From 255f61e6c541f59cc937636a5e6d5fed43106922 Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Tue, 12 May 2026 14:12:39 +0000
Subject: [PATCH] ci(workflows): wire Auditable Codebase Bundle guards into ci.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three changes to .github/workflows/ci.yml:

1. Add internal/ciparity/... to the Go Test with Coverage package list.
   The four surface-parity tests run alongside everything else and
   contribute to the coverage report.

2. Skip cold-db-compose-smoke.sh in the existing generic regression-guards
   loop (under go-build-and-test). The script needs Docker + a fresh
   postgres volume; including it here would always fail because that job
   doesn't bring up compose. The other two new Bundle guards
   (complete-path-config-coverage.sh, doc-rot-detector.sh) are plain-shell
   + Python and need no Docker — the existing 'for g in
   scripts/ci-guards/*.sh' loop auto-picks them up.

3. New top-level job: 'cold-db-compose-smoke'
   - needs: go-build-and-test (don't waste compute if the basics are red)
   - 15-min wall-clock cap (image pull + compose-up + probe + teardown)
   - Dumps compose logs on failure for postgres + certctl-server +
     certctl-agent + certctl-tls-init so the failure is actionable
     without a re-run.

Validated:
- python3 -c 'import yaml; yaml.safe_load(...)' → yaml ok

Operator follow-up:
- Add 'cold-db-compose-smoke' to the master branch-protection
  required-checks list once the first successful run lands.

Audit-Closes: post-v2.1.0-anti-rot/item-6
---
 .github/workflows/ci.yml | 53 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5d5e7ac..ff7ebc1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -106,8 +106,10 @@ jobs: run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/crypto/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s - name: Go Test with Coverage + # internal/ciparity/... — post-v2.1.0 anti-rot item 2 surface- + # parity tests; stdlib-only so they always pass in this job. run: | - go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/api/router/... ./internal/auth/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out + go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/api/router/... ./internal/auth/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... ./internal/ciparity/... -count=1 -cover -coverprofile=coverage.out - name: Check Coverage Thresholds # ci-pipeline-cleanup Phase 2: per-package floors moved to 
@@ -207,10 +209,23 @@ jobs: # Adding a new guard: drop a new .sh; this loop auto-picks it up. # Contract: each guard MUST exit 0 on clean repo, non-zero with # ::error:: prefix on regression. See scripts/ci-guards/README.md. + # + # SKIP cold-db-compose-smoke.sh — it needs Docker + a fresh + # postgres volume, which only exists in the dedicated + # `cold-db-compose-smoke` job below. Including it in this loop + # would always fail (no Docker on the runners that don't bring + # up compose). run: | set -e fail=0 for g in scripts/ci-guards/*.sh; do + case "$(basename "$g")" in + cold-db-compose-smoke.sh) + echo "::group::$(basename "$g") (skipped — runs in dedicated job)" + echo "::endgroup::" + continue + ;; + esac echo "::group::$(basename "$g")" if ! bash "$g"; then fail=1 
@@ -219,6 +234,42 @@ jobs: done exit $fail + cold-db-compose-smoke: + # Per post-v2.1.0 anti-rot item 6 (Auditable Codebase Bundle). + # + # Catches migration-on-cold-DB regressions: wipe the postgres + # volume, bring the stack up cold, mint a day-0 admin, issue + + # renew + revoke a test certificate, assert audit rows, tear down. + # Targets the bug class that the warm-DB integration suite misses + # (canonical case: 2026-05-09 migration 000045 broken INSERT, + # fixed in commit 6444e13). + name: Cold-DB compose smoke + runs-on: ubuntu-latest + needs: go-build-and-test + steps: + - uses: actions/checkout@v4 + + - name: Show Docker versions + run: | + docker --version + docker compose version + + - name: Cold-DB compose smoke + # 15-min wall-clock cap covers cold image pull + compose-up + + # full issue/renew/revoke probe + teardown. Increase only if + # the underlying steps legitimately grow. + timeout-minutes: 15 + run: bash scripts/ci-guards/cold-db-compose-smoke.sh + + - name: Dump compose logs on failure + if: failure() + run: | + cd deploy + for svc in postgres certctl-server certctl-agent certctl-tls-init; do + echo "==== $svc ====" + docker compose logs --no-color --tail 200 "$svc" || true + done + frontend-build: name: Frontend Build runs-on: ubuntu-latest
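Review bot: in the first hunk (@@ -106,8 +106,10 @@, the Go Test with Coverage step), adding ./internal/ciparity/... to the -coverprofile package list changes what lands in coverage.out, but the following "Check Coverage Thresholds" step (whose comment says per-package floors were moved elsewhere in ci-pipeline-cleanup Phase 2) is not touched; confirm whether that step needs a floor entry for internal/ciparity or an explicit exclusion, otherwise the new package silently shifts the aggregate number without any floor guarding it. The added comment's "stdlib-only so they always pass in this job" also overstates things: being stdlib-only means the tests need no Docker or external services, not that they always pass; suggest "stdlib-only, so no external dependencies are needed in this job".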
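Review bot: in the second hunk (@@ -207,10 +209,23 @@, the regression-guards loop), the justification in the added comment ("no Docker on the runners that don't bring up compose") does not match the rest of the patch: the new cold-db-compose-smoke job runs on the same ubuntu-latest image and calls docker and docker compose straight after checkout, so Docker is present; what is missing in this loop is the fresh postgres volume and the compose stack, as the commit message correctly says. Reword the comment to that reason so the next reader does not "fix" it by installing Docker. The hard-coded case on the file name also contradicts the "drop a new .sh; this loop auto-picks it up" contract two lines above; at minimum document in scripts/ci-guards/README.md that guards needing a live stack must be added to this skip list and get a dedicated job, or adopt a name or marker (e.g. a *-compose-smoke.sh pattern) that the case can match generically.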
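Review bot: in the third hunk (@@ -219,6 +234,42 @@, the new cold-db-compose-smoke job), the "Dump compose logs on failure" step only helps if the stack is still up when it runs; the job comment and the commit message describe the script as ending with teardown, so if that teardown runs unconditionally (for instance from a trap) the containers are already gone on failure and every `docker compose logs ... || true` prints nothing while still succeeding, which defeats the stated goal of making the failure actionable without a re-run. Verify that scripts/ci-guards/cold-db-compose-smoke.sh skips teardown on a non-zero exit (or dumps logs itself before tearing down), and drop `|| true` or at least echo a notice when a service has no logs. The step also assumes the compose project is rooted at deploy/ with the default project name; if the script passes its own -f or -p, mirror that here or the logs call resolves a different project. Two smaller points: `actions/checkout@v4` is a mutable tag, and for a job that exists to close an audit item, pinning to a full commit SHA with the tag in a trailing comment is the more defensible choice; and `timeout-minutes: 15` is set on the step only, so the job itself still has the default job timeout, which is fine but worth a comment if the cap is meant to bound total compute.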