gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 23:31:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci(workflows): wire Auditable Codebase Bundle guards into ci.yml

Browse Source 
Three changes to .github/workflows/ci.yml:

1. Add internal/ciparity/... to the Go Test with Coverage package
   list. The four surface-parity tests run alongside everything else
   and contribute to the coverage report.

2. Skip cold-db-compose-smoke.sh in the existing generic
   regression-guards loop (under go-build-and-test). The script needs
   Docker + a fresh postgres volume; including it here would always
   fail because that job doesn't bring up compose.

   The other two new Bundle guards
   (complete-path-config-coverage.sh, doc-rot-detector.sh) are
   plain-shell + Python and need no Docker — the existing
   'for g in scripts/ci-guards/*.sh' loop auto-picks them up.

3. New top-level job: 'cold-db-compose-smoke'
   - needs: go-build-and-test (don't waste compute if the basics are red)
   - 15-min wall-clock cap (image pull + compose-up + probe + teardown)
   - Dumps compose logs on failure for postgres + certctl-server +
     certctl-agent + certctl-tls-init so the failure is actionable
     without a re-run.

Validated:
  - python3 -c 'import yaml; yaml.safe_load(...)' → yaml ok

Operator follow-up:
  - Add 'cold-db-compose-smoke' to the master branch-protection
    required-checks list once the first successful run lands.

Audit-Closes: post-v2.1.0-anti-rot/item-6
This commit is contained in:
shankar0123
2026-05-12 14:12:39 +00:00
parent bef1feb54f
commit ae9e55e860
1 changed files with 52 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yml
+52 -1
View File
@@ -106,8 +106,10 @@ jobs:
run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/crypto/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s run: go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/crypto/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -timeout 300s
- name: Go Test with Coverage - name: Go Test with Coverage
# internal/ciparity/... — post-v2.1.0 anti-rot item 2 surface-
# parity tests; stdlib-only so they always pass in this job.
run: | run: |
go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/api/router/... ./internal/auth/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... -count=1 -cover -coverprofile=coverage.out go test ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/api/router/... ./internal/auth/... ./internal/integration/... ./internal/connector/issuer/... ./internal/connector/target/... ./internal/connector/notifier/... ./internal/connector/discovery/... ./internal/crypto/... ./internal/mcp/... ./internal/cli/... ./internal/domain/... ./internal/validation/... ./internal/tlsprobe/... ./internal/ciparity/... -count=1 -cover -coverprofile=coverage.out
- name: Check Coverage Thresholds - name: Check Coverage Thresholds
# ci-pipeline-cleanup Phase 2: per-package floors moved to # ci-pipeline-cleanup Phase 2: per-package floors moved to
@@ -207,10 +209,23 @@ jobs:
# Adding a new guard: drop a new <id>.sh; this loop auto-picks it up. # Adding a new guard: drop a new <id>.sh; this loop auto-picks it up.
# Contract: each guard MUST exit 0 on clean repo, non-zero with # Contract: each guard MUST exit 0 on clean repo, non-zero with
# ::error:: prefix on regression. See scripts/ci-guards/README.md. # ::error:: prefix on regression. See scripts/ci-guards/README.md.
#
# SKIP cold-db-compose-smoke.sh — it needs Docker + a fresh
# postgres volume, which only exists in the dedicated
# `cold-db-compose-smoke` job below. Including it in this loop
# would always fail (no Docker on the runners that don't bring
# up compose).
run: | run: |
set -e set -e
fail=0 fail=0
for g in scripts/ci-guards/*.sh; do for g in scripts/ci-guards/*.sh; do
case "$(basename "$g")" in
cold-db-compose-smoke.sh)
echo "::group::$(basename "$g") (skipped — runs in dedicated job)"
echo "::endgroup::"
continue
;;
esac
echo "::group::$(basename "$g")" echo "::group::$(basename "$g")"
if ! bash "$g"; then if ! bash "$g"; then
fail=1 fail=1
@@ -219,6 +234,42 @@ jobs:
done done
exit $fail exit $fail
cold-db-compose-smoke:
# Per post-v2.1.0 anti-rot item 6 (Auditable Codebase Bundle).
#
# Catches migration-on-cold-DB regressions: wipe the postgres
# volume, bring the stack up cold, mint a day-0 admin, issue +
# renew + revoke a test certificate, assert audit rows, tear down.
# Targets the bug class that the warm-DB integration suite misses
# (canonical case: 2026-05-09 migration 000045 broken INSERT,
# fixed in commit 6444e13).
name: Cold-DB compose smoke
runs-on: ubuntu-latest
needs: go-build-and-test
steps:
- uses: actions/checkout@v4
- name: Show Docker versions
run: |
docker --version
docker compose version
- name: Cold-DB compose smoke
# 15-min wall-clock cap covers cold image pull + compose-up +
# full issue/renew/revoke probe + teardown. Increase only if
# the underlying steps legitimately grow.
timeout-minutes: 15
run: bash scripts/ci-guards/cold-db-compose-smoke.sh
- name: Dump compose logs on failure
if: failure()
run: |
cd deploy
for svc in postgres certctl-server certctl-agent certctl-tls-init; do
echo "==== $svc ===="
docker compose logs --no-color --tail 200 "$svc" || true
done
frontend-build: frontend-build:
name: Frontend Build name: Frontend Build
runs-on: ubuntu-latest runs-on: ubuntu-latest