refactor(api): update tests for AIP-compliant APIs and add private service tests (#1151)

**Because**

- Integration tests were using deprecated `*UserPipeline` APIs that have
been removed in favor of `*NamespacePipeline` APIs
- The `LookUpPipeline` endpoint was incorrectly exposed in public
service despite being marked as INTERNAL
- Private service APIs (LookUpPipelineAdmin, ListPipelinesAdmin) lacked
integration test coverage
- Several tests were skipped due to outdated API method references
- The `PipelineRun.name` field was returning empty namespace/pipeline
values

**This commit**

- Updates all gRPC and REST integration tests to use new Namespace APIs
(`CreateNamespacePipeline`, `TriggerNamespacePipeline`, etc.)
- Removes public `LookUpPipeline` handler since it was removed from the
public protobuf service
- Adds private service integration tests (`grpc-pipeline-private.js`)
with proper service-to-service authentication using `Instill-User-Uid`
and `Instill-Requester-Uid` headers
- Fixes `PipelineRun` to properly populate the `Pipeline` field before
conversion, ensuring correct resource name generation
- Updates `renamePipelineRequiredFields` to include `new_pipeline_id`
per AIP-136
- Adds database query helpers (`getNamespaceUidFromId`,
`getPipelineUidFromId`) for internal UID lookups
- Renames JWT auth test files to Basic Auth to reflect CE edition
authentication
- Updates integration test protobufs to match current API definitions

Author: pinglin

.github/workflows/golangci-lint.yml

@@ -42,7 +42,7 @@ jobs:
           echo "LD_RUN_PATH=${ONNXRUNTIME_ROOT_PATH}/lib" >> $GITHUB_ENV
           echo "LIBRARY_PATH=${ONNXRUNTIME_ROOT_PATH}/lib" >> $GITHUB_ENV
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           version: v2.8.0
           args: --timeout=10m --build-tags onnx

go.mod

@@ -45,8 +45,8 @@ require (
 	github.com/h2non/filetype v1.1.3
 	github.com/iancoleman/strcase v0.3.0
 	github.com/influxdata/influxdb-client-go/v2 v2.14.0
-	github.com/instill-ai/protogen-go v0.3.3-alpha.0.20260118041154-8f06ba4d527d
-	github.com/instill-ai/x v0.10.1-alpha.0.20260118004501-5221537d0a1d
+	github.com/instill-ai/protogen-go v0.3.3-alpha.0.20260121105057-e8e7f1a4ac1f
+	github.com/instill-ai/x v0.10.1-alpha.0.20260121080139-2e854df73509
 	github.com/itchyny/gojq v0.12.17
 	github.com/jackc/pgx/v5 v5.7.6
 	github.com/jmoiron/sqlx v1.4.0

go.sum

@@ -513,10 +513,10 @@ github.com/influxdata/influxdb-client-go/v2 v2.14.0 h1:AjbBfJuq+QoaXNcrova8smSjw
 github.com/influxdata/influxdb-client-go/v2 v2.14.0/go.mod h1:Ahpm3QXKMJslpXl3IftVLVezreAUtBOTZssDrjZEFHI=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf h1:7JTmneyiNEwVBOHSjoMxiWAqB992atOeepeFYegn5RU=
 github.com/influxdata/line-protocol v0.0.0-20210922203350-b1ad95c89adf/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
-github.com/instill-ai/protogen-go v0.3.3-alpha.0.20260118041154-8f06ba4d527d h1:nQTNxSL0sakFtObb6tnZqXcB/LF1dqGFoaRfX5ywDfA=
-github.com/instill-ai/protogen-go v0.3.3-alpha.0.20260118041154-8f06ba4d527d/go.mod h1:bCnBosofpaUxKBuTTJM3/I3thAK37kvfBnKByjnLsl4=
-github.com/instill-ai/x v0.10.1-alpha.0.20260118004501-5221537d0a1d h1:YUOzft7m56Jj+FUohdmn36d8gFnDcDo/tO2ij1zrzhw=
-github.com/instill-ai/x v0.10.1-alpha.0.20260118004501-5221537d0a1d/go.mod h1:NZwVnFLteR6JvV35pCYOOO75YMzTABefbrBC6YWDF/E=
+github.com/instill-ai/protogen-go v0.3.3-alpha.0.20260121105057-e8e7f1a4ac1f h1:8GYg7QC7zVQlYfDak63+z6F1qc6rvTASf8O97tPNBrI=
+github.com/instill-ai/protogen-go v0.3.3-alpha.0.20260121105057-e8e7f1a4ac1f/go.mod h1:bCnBosofpaUxKBuTTJM3/I3thAK37kvfBnKByjnLsl4=
+github.com/instill-ai/x v0.10.1-alpha.0.20260121080139-2e854df73509 h1:sVodrc+jwN/q1XOV0UJPv+DBoEDXep4IK5khxj+7hCI=
+github.com/instill-ai/x v0.10.1-alpha.0.20260121080139-2e854df73509/go.mod h1:YiJG0vfsXUZxDg9Fnc6wxVhpOXMpa/gR7ELaaQM+5tQ=
 github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg=
 github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY=
 github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=

integration-test/const.js

@@ -18,16 +18,20 @@ if (__ENV.API_GATEWAY_PROTOCOL) {
 // API Gateway URL (localhost:8080 from host, api-gateway:8080 from container)
 const apiGatewayUrl = __ENV.API_GATEWAY_URL || "localhost:8080";
 
+// Determine if running from host (localhost) or container
+export const isHostMode = apiGatewayUrl === "localhost:8080";
+
 // Public hosts (via API Gateway)
 export const pipelinePublicHost = `${proto}://${apiGatewayUrl}`;
 export const mgmtPublicHost = `${proto}://${apiGatewayUrl}`;
 export const pipelineGRPCPublicHost = apiGatewayUrl;
 export const mgmtGRPCPublicHost = apiGatewayUrl;
 
 // Private hosts (direct backend, for internal service calls)
-export const pipelinePrivateHost = `http://pipeline-backend:3081`;
-export const pipelineGRPCPrivateHost = `pipeline-backend:3081`;
-export const mgmtGRPCPrivateHost = `mgmt-backend:3084`;
+// Use localhost ports when running from host, container names when in container
+export const pipelinePrivateHost = isHostMode ? `http://localhost:3081` : `http://pipeline-backend:3081`;
+export const pipelineGRPCPrivateHost = isHostMode ? `localhost:3081` : `pipeline-backend:3081`;
+export const mgmtGRPCPrivateHost = isHostMode ? `localhost:3084` : `mgmt-backend:3084`;
 
 export const dogImg = encoding.b64encode(
   open(`${__ENV.TEST_FOLDER_ABS_PATH}/integration-test/data/dog.jpg`, "b")
@@ -60,18 +64,20 @@ export const paramsGrpc = {
   timeout: "300s",
 };
 
-const randomUUID = uuidv4();
-export const paramsGRPCWithJwt = {
+// Invalid Basic Auth credentials for testing unauthorized access
+const invalidBasicAuth = encoding.b64encode("invalid-user:invalid-password");
+
+export const paramsGRPCWithInvalidAuth = {
   metadata: {
     "Content-Type": "application/json",
-    "Instill-User-Uid": randomUUID,
+    "Authorization": `Basic ${invalidBasicAuth}`,
   },
 };
 
-export const paramsHTTPWithJwt = {
+export const paramsHTTPWithInvalidAuth = {
   headers: {
     "Content-Type": "application/json",
-    "Instill-User-Uid": randomUUID,
+    "Authorization": `Basic ${invalidBasicAuth}`,
   },
 };
 
@@ -116,7 +122,9 @@ if (__ENV.DB_HOST) {
   dbHost = __ENV.DB_HOST;
 }
 
-export const db = sql.open(driver, `postgresql://postgres:password@${dbHost}:5432/pipeline?sslmode=disable`);
+// Database connections - pipeline for pipeline data, mgmt for namespace/owner data
+export const pipelinedb = sql.open(driver, `postgresql://postgres:password@${dbHost}:5432/pipeline?sslmode=disable`);
+export const mgmtDb = sql.open(driver, `postgresql://postgres:password@${dbHost}:5432/mgmt?sslmode=disable`);
 
 // Since the tests rely on a pre-existing user, this prefix is used to clean
 // up only the resources generated by these tests.

integration-test/grpc-pipeline-private.js

@@ -0,0 +1,244 @@
+import grpc from "k6/net/grpc";
+import { check, group } from "k6";
+
+import * as constant from "./const.js";
+import * as helper from "./helper.js";
+
+const publicClient = new grpc.Client();
+const privateClient = new grpc.Client();
+
+publicClient.load(["proto"], "pipeline/v1beta/pipeline_public_service.proto");
+privateClient.load(["proto"], "pipeline/v1beta/pipeline_private_service.proto");
+
+// ============================================================================
+// Private Service API Tests
+// These tests cover admin/private service APIs (PipelinePrivateService)
+// that are only accessible internally (port 3081, not exposed externally)
+//
+// For service-to-service communication, we pass internal headers:
+// - Instill-User-Uid: The authenticated user's UUID
+// - Instill-Requester-Uid: The requester's UUID (namespace making the request)
+// ============================================================================
+
+/**
+ * Get internal service metadata with user/requester UIDs.
+ * This simulates what the API Gateway would inject after authentication.
+ */
+function getInternalServiceMetadata() {
+  // Get the admin user's UID from the database
+  var userUid = helper.getNamespaceUidFromId(constant.defaultUsername);
+  if (!userUid) {
+    console.log(`[WARN] Could not get user UID for ${constant.defaultUsername}, using fallback`);
+    return null;
+  }
+
+  return {
+    metadata: {
+      "Instill-User-Uid": userUid,
+      "Instill-Requester-Uid": userUid, // For admin user, requester is the same
+    },
+  };
+}
+
+/**
+ * Test LookUpPipelineAdmin (private service)
+ * This endpoint is admin-only and requires the internal UID
+ * NOTE: Private service port (3081) is not exposed outside container,
+ * so this test only runs when executing from within the container.
+ */
+export function CheckLookUpPipelineAdmin(data) {
+  // Skip if running from host - private service port not exposed
+  if (constant.isHostMode) {
+    group("Pipelines API: Look up a pipeline by UID (Admin) [SKIPPED - host mode]", () => {
+      console.log("SKIPPED: Private service tests require running inside container");
+    });
+    return;
+  }
+
+  group("Pipelines API: Look up a pipeline by UID (Admin)", () => {
+    publicClient.connect(constant.pipelineGRPCPublicHost, {
+      plaintext: true,
+    });
+    privateClient.connect(constant.pipelineGRPCPrivateHost, {
+      plaintext: true,
+    });
+
+    // Get internal service metadata (simulates what API Gateway injects)
+    var internalMeta = getInternalServiceMetadata();
+    if (!internalMeta) {
+      console.log("[SKIP] Could not get internal service metadata, skipping LookUpPipelineAdmin");
+      publicClient.close();
+      privateClient.close();
+      return;
+    }
+
+    var reqBody = Object.assign(
+      {},
+      constant.simplePipelineWithYAMLRecipe
+    );
+
+    // Create a pipeline via public API
+    var createRes = publicClient.invoke(
+      "pipeline.v1beta.PipelinePublicService/CreateNamespacePipeline",
+      {
+        parent: constant.namespace,
+        pipeline: reqBody,
+      },
+      data.metadata
+    );
+    check(createRes, {
+      "CreateNamespacePipeline response StatusOK": (r) => r.status === grpc.StatusOK,
+    });
+
+    if (createRes.status !== grpc.StatusOK || !createRes.message || !createRes.message.pipeline) {
+      console.log("Failed to create pipeline in CheckLookUpPipelineAdmin, skipping remaining tests");
+      publicClient.close();
+      privateClient.close();
+      return;
+    }
+
+    var pipelineId = createRes.message.pipeline.id;
+
+    // Get the internal UID from database
+    var pipelineUid = helper.getPipelineUidFromId(pipelineId);
+    check(pipelineUid, {
+      "Got pipeline UID from database": (uid) => uid !== null && uid !== undefined,
+    });
+
+    if (!pipelineUid) {
+      console.log(`Failed to get pipeline UID for id=${pipelineId}, skipping LookUpAdmin test`);
+      // Cleanup
+      publicClient.invoke(
+        "pipeline.v1beta.PipelinePublicService/DeleteNamespacePipeline",
+        { name: `${constant.namespace}/pipelines/${pipelineId}` },
+        data.metadata
+      );
+      publicClient.close();
+      privateClient.close();
+      return;
+    }
+
+    // LookUpPipelineAdmin by UID permalink (private service)
+    // Use internal service headers for service-to-service communication
+    var lookupRes = privateClient.invoke(
+      "pipeline.v1beta.PipelinePrivateService/LookUpPipelineAdmin",
+      {
+        permalink: `pipelines/${pipelineUid}`,
+      },
+      internalMeta // Use internal service-to-service headers
+    );
+    check(lookupRes, {
+      "LookUpPipelineAdmin response StatusOK": (r) => r.status === grpc.StatusOK,
+      "LookUpPipelineAdmin response has pipeline": (r) =>
+        r.message && r.message.pipeline,
+      "LookUpPipelineAdmin response pipeline has correct id": (r) =>
+        r.message && r.message.pipeline && r.message.pipeline.id === pipelineId,
+      "LookUpPipelineAdmin response pipeline has name": (r) =>
+        r.message && r.message.pipeline && r.message.pipeline.name &&
+        r.message.pipeline.name.includes("/pipelines/"),
+    });
+
+    // Delete the pipeline
+    publicClient.invoke(
+      "pipeline.v1beta.PipelinePublicService/DeleteNamespacePipeline",
+      {
+        name: `${constant.namespace}/pipelines/${pipelineId}`,
+      },
+      data.metadata
+    );
+
+    publicClient.close();
+    privateClient.close();
+  });
+}
+
+/**
+ * Test ListPipelinesAdmin (private service)
+ * This endpoint lists all pipelines across all namespaces (admin only)
+ * NOTE: Private service port (3081) is not exposed outside container,
+ * so this test only runs when executing from within the container.
+ */
+export function CheckListPipelinesAdmin(data) {
+  // Skip if running from host - private service port not exposed
+  if (constant.isHostMode) {
+    group("Pipelines API: List all pipelines (Admin) [SKIPPED - host mode]", () => {
+      console.log("SKIPPED: Private service tests require running inside container");
+    });
+    return;
+  }
+
+  group("Pipelines API: List all pipelines (Admin)", () => {
+    publicClient.connect(constant.pipelineGRPCPublicHost, {
+      plaintext: true,
+    });
+    privateClient.connect(constant.pipelineGRPCPrivateHost, {
+      plaintext: true,
+    });
+
+    // Get internal service metadata (simulates what API Gateway injects)
+    var internalMeta = getInternalServiceMetadata();
+    if (!internalMeta) {
+      console.log("[SKIP] Could not get internal service metadata, skipping ListPipelinesAdmin");
+      publicClient.close();
+      privateClient.close();
+      return;
+    }
+
+    var reqBody = Object.assign(
+      {},
+      constant.simplePipelineWithYAMLRecipe
+    );
+
+    // Create a pipeline via public API
+    var createRes = publicClient.invoke(
+      "pipeline.v1beta.PipelinePublicService/CreateNamespacePipeline",
+      {
+        parent: constant.namespace,
+        pipeline: reqBody,
+      },
+      data.metadata
+    );
+    check(createRes, {
+      "CreateNamespacePipeline response StatusOK": (r) => r.status === grpc.StatusOK,
+    });
+
+    if (createRes.status !== grpc.StatusOK || !createRes.message || !createRes.message.pipeline) {
+      console.log("Failed to create pipeline in CheckListPipelinesAdmin, skipping remaining tests");
+      publicClient.close();
+      privateClient.close();
+      return;
+    }
+
+    var pipelineId = createRes.message.pipeline.id;
+
+    // ListPipelinesAdmin (private service)
+    // Use internal service headers for service-to-service communication
+    var listRes = privateClient.invoke(
+      "pipeline.v1beta.PipelinePrivateService/ListPipelinesAdmin",
+      {
+        pageSize: 100,
+      },
+      internalMeta // Use internal service-to-service headers
+    );
+    check(listRes, {
+      "ListPipelinesAdmin response StatusOK": (r) => r.status === grpc.StatusOK,
+      "ListPipelinesAdmin response has pipelines": (r) =>
+        r.message && r.message.pipelines,
+      "ListPipelinesAdmin response contains created pipeline": (r) =>
+        r.message && r.message.pipelines &&
+        r.message.pipelines.some(p => p.id === pipelineId),
+    });
+
+    // Delete the pipeline
+    publicClient.invoke(
+      "pipeline.v1beta.PipelinePublicService/DeleteNamespacePipeline",
+      {
+        name: `${constant.namespace}/pipelines/${pipelineId}`,
+      },
+      data.metadata
+    );
+
+    publicClient.close();
+    privateClient.close();
+  });
+}