Skip to content

TEST: skip Azure key-auth-disabled integration tests#2229

Open
romanlutz wants to merge 1 commit into
microsoft:mainfrom
romanlutz:romanlutz-gate-azure-key-auth-tests
Open

TEST: skip Azure key-auth-disabled integration tests#2229
romanlutz wants to merge 1 commit into
microsoft:mainfrom
romanlutz:romanlutz-gate-azure-key-auth-tests

Conversation

@romanlutz

Copy link
Copy Markdown
Contributor

Description

In our CI Azure tenant, API-key (local) authentication is administratively disabled (Entra/AAD auth only). As a result, a batch of key/secret-auth integration tests fail with HTTP 403 AuthenticationTypeDisabled ("Key based authentication is disabled for this resource"). This is an environmental/policy condition, not a code regression, and it pollutes the integration signal on every full RUN_ALL_TESTS=true run.

This PR makes those tests skip cleanly by applying a plain static @pytest.mark.skip with a shared per-file reason constant:

Azure key-based (local) auth is disabled in our tenant; covered by the Entra-auth tests (test_entra_auth_targets.py).

Key points on scope and safety:

  • Scoped by the failure signature, not by name. Only the tests that demonstrably returned 403 AuthenticationTypeDisabled in the last full run are gated (35 nodes across 4 files), plus 2 adjacent score tests that fail on a missing-key self-assert for the same root cause.
  • Coverage is preserved. The same endpoints already have passing Entra/AAD coverage in test_entra_auth_targets.py and test_entra_auth_converters.py, so little to no functional coverage is lost.
  • Skip, not delete. Environments that DO have key auth enabled still run these tests.
  • Genuine failures are not masked. Tests failing for other reasons (missing env vars, provider quota, realtime wss-connect errors, etc.) are deliberately left untouched, as are the embeddings tests and all e2e tests.
  • In mixed parametrizations, only the in-scope Azure-routed params are marked; non-Azure params (GOOGLE_GEMINI, ANTHROPIC, AWS, PLATFORM_OPENAI, GROQ, OPEN_ROUTER, OLLAMA) remain active.

The 5 notebook cases are gated via the test's skip-list; the proper long-term fix is to switch those notebooks to Entra auth, which is out of scope here.

Tests and Documentation

Test-only change; no production code is touched.

Validation (uv only):

  • --collect-only across the 5 files: 70 collected, 0 errors, out-of-scope IDs still collected.
  • RUN_ALL_TESTS=true scoped runs: all gated nodes report SKIPPED with the reason, 0 failures, no network traffic.
  • ruff check, ruff format --check, and pre-commit run --files <changed> all green.

JupyText: N/A (no documentation or notebook code samples changed; the notebook test change only adds 5 notebooks to a skip-list).

Key-based (local) auth is administratively disabled in our Azure tenant (Entra/AAD only), so a batch of integration target tests fail with HTTP 403 AuthenticationTypeDisabled. These endpoints already have passing Entra-auth coverage (test_entra_auth_targets.py), so the key-auth variants are redundant functional coverage.

Apply a static @pytest.mark.skip with a shared per-file reason constant to the 35 confirmed AuthenticationTypeDisabled nodes across four files, plus two adjacent score tests that fail on the same missing-key root cause: test_targets_and_secrets.py (21), test_openai_responses_gpt5.py (5, module pytestmark), test_target_filters.py (4), test_notebooks_targets.py (5), score/test_azure_content_filter_integration.py (2).

Out-of-scope failures (missing env, quota, realtime wss, AML, DeepSeek, Phi4, non-Azure providers) are left untouched. Test-only change; no production code.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 127c6e28-016f-4a16-99aa-43780f8a3c22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants