gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:21:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(scripts): move CI helpers out of scripts/ci-guards/

Browse Source 
The 'Regression guards' loop step in ci.yml runs:
    for g in scripts/ci-guards/*.sh; do bash "$g"; done

Per the directory's own contract (scripts/ci-guards/README.md), every
script there MUST be runnable bare with no args / no env. Three files
violated that contract — they're helpers consumed by specific CI job
steps with arguments, not regression guards. They were misplaced.

Moved (git mv):
  scripts/ci-guards/vendor-e2e-skip-check.sh         → scripts/
  scripts/ci-guards/vendor-e2e-skip-allowlist.txt    → scripts/
  scripts/ci-guards/coverage-pr-comment.sh           → scripts/

Updated ci.yml call sites:
  - deploy-vendor-e2e job: bash scripts/vendor-e2e-skip-check.sh $LOG
  - go-build-and-test job: bash scripts/coverage-pr-comment.sh

Tightened scripts/vendor-e2e-skip-check.sh arg parse from a silent
default ('LOG=${1:-test-output.log}') to a mandatory-arg form
('LOG=${1:?usage: ...}') so misuse fails loud at parse time rather
than at the missing-file check.

Updated scripts/ci-guards/README.md contract to spell out the
guard-vs-helper distinction explicitly; lists current helpers under
scripts/ for future-author guidance.

Verified locally: 'for g in scripts/ci-guards/*.sh; do bash $g; done'
returns clean (22 guards pass) on HEAD post-move.

Closes the regression-guards-loop failure that surfaced in CI run
25192163943 (job 73864471346 'Frontend Build').
This commit is contained in:
shankar0123
2026-04-30 22:37:12 +00:00
parent 7cb453a336
commit 7b8cadcd02
5 changed files with 44 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yml
+3 -3
View File
@@ -133,7 +133,7 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.number }} PR_NUMBER: ${{ github.event.number }}
GITHUB_REPOSITORY: ${{ github.repository }} GITHUB_REPOSITORY: ${{ github.repository }}
run: bash scripts/ci-guards/coverage-pr-comment.sh run: bash scripts/coverage-pr-comment.sh
# Bundle P / Strengthening #6 — QA-doc drift guards. Forces every PR # Bundle P / Strengthening #6 — QA-doc drift guards. Forces every PR
# that adds a Part to docs/testing-guide.md OR a seed row to # that adds a Part to docs/testing-guide.md OR a seed row to
@@ -327,7 +327,7 @@ jobs:
# placeholders). Collapsed to one job that brings up all 11 sidecars # placeholders). Collapsed to one job that brings up all 11 sidecars
# at once and runs the full VendorEdge_ test set. # at once and runs the full VendorEdge_ test set.
# #
# Skip-detection guard (scripts/ci-guards/vendor-e2e-skip-check.sh) # Skip-detection guard (scripts/vendor-e2e-skip-check.sh)
# enforces that no test SKIPs except the documented allowlist # enforces that no test SKIPs except the documented allowlist
# (windows-iis-requiring tests on Linux). If a sidecar fails to come # (windows-iis-requiring tests on Linux). If a sidecar fails to come
# up, requireSidecar() in deploy/test/vendor_e2e_helpers.go calls # up, requireSidecar() in deploy/test/vendor_e2e_helpers.go calls
@@ -387,7 +387,7 @@ jobs:
# lines in the test output and fails the build if it exceeds the # lines in the test output and fails the build if it exceeds the
# allowlist (windows-iis-requiring tests; legitimately skipped # allowlist (windows-iis-requiring tests; legitimately skipped
# on Linux per Phase 6 / frozen decision 0.5). # on Linux per Phase 6 / frozen decision 0.5).
run: bash scripts/ci-guards/vendor-e2e-skip-check.sh test-output.log run: bash scripts/vendor-e2e-skip-check.sh test-output.log
- name: Tear down sidecars - name: Tear down sidecars
if: always() if: always()
scripts/ci-guards/README.md
+21 -2
View File
@@ -16,8 +16,11 @@ Every script in this directory MUST:
1. Be exit-code 0 on a clean repo (no regression present). 1. Be exit-code 0 on a clean repo (no regression present).
2. Be exit-code non-zero on regression, with a `::error::` annotation 2. Be exit-code non-zero on regression, with a `::error::` annotation
prefix so PR reviewers see the failing line in the GitHub Actions UI. prefix so PR reviewers see the failing line in the GitHub Actions UI.
3. Be runnable from repo root via `bash scripts/ci-guards/<id>.sh` 3. **Be runnable from repo root via `bash scripts/ci-guards/<id>.sh`
no implicit `cd` requirement, no env-var requirement. with NO arguments and NO env-var requirements.** The CI loop step
(`for g in scripts/ci-guards/*.sh; do bash "$g"; done`) iterates
every `.sh` here without args; any script that requires an arg or
env var WILL fail in that loop.
4. Carry a head-comment block matching the in-source justification 4. Carry a head-comment block matching the in-source justification
from the original ci.yml entry: the audit-finding reference, the from the original ci.yml entry: the audit-finding reference, the
closure rationale, the exempt-surface list (if any). closure rationale, the exempt-surface list (if any).
@@ -25,6 +28,22 @@ Every script in this directory MUST:
6. Produce no output on the happy path beyond a final 6. Produce no output on the happy path beyond a final
`echo "<id>: clean."` confirmation line. `echo "<id>: clean."` confirmation line.
### Helpers vs guards
Scripts that consume input artifacts (a test-output log, a
`coverage.out` file) or env vars (`PR_NUMBER`, `GH_TOKEN`) are
HELPERS, not guards. They live in `scripts/`, NOT `scripts/ci-guards/`.
Current helpers:
- `scripts/vendor-e2e-skip-check.sh` — consumes `test-output.log`
arg from the deploy-vendor-e2e job
- `scripts/coverage-pr-comment.sh` — consumes `coverage.out` +
`PR_NUMBER` + `GH_TOKEN` env from the go-build-and-test job
- `scripts/check-coverage-thresholds.sh` — consumes `coverage.out`
+ `.github/coverage-thresholds.yml`
- `scripts/qa-doc-part-count.sh` + `scripts/qa-doc-seed-count.sh`
invoked via `make verify-docs` pre-tag, not in CI
## Adding a new guard ## Adding a new guard
1. Drop a new `<id>.sh` in this directory with the head-comment block 1. Drop a new `<id>.sh` in this directory with the head-comment block
scripts/ci-guards/coverage-pr-comment.sh → scripts/coverage-pr-comment.sh
+6 -1
View File
@@ -1,5 +1,5 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# scripts/ci-guards/coverage-pr-comment.sh # scripts/coverage-pr-comment.sh
# #
# Post a per-package coverage table as a PR comment on every PR. # Post a per-package coverage table as a PR comment on every PR.
# Self-hosted alternative to Codecov / Coveralls (per ci-pipeline-cleanup # Self-hosted alternative to Codecov / Coveralls (per ci-pipeline-cleanup
@@ -9,6 +9,11 @@
# in place if one already exists (avoids duplicate noise on subsequent # in place if one already exists (avoids duplicate noise on subsequent
# pushes to the same PR). # pushes to the same PR).
# #
# Lives in scripts/ (not scripts/ci-guards/) because it's a helper that
# consumes coverage.out + GH env vars — not a regression guard runnable
# bare. The scripts/ci-guards/ contract requires bare-callable, no-arg,
# no-env scripts. See scripts/ci-guards/README.md.
#
# Required env: # Required env:
# GH_TOKEN — secrets.GITHUB_TOKEN # GH_TOKEN — secrets.GITHUB_TOKEN
# PR_NUMBER — github.event.number # PR_NUMBER — github.event.number
scripts/ci-guards/vendor-e2e-skip-allowlist.txt → scripts/vendor-e2e-skip-allowlist.txt
+1 -1
View File
@@ -1,4 +1,4 @@
# scripts/ci-guards/vendor-e2e-skip-allowlist.txt # scripts/vendor-e2e-skip-allowlist.txt
# #
# Test names that are EXPECTED to skip on Linux ubuntu-latest CI runners. # Test names that are EXPECTED to skip on Linux ubuntu-latest CI runners.
# Each entry: one Go test function name per line. Lines starting with `#` # Each entry: one Go test function name per line. Lines starting with `#`
scripts/ci-guards/vendor-e2e-skip-check.sh → scripts/vendor-e2e-skip-check.sh
+13 -5
View File
@@ -1,9 +1,9 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# scripts/ci-guards/vendor-e2e-skip-check.sh # scripts/vendor-e2e-skip-check.sh
# #
# Counts `^--- SKIP:` lines in the vendor-e2e test output and fails # Counts `^--- SKIP:` lines in the vendor-e2e test output and fails
# the build if any test skipped that's NOT in the allowlist at # the build if any test skipped that's NOT in the allowlist at
# scripts/ci-guards/vendor-e2e-skip-allowlist.txt. # scripts/vendor-e2e-skip-allowlist.txt.
# #
# Per ci-pipeline-cleanup bundle Phase 5 / frozen decision 0.6. # Per ci-pipeline-cleanup bundle Phase 5 / frozen decision 0.6.
# requireSidecar() in deploy/test/vendor_e2e_helpers.go uses # requireSidecar() in deploy/test/vendor_e2e_helpers.go uses
@@ -12,12 +12,20 @@
# one fails to start, the affected tests skip silently. This # one fails to start, the affected tests skip silently. This
# guard catches that. # guard catches that.
# #
# Usage: bash scripts/ci-guards/vendor-e2e-skip-check.sh <test-output.log> # Lives in scripts/ (not scripts/ci-guards/) because it's a
# helper that consumes a test-output log produced by a specific
# CI step — not a regression guard runnable bare. The
# scripts/ci-guards/ contract requires bare-callable, no-arg
# scripts. See scripts/ci-guards/README.md.
#
# Usage: bash scripts/vendor-e2e-skip-check.sh <test-output.log>
set -e set -e
LOG="${1:-test-output.log}" # Mandatory arg — fail loud at parse time rather than when the file
ALLOWLIST="scripts/ci-guards/vendor-e2e-skip-allowlist.txt" # is missing (avoids the silent-default footgun).
LOG="${1:?usage: $0 <test-output.log>}"
ALLOWLIST="scripts/vendor-e2e-skip-allowlist.txt"
if [ ! -f "$LOG" ]; then if [ ! -f "$LOG" ]; then
echo "::error::test output log not found: $LOG" echo "::error::test output log not found: $LOG"