest\n-----END OPENSSH PRIVATE KEY-----",
        'fingerprint' => 'SHA256:test-fingerprint',
    ]);

    $verified = app(VerifyRepositoryAccess::class)->execute($application->refresh());

    expect($verified)->toBeTrue()
        ->and($application->refresh()->deploy_key_installed_at)->not->toBeNull();

    Process::assertRan(function ($process): bool {
        $command = is_array($process->command) ? implode(' ', $process->command) : $process->command;

        return str_contains($command, 'git')
            && str_contains($command, 'ls-remote')
            && str_contains($command, 'git@example.com:org/repo.git')
            && ($process->environment['GIT_SSH_COMMAND'] ?? null) !== null;
    });
});