gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-12 14:48:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2e8c5a8d227e1eb87f33d3bcbe7d89e8fa434a78
certctl/cowork/ci-pipeline-cleanup/baseline.md
T
shankar0123 d57910cece ci-pipeline-cleanup Phase 0: baseline + frozen decisions + Bundle II revisions 
Bundle: ci-pipeline-cleanup, Phase 0.

Captures all 12 baseline measurements at HEAD 1de61e91 (tag v2.0.66):
- ci.yml shape (1488 lines, 53 named steps, 22 regression-guard steps)
- 4 Dockerfiles in repo
- 24/24 migration up/down balance
- 136 OpenAPI operationIds vs 149 router Register calls (13-route gap
  for Phase 9 root-cause)
- 11 vendor sidecars + 1 always-on nginx in deploy/docker-compose.test.yml
- 19 status checks per push (target after cleanup: 7)

Locks the 14 Phase-0 frozen decisions in cowork/ci-pipeline-cleanup/
frozen-decisions.md. Two of them deliberately revise Bundle II
decisions:
- Decision 0.4 revises Bundle II 0.9 (vendor matrix collapse)
- Decision 0.5 revises Bundle II 0.4 (Windows IIS matrix deletion)

Both revisions are documented with rationale + preservation note in
cowork/ci-pipeline-cleanup/decisions-revised.md. Verified failure-log
evidence cited for the Windows matrix (CI run 25183374742) +
verified source-grep evidence for the t.Log-only vendor-edge tests
(115 of 116).

Two operator-on-workstation deliverables explicitly deferred to
their respective Phases:
- Live SA1019 site count (Phase 3 pre-flight)
- RAM headroom on prototype branch with collapsed vendor-e2e (Phase 5
  pre-merge gate)

No code changes in this commit — Phase 0 is documentation + measurement
+ frozen-decision lock-in only.
2026-04-30 20:24:12 +00:00

160 lines
7.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# CI Pipeline Cleanup — Phase 0 Baseline
> Captured against repo HEAD `1de61e91cf07449356d9046a76499c86efe413b1` (operator tag `v2.0.66`) on 2026-04-30.
> Each subsequent Phase that changes a number references this baseline.
## Repo state
**HEAD SHA:** `1de61e91cf07449356d9046a76499c86efe413b1`
**Operator-stamped tag:** `v2.0.66`
## ci.yml shape
- Total lines: `1488`
- Total named steps: `53`
- Named regression-guard steps: 22 (enumerated below)
### The 22 regression-guard steps
```
81: - name: Forbidden auth-type literal regression guard (G-1)
144: - name: Forbidden bare InsecureSkipVerify regression guard (L-001)
180: - name: Forbidden bare FROM regression guard (H-001)
201: - name: Forbidden missing USER regression guard (M-012)
228: - name: Forbidden README JWT advertising regression guard (H-009)
254: - name: Forbidden api_key_hash JSON-shape regression guard (G-2)
311: - name: Forbidden plaintext HEALTHCHECK regression guard (U-2)
360: - name: Forbidden migration mount in compose initdb (U-3)
417: - name: Forbidden StatusBadge dead-key + TS phantom-field regression guard (D-1 + D-2)
569: - name: Forbidden client-side bulk-action loop regression guard (L-1)
613: - name: Forbidden orphan-CRUD client function regression guard (B-1)
665: - name: Forbidden strings.Contains(err.Error()) regression guard (S-2)
868: - name: QA-doc Part-count drift guard
886: - name: QA-doc seed-count drift guard
938: - name: Test-naming convention guard (hard-fail)
982: - name: Forbidden hardcoded source-count prose regression guard (S-1)
1027: - name: Documented orphan client fns sync guard (P-1)
1063: - name: Frontend page-coverage regression guard (T-1)
1118: - name: Bundle-8 / L-015 target=_blank rel=noopener regression guard
1147: - name: Bundle-8 / L-019 dangerouslySetInnerHTML regression guard
1176: - name: Bundle-8 / M-009 + M-029 Pass 1 mutation contract guard (hard zero)
1220: - name: Forbidden env-var docs drift regression guard (G-3)
```
## SA1019 site count
- **Operator-on-workstation deliverable** — sandbox cannot run `staticcheck`.
- ci.yml inline comment claims "6 sites" (`middleware.NewAuth × 3`, `csr.Attributes`, `elliptic.Marshal`).
- Source-grep at HEAD shows:
- `internal/api/handler/scep.go`: `csr.Attributes` references present
- `internal/connector/issuer/local/local.go`: `elliptic.Marshal` historic refs (already migrated per bundle9_coverage_test.go byte-equivalence test)
- `cmd/server/main_test.go`: `middleware.NewAuth` references TBD
- Operator must run `staticcheck ./... 2>&1 | grep SA1019` on workstation and update Phase 3 plan with the actual site list.
## Dockerfile inventory (verified 4)
```
./Dockerfile.agent
./Dockerfile
./deploy/test/f5-mock-icontrol/Dockerfile
./deploy/test/libest/Dockerfile
```
## Migration up/down balance
- ups: `24`
- downs: `24`
- missing downs: `0`
## OpenAPI ↔ handler parity gap (verified)
- operationIds in api/openapi.yaml: `136`
- r.Register calls in router.go: `149`
- Gap to root-cause in Phase 9: 13 routes
## docker-compose.test.yml sidecars
```
52: certctl-tls-init:
107: postgres:
135: pebble-challtestsrv:
150: pebble:
178: step-ca:
213: certctl-server:
363: nginx:
391: certctl-agent:
449: libest-client:
488: apache-test:
502: haproxy-test:
515: traefik-test:
533: caddy-test:
548: envoy-test:
562: postfix-test:
577: dovecot-test:
591: openssh-test:
613: f5-mock-icontrol:
631: k8s-kind-test:
648: windows-iis-test:
666: certctl-test:
```
## Makefile::verify body (existing)
```
verify:
@echo "==> fmt"
@go fmt ./... | { ! grep -q '.'; } || (echo "gofmt produced changes — commit them" && exit 1)
@echo "==> go vet ./..."
@go vet ./...
@echo "==> golangci-lint run ./... (incl. staticcheck ST*)"
@which golangci-lint > /dev/null || (echo "Installing golangci-lint..." && go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest)
@golangci-lint run ./... --timeout 5m
@echo "==> go test -short ./..."
@go test -short -count=1 ./...
@echo ""
@echo "verify: PASS — safe to commit"
```
## RAM headroom for collapsed vendor-e2e job
- **Operator-on-workstation deliverable** — requires a prototype branch with the collapsed job + `docker stats` polling.
- Per Phase 0 frozen decision 0.14: if peak RSS ≤ 12 GB on ubuntu-latest (16 GB ceiling), single-job collapse is approved.
- If > 12 GB, fall back to bucketed-matrix design documented in `cowork/ci-pipeline-cleanup/decisions-revised.md`.
## Coverage thresholds at HEAD
```
778: if [ "$(echo "$SERVICE_COV < 70" | bc -l)" -eq 1 ]; then
779: echo "::error::Service layer coverage ${SERVICE_COV}% is below 70% (Bundle R-CI-extended floor — add tests, do not lower the gate)"
782: if [ "$(echo "$HANDLER_COV < 75" | bc -l)" -eq 1 ]; then
783: echo "::error::Handler layer coverage ${HANDLER_COV}% is below 75% (Bundle R-CI-extended floor — add tests, do not lower the gate)"
786: if [ "$(echo "$DOMAIN_COV < 40" | bc -l)" -eq 1 ]; then
787: echo "::error::Domain layer coverage ${DOMAIN_COV}% is below 40% threshold"
790: if [ "$(echo "$MIDDLEWARE_COV < 30" | bc -l)" -eq 1 ]; then
791: echo "::error::Middleware layer coverage ${MIDDLEWARE_COV}% is below 30% threshold"
802: if [ "$(echo "$CRYPTO_COV < 88" | bc -l)" -eq 1 ]; then
803: echo "::error::Crypto package coverage ${CRYPTO_COV}% is below 88% (Bundle R closure floor — add tests, do not lower the gate)"
832: if [ "$(echo "$LOCAL_ISSUER_COV < 86" | bc -l)" -eq 1 ]; then
833: echo "::error::Local-issuer coverage ${LOCAL_ISSUER_COV}% is below 86% (Bundle R closure floor — add tests, do not lower the gate)"
842: if [ "$(echo "$ACME_COV < 80" | bc -l)" -eq 1 ]; then
843: echo "::error::ACME issuer coverage ${ACME_COV}% is below 80% (Bundle R-CI-extended floor — add tests, do not lower the gate)"
846: if [ "$(echo "$STEPCA_COV < 80" | bc -l)" -eq 1 ]; then
847: echo "::error::StepCA issuer coverage ${STEPCA_COV}% is below 80% (Bundle L.B closure floor — add tests, do not lower the gate)"
850: if [ "$(echo "$MCP_COV < 85" | bc -l)" -eq 1 ]; then
851: echo "::error::MCP coverage ${MCP_COV}% is below 85% (Bundle K closure floor — add tests, do not lower the gate)"
```
## CodeQL workflow (no changes)
- File: `.github/workflows/codeql.yml` (`81` lines)
- Matrix: `[go, javascript-typescript]` — 2 status checks per push
- Trigger: push to master, PR to master, weekly Sunday cron
## Status check accounting (verified)
Today: 1 `go-build-and-test` + 1 `frontend-build` + 1 `helm-lint` + 12 `deploy-vendor-e2e (<vendor>)` + 2 `deploy-vendor-e2e-windows (<vendor>)` + 2 `CodeQL Analyze (<lang>)` = **19 status checks per push**.
After cleanup: 1 `go-build-and-test` + 1 `frontend-build` + 1 `helm-lint` + 1 `deploy-vendor-e2e` + 1 `image-and-supply-chain` + 2 `CodeQL Analyze (<lang>)` = **7 status checks per push**.
Reference in New Issue View Git Blame Copy Permalink