You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
GA-readiness review fixes plus a 100% Specter coverage gate (structural + outcome at all tiers).
- F6 hygiene: remove stray root binary, gitignore /openwatch, strip prototype login creds
- F2 lint: warn when local golangci-lint != CI-pinned 1.64.8
- F1 isolation: self-contained SPA test fixture; gate native package-build tests behind OPENWATCH_PACKAGING_BUILD
- F5 CI: hard-fail the build on frontend vitest failures
- F4 release: fail closed on unsigned tag-push releases
- F3 docs: reconcile guide versions to 0.2.0-rc.10 + CHANGELOG
- Specter: enforce 100% structural AC coverage and raise all outcome tiers to 100, wiring the formerly env-gated tests (Kensa corpus AC-08; runtime-boot AC-14 via pgx + CSRF fix) to run in CI
echo "::error::Specter structural coverage is below 100% — every acceptance criterion must carry a // @ac (Go) or // @ac (frontend) annotation. Specs below 100%:"
220
+
echo "$below"
221
+
exit 1
222
+
fi
223
+
echo "All specs at 100% structural coverage."
224
+
199
225
# Single full-suite run that BOTH detects data races and emits the
200
226
# JSON specter ingests — replacing the previous two end-to-end passes
201
227
# (`make test-race` + a separate non-race `go test -json`), which ran
@@ -206,8 +232,18 @@ jobs:
206
232
# to 600s because race instrumentation slows the hot DB packages.
207
233
- name: go test (race + json) for specter ingest
208
234
if: steps.paths.outputs.go == 'true'
235
+
# OPENWATCH_PACKAGING_BUILD=1 opts the native package-build + runtime-boot
236
+
# tests into this run so their AC coverage is enforced in CI; a plain
237
+
# local `go test ./...` skips them (they take minutes and write into
238
+
# dist/). See packaging/tests/package_test.go:requirePackagingBuild.
239
+
env:
240
+
OPENWATCH_PACKAGING_BUILD: "1"
209
241
run: |
210
242
set +e
243
+
# Point the Kensa variable-catalog tests at the real rule corpus that
244
+
# ships inside the kensa module, so api-system-scan-config/AC-08 runs
245
+
# here instead of skipping (100% outcome coverage requires it).
246
+
export OPENWATCH_KENSA_RULES_DIR="$(go list -m -f '{{.Dir}}' github.com/Hanalyx/kensa)/rules"
211
247
go test -race -json -timeout 600s -p 4 ./... > /tmp/go-test.json
212
248
EXIT=$?
213
249
if [ "$EXIT" -ne 0 ]; then
@@ -242,12 +278,14 @@ jobs:
242
278
set +e
243
279
npx vitest run --reporter=junit --outputFile=/tmp/vitest-junit.xml --reporter=default
244
280
EXIT=$?
245
-
# Don't block the pipeline on Vitest failure — surface it but
246
-
# let specter sync report which ACs are uncovered. The Go test
247
-
# step above already fails the build on test failure; this
248
-
# mirror keeps the gate's failure source observable.
281
+
# Record the exit code but DON'T fail here: specter ingest (next
282
+
# step) still needs to read the JUnit file, and specter sync should
283
+
# report which ACs the failures left uncovered before we abort.
284
+
# The "Enforce frontend tests passed" step below turns a non-zero
285
+
# result into a hard build failure once specter has run.
286
+
echo "$EXIT" > /tmp/vitest-exit
249
287
if [ "$EXIT" -ne 0 ]; then
250
-
echo "::warning::Vitest reported test failures — see specter coverage for affected ACs"
288
+
echo "::warning::Vitest reported test failures — specter coverage below shows affected ACs; the build fails at the enforcement step."
251
289
fi
252
290
253
291
- name: specter ingest
@@ -264,6 +302,22 @@ jobs:
264
302
# are skipped at parse time.
265
303
run: specter sync --tests '**/*'
266
304
305
+
# Hard frontend-test gate. Vitest failures are deferred above so
306
+
# specter can ingest the JUnit results and report coverage first; this
307
+
# step makes a real frontend test failure fail the build. A frontend
308
+
# regression that does not happen to map to a spec AC would otherwise
309
+
# slip through (specter only gates annotated ACs), so this is the
310
+
# backstop that keeps `npm test` authoritative in CI.
# permissive below so an unsigned trial build is still possible.
90
+
echo "::error::No GPG_PRIVATE_KEY secret configured, but this is a tag-push release ($GITHUB_REF_NAME). Refusing to publish unsigned packages. Configure the GPG_PRIVATE_KEY secret, or cut an unsigned trial via workflow_dispatch."
91
+
exit 1
85
92
else
86
93
echo "gpg=false" >> "$GITHUB_OUTPUT"
87
-
echo "::notice::No GPG_PRIVATE_KEY secret — packages and checksums will be published unsigned."
94
+
echo "::warning::No GPG_PRIVATE_KEY secret — this workflow_dispatch build will be published UNSIGNED. Tag pushes fail closed instead."
0 commit comments