ci(sandbox): add macOS runner for darwin-specific tar behavior test #2063
🤖 Finished Review · ✅ Success · Started 9:40 AM UTC · Completed 9:49 AM UTC
Review findings: Medium
Labels: PR already has appropriate labels (
Labels: PR modifies CI workflow and sandbox test infrastructure.
f4486d2 to 9624e47
🤖 Finished Review · ✅ Success · Started 9:53 AM UTC · Completed 10:03 AM UTC
85770c7 to b7da455
🤖 Finished Review · ✅ Success · Started 10:41 AM UTC · Completed 10:49 AM UTC
waynesun09 left a comment:
Review Squad (5 agents: Claude x3, Gemini, Codex) — 6 new findings (2 HIGH, 4 MEDIUM)
HIGH — Wrong Conventional Commit prefix
PR title uses fix(sandbox): but this PR adds CI infrastructure and a test file — no user-visible bug fix. fix feeds into release notes under "Bug Fixes" via GoReleaser. Suggest: ci(sandbox): add macOS runner for darwin-specific tar behavior test or test(sandbox): ...
Flagged by 3/5 review agents (consensus).
b7da455 to 9a9f810
PR Summary by Qodo: Add macOS CI job to validate COPYFILE_DISABLE tar behavior
Files changed (2)
Code Review by Qodo
1. Weak negative control check
🤖 Review · ❌ Terminated · Started 6:04 AM UTC · Ended 6:17 AM UTC
Codecov Report: ✅ All modified and coverable lines are covered by tests.
| with: | ||
| files: coverage.out | ||
|
|
||
| test-sandbox-darwin: |
[medium] architectural-fit
Adding a macOS runner for darwin-specific tests incurs significant CI cost (macOS runners are ~10x more expensive than Linux). The existing unit test at sandbox_test.go:418 verifies COPYFILE_DISABLE=1 is set via a fake tar shim. The new integration test validates real bsdtar behavior on macOS, which is orthogonal coverage. Consider whether this should run on every PR or on a schedule to reduce cost.
| subjectTar := filepath.Join(t.TempDir(), "subject.tar.gz") | ||
| subjectCmd := exec.Command("tar", "-czf", subjectTar, "-C", srcDir, ".") | ||
| subjectCmd.Env = append(controlEnv, "COPYFILE_DISABLE=1") | ||
| out, err := subjectCmd.CombinedOutput() |
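Review bot: exec.Command("tar", ...) resolves tar through PATH, so on a runner where a different tar comes first in PATH the subject archive is not produced by the system bsdtar that the test is meant to exercise; consider invoking /usr/bin/tar explicitly. Separately, append(controlEnv, "COPYFILE_DISABLE=1") can write into controlEnv's backing array when that slice has spare capacity, so building subjectCmd.Env from a fresh copy keeps the control and subject environments independent.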
[low] test-adequacy
The subject assertion can pass trivially when the negative control also produces no ._* files. If the xattr does not trigger AppleDouble generation on the CI runner, the test provides zero signal. The negative control only emits t.Log (warning) rather than t.Skip, making the no-signal condition invisible in CI output.
Suggested fix: Replace t.Log("warning: ...") with t.Skip("control tar without COPYFILE_DISABLE produced no ._* files — skipping") so CI clearly reports when the test was not exercised.
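The no-signal condition described in the comment above, as an added Go example (not code from this PR): it scans an archive for ._* members and separates "pass" from "skip" when the control archive shows no AppleDouble files. The names buildTar, appleDoubleEntries and verdict are hypothetical, and the archives are constructed in memory as uncompressed tar rather than produced by bsdtar.

```go
package main
import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// buildTar returns an in-memory tar of empty files: constructed sample input.
func buildTar(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644})
	}
	_ = tw.Close()
	return buf.Bytes()
}

// appleDoubleEntries lists members whose base name starts with "._".
func appleDoubleEntries(archive []byte) ([]string, error) {
	var found []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if strings.HasPrefix(path.Base(hdr.Name), "._") {
			found = append(found, hdr.Name)
		}
	}
	return found, nil
}

func verdict(control, subject []string) string {
	if len(subject) > 0 { // ._* leaked despite COPYFILE_DISABLE=1
		return "fail"
	}
	if len(control) == 0 { // control made no ._* either: the run proves nothing
		return "skip"
	}
	return "pass"
}

func main() {
	control, _ := appleDoubleEntries(buildTar("./a.txt", "./._a.txt"))
	fmt.Println(control, verdict(control, nil))
}
```

In a real test the "skip" result maps to t.Skip and "fail" to t.Fatalf with the offending member names.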
| ) | ||
|
|
||
| // TestDarwinBsdtar_CopyfileDisableSuppressesAppleDouble exercises real macOS bsdtar | ||
| // to verify COPYFILE_DISABLE=1 prevents ._* files in tarballs. This validates OS-level |
[low] test-naming-convention
Test name TestDarwinBsdtar_CopyfileDisableSuppressesAppleDouble deviates from the dominant TestFunctionName_Scenario pattern in sandbox_test.go. The deviation is partially justified since this test exercises raw bsdtar behavior rather than a specific exported function.
🤖 Finished Review · ✅ Success · Started 6:04 AM UTC · Completed 6:17 AM UTC
waynesun09 left a comment:
LGTM — prior review findings addressed. One remaining nit: PR title uses fix(sandbox): but should be ci(sandbox): or test(sandbox): since this adds CI infrastructure and a test, not a user-visible bug fix. This will affect release note categorization via GoReleaser.
9a9f810 to c574d3c
Add a dedicated macOS runner in lint.yml to exercise darwin-specific sandbox behavior.
Add TestUploadDir_SuppressesAppleDoubleInTarball on darwin: verifies COPYFILE_DISABLE=1 prevents ._* files in tarballs using python3 tarfile inspection, with a negative control to confirm xattr application actually triggers AppleDouble generation without the flag.
Signed-off-by: Hector Martinez <hemartin@redhat.com>
c574d3c to db0772f
🤖 Finished Review · ✅ Success · Started 7:01 AM UTC · Completed 7:13 AM UTC
🤖 Finished Retro · ✅ Success · Started 7:23 AM UTC · Completed 7:29 AM UTC
Retro: PR #2063 — macOS CI runner for darwin-specific tar test
Timeline: Human-authored PR opened Jun 9, merged Jun 25 (16 days). The review bot ran 5+ times and flagged protected-path, architectural scope, and minor code issues. However, a human "Review Squad" (5 agents) on Jun 22 caught 6 additional findings — including two HIGH-severity issues — that the review bot missed: stale GitHub Actions versions (checkout v6 vs v7 in the same repo) and missing token isolation (
What went well:
Key gap: The review bot failed to detect inconsistent configuration between sibling CI jobs in the same workflow file — specifically missing security env blanking and outdated action versions compared to adjacent jobs. These are pattern-consistency checks that don't require external knowledge.
Proposals: 1 filed (sibling-job consistency checks). Skipped proposals for redundant review deduplication (covered by #1418, #1422, #1014), protected-path tuning (covered by #2614, #1551, #2588), and review bot contradiction handling (covered by #2484).
Proposals filed
Adding a macOS runner to test behavior related to tar in macOS.
Closes #2032