fix(cli): only include root steps with authorization in childIngestionSources

gastonyelmini · gastonyelmini · commit cb720f7e712f · 2026-04-09T13:10:31.000-03:00
Refine the previous fix to only add matched root steps when they carry
authorization metadata, avoiding unnecessary size increase in the
generated config files.
diff --git a/packages/integration-sdk-cli/src/commands/generate-ingestion-sources-config.test.ts b/packages/integration-sdk-cli/src/commands/generate-ingestion-sources-config.test.ts
@@ -26,7 +26,7 @@ describe('#generateIngestionSourcesConfig', () => {
     },
   };
 
-  it('should include the matched step itself in childIngestionSources even when no dependents exist', () => {
+  it('should not include matched steps without authorization in childIngestionSources', () => {
     const integrationSteps: IntegrationStep<IntegrationInstanceConfig>[] = [
       {
         id: 'fetch-vulnerability-alerts',
@@ -51,16 +51,11 @@ describe('#generateIngestionSourcesConfig', () => {
     expect(
       ingestionSourcesConfig[INGESTION_SOURCE_IDS.FINDING_ALERTS],
     ).toMatchObject(ingestionConfig[INGESTION_SOURCE_IDS.FINDING_ALERTS]);
-    // childIngestionSources includes the matched step itself
+    // childIngestionSources is empty because the matched step has no authorization
     expect(
       ingestionSourcesConfig[INGESTION_SOURCE_IDS.FINDING_ALERTS]
         .childIngestionSources,
-    ).toEqual([
-      expect.objectContaining({
-        id: 'fetch-vulnerability-alerts',
-        name: 'Fetch Vulnerability Alerts',
-      }),
-    ]);
+    ).toBeEmpty();
     // ingestionSourcesConfig[INGESTION_SOURCE_IDS.FETCH_REPOS] is undefined because there are no steps using that ingestionSourceId
     expect(
       ingestionSourcesConfig[INGESTION_SOURCE_IDS.FETCH_REPOS],
@@ -142,16 +137,12 @@ describe('#generateIngestionSourcesConfig', () => {
     expect(
       ingestionSourcesConfig[INGESTION_SOURCE_IDS.FETCH_REPOS],
     ).toMatchObject(ingestionConfig[INGESTION_SOURCE_IDS.FETCH_REPOS]);
-    // New property added — includes the matched root step and its dependents
-    const childSources =
+    // Only includes dependents (fetch-repos has no authorization so it's excluded)
+    expect(
       ingestionSourcesConfig[INGESTION_SOURCE_IDS.FETCH_REPOS]
-        .childIngestionSources;
-    expect(childSources).toEqual(
-      expect.arrayContaining([
-        expect.objectContaining({ id: 'fetch-repos', name: 'Fetch Repos' }),
-        stepFetchVulnerabilityAlerts,
-        stepFetchIssues,
-      ]),
+        .childIngestionSources,
+    ).toEqual(
+      expect.arrayContaining([stepFetchVulnerabilityAlerts, stepFetchIssues]),
     );
     // For FINDING_ALERTS the ingestionConfig keep exactly the same
     expect(
@@ -199,4 +190,62 @@ describe('#generateIngestionSourcesConfig', () => {
       ingestionSourcesConfig[INGESTION_SOURCE_IDS.TEST_SOURCE],
     ).toBeUndefined();
   });
+
+  it('should include matched root steps that have authorization', () => {
+    const integrationSteps: IntegrationStep<IntegrationInstanceConfig>[] = [
+      {
+        id: 'fetch-repos',
+        name: 'Fetch Repos',
+        entities: [
+          {
+            resourceName: 'Github Repo',
+            _type: 'github_repo',
+            _class: ['CodeRepo'],
+          },
+        ],
+        relationships: [],
+        dependsOn: ['fetch-account'],
+        ingestionSourceId: INGESTION_SOURCE_IDS.FETCH_REPOS,
+        authorization: {
+          permissions: ['repo:read'],
+          endpoints: ['https://api.example.com/repos'],
+        },
+        executionHandler: jest.fn(),
+      },
+      {
+        id: 'fetch-issues',
+        name: 'Fetch Issues',
+        entities: [
+          {
+            resourceName: 'GitHub Issue',
+            _type: 'github_issue',
+            _class: ['Issue'],
+          },
+        ],
+        relationships: [],
+        dependsOn: ['fetch-repos'],
+        executionHandler: jest.fn(),
+      },
+    ];
+    const ingestionSourcesConfig = generateIngestionSourcesConfig(
+      ingestionConfig,
+      integrationSteps,
+    );
+    const children =
+      ingestionSourcesConfig[INGESTION_SOURCE_IDS.FETCH_REPOS]
+        .childIngestionSources;
+    // Root step with authorization is included
+    expect(children).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          id: 'fetch-repos',
+          authorization: {
+            permissions: ['repo:read'],
+            endpoints: ['https://api.example.com/repos'],
+          },
+        }),
+        expect.objectContaining({ id: 'fetch-issues' }),
+      ]),
+    );
+  });
 });
diff --git a/packages/integration-sdk-cli/src/commands/generate-ingestion-sources-config.ts b/packages/integration-sdk-cli/src/commands/generate-ingestion-sources-config.ts
@@ -110,10 +110,13 @@ export function generateIngestionSourcesConfig<
           matchedIntegrationStepIds.includes(value),
         ),
       );
-      // Include both the matched steps and their dependents, deduplicating by id
+      // Include matched steps that carry authorization and all dependents, deduplicating by id
       const seenIds = new Set<string>();
+      const matchedStepsWithAuth = matchedIntegrationSteps.filter(
+        (step) => step.authorization,
+      );
       const childIngestionSources = [
-        ...matchedIntegrationSteps,
+        ...matchedStepsWithAuth,
         ...dependentSteps,
       ].filter((step) => {
         if (seenIds.has(step.id)) return false;
