gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:41:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
eda3b484198b7b8d7dd17ea469b25cafe2a75eb0
certctl/.github/workflows/loadtest.yml
T
shankar0123 eda3b48419 ci: supply-chain hardening (Phase 1 closure — RED-1, RED-2, TEST-L2) 
Three findings from the certctl architecture diligence audit's Phase 1
bundle (Supply-Chain Hardening) closed together in one PR since they all
touch .github/workflows/ + repo root.

RED-1 — delete tracked precompiled binary
  - deploy/test/f5-mock-icontrol/f5-mock-icontrol (8.6 MB ARM64 ELF) was
    tracked alongside the Go source that builds it. The fixture's
    Dockerfile already uses a multi-stage build that re-runs
    'go build' inside the container (line 13), so the tracked binary
    was vestigial — never actually consumed by the test wiring.
  - git rm'd. Path added to .gitignore so it doesn't re-land.
  - No Makefile target needed; the Dockerfile is the rebuild path.

RED-2 — SHA-pin every GitHub Action
  - Pre: 37 of 41 'uses:' lines were tag-pinned (@v4 etc); only
    4 were SHA-pinned (sigstore/cosign-installer + anchore/sbom-action).
  - Post: 0 / 41. Every 'uses:' line is now '@<40-char-sha>  # vN'
    (the trailing comment preserves the human-readable version for
    operator audit). SHA-pinning closes the standard supply-chain
    attack vector against GitHub Actions consumers.
  - SHAs resolved live via the GitHub API; spot-checked one.

TEST-L2 — npm audit hard gate
  - Added 'npm audit --omit=dev --audit-level=high' step to the
    Frontend Build job in ci.yml. --omit=dev excludes vitest/vite/
    eslint/etc which don't ship to operators.
  - Local run today: 0 vulnerabilities; gate enters with no triage
    backlog. Catches future regressions.

New CI guards (regression-prevention):
  - scripts/ci-guards/no-tag-pinned-actions.sh — fails the build if
    a future PR adds 'uses: foo/bar@v2' instead of SHA-pinning.
  - scripts/ci-guards/no-precompiled-binary.sh — runs file(1) over
    git ls-files output; fails on any tracked ELF/Mach-O/PE.
  - Both pass locally. CI's existing loop over scripts/ci-guards/*.sh
    picks them up automatically.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-1,
        cowork/certctl-architecture-diligence-audit.html#fix-RED-2,
        cowork/certctl-architecture-diligence-audit.html#fix-TEST-L2
2026-05-13 19:30:53 +00:00

78 lines
3.1 KiB
YAML
Raw Blame History

# Load-test workflow — closes the #8 acquisition-readiness blocker from
# the 2026-05-01 issuer coverage audit (see
# the 2026-05-01 issuer coverage audit).
#
# CADENCE: workflow_dispatch + weekly cron, NOT per-push. Load tests
# are minutes long and don't provide useful per-PR signal — per-push
# pressure goes through ci.yml. This workflow exists to (a) catch
# gradual regressions from cumulative changes that no single PR
# triggered, and (b) give an operator a one-click way to capture
# numbers before tagging a release.
#
# THRESHOLDS: defined in deploy/test/loadtest/k6.js (p99 < 5s for
# issuance-acceptance, p99 < 2s for list, error rate < 1%). k6 exits
# non-zero on any breach, which propagates through `docker compose up
# --exit-code-from k6` → `make loadtest` → this workflow's exit.
name: loadtest
on:
workflow_dispatch:
# Manual trigger from the Actions tab. Use before tagging a
# release or after a meaningful tuning commit.
schedule:
# Mondays at 06:00 UTC. Off-peak; catches regressions accumulated
# over the previous week's merges. Once a baseline is committed
# in deploy/test/loadtest/README.md, drift relative to that
# baseline is the signal — diff the captured summary.json
# against the committed numbers.
- cron: '0 6 * * 1'
# Reduce permissions — this workflow doesn't write to PRs or push tags.
permissions:
contents: read
jobs:
k6:
name: k6 throughput run
runs-on: ubuntu-latest
# 25-minute hard cap. Pre-Bundle-10: 15min was enough for the API
# tier alone (~7 minutes total). Post-Bundle-10 the harness boots
# four additional target sidecars (nginx, apache, haproxy, f5-mock)
# before the k6 run; their healthchecks add ~30-60s. The k6 scenarios
# themselves are still 5 minutes (run in parallel with the API
# scenarios, not serially). 25 minutes absorbs that plus slow CI
# runners and cold image caches without letting a stuck container
# consume the runner indefinitely.
timeout-minutes: 25
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Set up Docker Buildx
# The compose stack builds the certctl image from the repo
# root Dockerfile. Buildx gives the build a usable cache and
# works with newer compose versions.
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Run loadtest
run: make loadtest
env:
# Disable BuildKit progress noise so the run log is
# diff-able against past runs.
BUILDKIT_PROGRESS: plain
- name: Upload summary
# Always upload the summary so a regression has a diffable
# artifact even when k6 exited non-zero. summary.json is the
# authoritative machine-readable form; summary.txt is the
# human-readable text the README baseline tracks.
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: k6-summary-${{ github.run_id }}
path: deploy/test/loadtest/results/
retention-days: 90
Reference in New Issue View Git Blame Copy Permalink