ci: gate e2e property suite + unconditional source doc validation (CIP-3141)

tobyhede · tobyhede · commit 6eebf1d48fc8 · 2026-06-19T23:14:36.000+10:00
Adds a dedicated test:sqlx:e2e mise task and CI job for the proptest-e2e suite
(needs ZeroKMS creds; the credential-free shards run the fixture suite), and
runs source doc validation unconditionally.
diff --git a/.github/workflows/test-eql.yml b/.github/workflows/test-eql.yml
@@ -268,9 +268,13 @@ jobs:
         run: |
           mise run postgres:up postgres-${POSTGRES_VERSION} --extra-args "--detach --wait"
 
-      - name: Validate SQL documentation (Postgres ${{ matrix.postgres-version }})
+      # Source-only doc checks (coverage + required-tags) moved to the
+      # unconditional `docs-static` job so they run on every PR (incl. docs-only)
+      # and exactly once, not per-Postgres. This step keeps only the DB-backed
+      # SQL-syntax validation, which genuinely needs the per-version Postgres.
+      - name: Validate documented SQL syntax (Postgres ${{ matrix.postgres-version }})
         run: |
-          mise run docs:validate
+          mise run docs:validate:documented-sql
 
       - name: Clean-DB v3 install smoke (Postgres ${{ matrix.postgres-version }})
         run: |
@@ -460,6 +464,75 @@ jobs:
         run: |
           mise run --output prefix test:splinter --postgres ${POSTGRES_VERSION}
 
+  # Source-only SQL documentation validation (coverage + required Doxygen tags).
+  # Deliberately NOT relevance-gated: it runs on EVERY pull_request — including
+  # docs-only PRs that skip the heavy jobs — so documentation is always
+  # validated. DB-free and creds-free (the psql-backed syntax check stays in the
+  # per-version `validate` job).
+  docs-static:
+    name: "SQL doc validation"
+    runs-on: blacksmith-16vcpu-ubuntu-2204
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+        with:
+          version: 2026.4.0
+          install: true
+          cache: true
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
+        with:
+          workspaces: .
+          shared-key: sqlx-tests
+          save-if: false
+      - name: Validate SQL doc coverage + required tags
+        run: |
+          mise run docs:validate:source
+
+  # The e2e (fresh-encryption) property suite. Encrypts random values through
+  # ZeroKMS at run time, so it needs CS_* creds and is PG-version-independent —
+  # one PG17 run, never the matrix. Compiles the `proptest-e2e`-gated binaries
+  # (which the default-feature sharded archive excludes) and runs only the
+  # e2e oracle. Like build-archive, it holds CS_* and so carries the same
+  # fork-PR guard to keep the secrets off fork runs.
+  e2e:
+    name: "e2e property suite (fresh encryption)"
+    needs: [changes, setup]
+    if: >-
+      (github.event_name == 'merge_group'
+       || github.event_name == 'workflow_dispatch'
+       || (github.event_name == 'pull_request' && needs.changes.outputs.relevant == 'true'))
+      && (github.event_name != 'pull_request'
+          || github.event.pull_request.head.repo.full_name == github.repository)
+    runs-on: blacksmith-16vcpu-ubuntu-2204
+    env:
+      POSTGRES_VERSION: "17"
+      CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
+      CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
+      CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
+      CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+        with:
+          version: 2026.4.0
+          install: true
+          cache: true
+      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
+        with:
+          workspaces: .
+          shared-key: sqlx-tests
+          save-if: false
+      - name: Setup database (Postgres 17)
+        run: |
+          mise run postgres:up postgres-${POSTGRES_VERSION} --extra-args "--detach --wait"
+      - name: Run e2e property suite
+        run: |
+          mise run test:sqlx:e2e
+
   # The ONE required status check. Stable name on every event, so branch
   # protection never references an event-dependent leaf name (which would
   # deadlock). Passes iff every needed job is success or skipped. Treating
@@ -469,7 +542,7 @@ jobs:
   ci-required:
     name: "ci-required"
     needs: [changes, setup, build-archive, test, validate, schema, rust-crates,
-            codegen, self-contained-v3, matrix-coverage, splinter]
+            codegen, self-contained-v3, matrix-coverage, splinter, docs-static, e2e]
     if: always()
     runs-on: blacksmith-16vcpu-ubuntu-2204
     steps:
diff --git a/mise.toml b/mise.toml
@@ -89,6 +89,22 @@ echo "Running Rust tests..."
 cargo test --features proptest-e2e
 """
 
+[tasks."test:sqlx:e2e"]
+description = "Run ONLY the e2e (fresh-encryption) property suite — needs ZeroKMS creds"
+# Prep builds + migrates + regenerates fixtures (the latter needs CS_* creds,
+# which the dedicated CI `e2e` job supplies). The e2e suite is the only one that
+# encrypts fresh values through ZeroKMS at run time, so it cannot run from the
+# credential-free sharded archive; it gets its own job. The fixture suite (which
+# DOES run in the shards) is intentionally excluded here via the `e2e_oracle`
+# filter so this job does not duplicate sharded work — it only compiles the
+# `proptest-e2e`-gated binaries and runs the fresh-encryption oracle.
+depends = ["test:sqlx:prep"]
+dir = "{{config_root}}/tests/sqlx"
+run = """
+echo "Running e2e property suite (fresh ZeroKMS encryption)..."
+cargo test --features proptest-e2e e2e_oracle
+"""
+
 [tasks."test:sqlx:watch"]
 description = "Run SQLx tests in watch mode (rebuild EQL on changes)"
 # Same prep as test:sqlx so watch mode starts from a migrated DB + fresh
diff --git a/tasks/docs/validate/source.sh b/tasks/docs/validate/source.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+#MISE description="Source-only SQL doc validation (coverage + required tags, no DB)"
+# Build first so generated encrypted-domain SQL exists under src/.
+#MISE depends=["build"]
+#
+# This is the DB-free subset of `docs:validate`: coverage + required-tags read
+# the `--!` doxygen comments out of src/**/*.sql and need no Postgres. It exists
+# so CI can validate documentation on EVERY PR (including docs-only PRs that skip
+# the heavy, relevance-gated jobs) without standing up a database. The
+# `documented-sql` syntax check (which needs psql) stays in the per-Postgres
+# `validate` job.
+
+set -e
+
+echo
+echo "Checking documentation coverage..."
+mise run --output prefix docs:validate:coverage
+
+echo
+echo "Validating required tags..."
+mise run --output prefix docs:validate:required-tags
