fix: stabilize Chainsaw tests and add govulncheck to CI gate #95

Merged
SebTardif merged 2 commits into main from fix/chainsaw-stable-state-govulncheck-gate
May 27, 2026

@SebTardif

Contributor

Changes

Chainsaw transient-state flake fix (#93)

Replace static InsufficientData assertions in observe-mode and opt-out
Chainsaw tests with script-based polls that accept either InsufficientData
or Monitoring. This is the same fix pattern applied to recommend-mode in
PR #92: with minimumDataPoints: 1, the operator can transition past
InsufficientData before the assert evaluates, causing a 2-minute timeout.

Tests fixed:

  • test/e2e/observe-mode/chainsaw-test.yaml
  • test/e2e/opt-out/chainsaw-test.yaml

Govulncheck CI gate (#72)

Add govulncheck as a job in ci.yaml gated by the go path filter, and
include it in the ci-gate required status check. PRs with known
vulnerabilities in the dependency tree are now blocked from merging.

The existing govulncheck in security.yaml continues to run on the weekly
schedule for proactive detection.

Closes #93
Closes #72
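
The transient-state race described in the PR description above, as an added example that is not part of the PR or the project's code: a shell poll of the kind a Chainsaw script step could run, which passes when the observed state is any of the accepted ones. `poll_state`, `read_state`, `STATE_FILE` and the states written to it are constructed stand-ins; a real step would query the resource's status, whose field name the page does not show.

```shell
#!/bin/sh
# Added example, not the project's code.
# poll_state <reader-cmd> <timeout-seconds> <state> [<state>...]
# Succeeds as soon as <reader-cmd> prints one of the accepted states.
poll_state() {
    reader=$1; limit=$2; shift 2
    elapsed=0
    while :; do
        # A failing reader (resource not created yet) means "no state yet".
        current=$($reader 2>/dev/null) || current=""
        for accepted in "$@"; do
            if [ "$current" = "$accepted" ]; then
                echo "state=$current after ${elapsed}s"
                return 0
            fi
        done
        if [ "$elapsed" -ge "$limit" ]; then
            echo "timed out after ${limit}s, last state='$current'" >&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# Constructed stand-in for the real status lookup: the state lives in a file.
STATE_FILE=${STATE_FILE:-$(mktemp)}
read_state() { cat "$STATE_FILE"; }

# Constructed scenario: the operator has already reconciled past
# InsufficientData by the time the test step runs.
echo "Monitoring" > "$STATE_FILE"

# Static-assert equivalent: only the transient state is accepted, so it times out.
poll_state read_state 1 InsufficientData || echo "flake: transient state was missed"

# Poll that accepts either valid state: passes immediately.
poll_state read_state 5 InsufficientData Monitoring
```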

SebTardif added 2 commits May 27, 2026 08:54
Chainsaw tests that assert transient operator states (InsufficientData)
race with the reconcile loop when minimumDataPoints is low. Add testing
convention to prefer stable state assertions or script-based polls that
accept multiple valid states.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Replace static InsufficientData assertions in observe-mode and opt-out
Chainsaw tests with script-based polls that accept either InsufficientData
or Monitoring. This prevents the same transient-state race fixed in
recommend-mode (PR #92): with minimumDataPoints=1, the operator can
transition past InsufficientData before the assert evaluates.

Add govulncheck as a CI gate job so PRs are blocked when known
vulnerabilities exist in the dependency tree. The existing govulncheck
in security.yaml continues to run on the weekly schedule.

Closes #93
Closes #72

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
@github-actions github-actions Bot added size/m 50-249 lines changed area/ci CI/CD workflows area/docs Documentation area/e2e E2E and integration tests labels May 27, 2026
@SebTardif SebTardif merged commit 011c8ad into main May 27, 2026
33 checks passed
@SebTardif SebTardif deleted the fix/chainsaw-stable-state-govulncheck-gate branch May 27, 2026 16:12

Development

Successfully merging this pull request may close these issues.

  • test: observe-mode Chainsaw test has same transient-state flake risk as recommend-mode
  • ci: add govulncheck to CI gate (not just security workflow)