test(e2e): harden push runtime guards

e2e/suites/provider/cases/common/provider_runtime_test.go

@@ -16,7 +16,10 @@ limitations under the License.
 
 package common
 
-import "testing"
+import (
+	"strings"
+	"testing"
+)
 
 func TestClusterProviderExternalSecretRuntimeSupportsAuthLifecycle(t *testing.T) {
 	runtimeWithoutHooks := &ClusterProviderExternalSecretRuntime{}
@@ -103,3 +106,21 @@ func TestClusterProviderPushRuntimeSupportsRemoteNamespaceOverrides(t *testing.T
 		t.Fatalf("expected SupportsRemoteNamespaceOverrides to return true when CreateWritableRemoteScope is present")
 	}
 }
+
+func TestApplyClusterProviderPushSecretPanicsWithClearMessageWhenRuntimeNil(t *testing.T) {
+	defer func() {
+		recovered := recover()
+		if recovered == nil {
+			t.Fatalf("expected panic when runtime is nil")
+		}
+		message, ok := recovered.(string)
+		if !ok {
+			t.Fatalf("expected panic message to be string, got %T", recovered)
+		}
+		if !strings.Contains(message, "cluster provider push harness returned nil runtime") {
+			t.Fatalf("expected panic message to mention nil runtime guard, got %q", message)
+		}
+	}()
+
+	applyClusterProviderPushSecret(nil, nil, "remote-secret")
+}

e2e/suites/provider/cases/common/push_secret.go

@@ -236,12 +236,11 @@ func ClusterProviderPushAllowsRemoteNamespaceOverride(f *framework.Framework, ha
 				Name:      "push-remote-override",
 				AuthScope: esv1.AuthenticationScopeManifestNamespace,
 			})
-			Expect(runtime).NotTo(BeNil(), "cluster provider push harness returned nil runtime")
+			applyClusterProviderPushSecret(tc, runtime, "push-remote-override-remote")
 			if !runtime.SupportsRemoteNamespaceOverrides() {
 				Skip(fmt.Sprintf("provider %q does not support remote namespace override hooks", runtime.ClusterProviderName))
 			}
 			overrideNamespace := runtime.CreateWritableRemoteScope("push-remote-override-target")
-			applyClusterProviderPushSecret(tc, runtime, "push-remote-override-remote")
 			tc.PushSecret.Spec.Data[0].Metadata = pushSecretMetadataWithRemoteNamespace(overrideNamespace)
 			tc.VerifyPushSecretOutcome = func(ps *esv1alpha1.PushSecret, _ esv1.SecretsClient) {
 				waitForPushSecretStatus(tc.Framework, ps.Namespace, ps.Name, corev1.ConditionTrue)
@@ -332,11 +331,10 @@ func clusterProviderPushRecoveryCase(f *framework.Framework, harness ClusterProv
 				Name:      name,
 				AuthScope: authScope,
 			})
-			Expect(runtime).NotTo(BeNil(), "cluster provider push harness returned nil runtime")
+			applyClusterProviderPushSecret(tc, runtime, fmt.Sprintf("%s-remote", name))
 			if !runtime.SupportsAuthLifecycle() {
 				Skip(fmt.Sprintf("provider %q does not support auth lifecycle recovery hooks", runtime.ClusterProviderName))
 			}
-			applyClusterProviderPushSecret(tc, runtime, fmt.Sprintf("%s-remote", name))
 			tc.PushSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Hour}
 			runtime.BreakAuth()
 		}
@@ -353,6 +351,10 @@ func clusterProviderPushRecoveryCase(f *framework.Framework, harness ClusterProv
 }
 
 func applyClusterProviderPushSecret(tc *framework.TestCase, runtime *ClusterProviderPushRuntime, remoteSecretName string) {
+	if runtime == nil {
+		panic("cluster provider push harness returned nil runtime")
+	}
+
 	tc.PushSecret.ObjectMeta.Name = fmt.Sprintf("%s-push-secret", remoteSecretName)
 	tc.PushSecret.Spec.SecretStoreRefs = []esv1alpha1.PushSecretStoreRef{{
 		Name:       runtime.ClusterProviderName,