Skip to content

fix(go-ci): take coverage report ownership without sudo#29

Merged
monsieurleberre merged 1 commit into
devfrom
fix/go-ci-coverage-chown-no-sudo
Jun 23, 2026
Merged

fix(go-ci): take coverage report ownership without sudo#29
monsieurleberre merged 1 commit into
devfrom
fix/go-ci-coverage-chown-no-sudo

Conversation

@monsieurleberre

@monsieurleberre monsieurleberre commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Problem

go-ci.yaml's coverage step ran sudo chown … code-coverage-results.md to reclaim a file the irongut/CodeCoverageSummary Docker action writes as root. Self-hosted runners (Hetzner pool) lack passwordless sudo, so it died with sudo: a password is required — breaking build-and-test for every Go consumer.

Fix

Take ownership without sudo: when the report isn't writable, replace it with a runner-owned copy via a same-directory cp + mv -f (needs only workspace-dir perms; no-op on hosted runners).

Validation

  • actionlint clean; repo self-test green.
  • Verified on a real Hetzner runner via a consumer (terraform-provider-canton-internal): build-and-test passes, coverage 80%, no sudo error — run.

Non-breaking → moves v2 forward (cut v2.3.2). Note: v1 has the same bug and needs the same fix for @v1 consumers.

@monsieurleberre
fix(go-ci): take coverage report ownership without sudo
f25ee4f 
The 'Augment coverage report with cyclomatic complexity' step ran
'sudo chown' to reclaim code-coverage-results.md (written as root by the
irongut/CodeCoverageSummary Docker action). Self-hosted runners lack
passwordless sudo, so the step failed with 'sudo: a password is required',
breaking every Go consumer's build-and-test job. Replace the file with a
runner-owned copy via cp + mv -f when it is not writable; this needs only
workspace-directory permissions and is a no-op on GitHub-hosted runners.
Copilot AI review requested due to automatic review settings June 23, 2026 09:33
Copilot AI reviewed Jun 23, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@monsieurleberre monsieurleberre merged commit 115dc93 into dev Jun 23, 2026
2 checks passed
@monsieurleberre monsieurleberre deleted the fix/go-ci-coverage-chown-no-sudo branch June 23, 2026 14:04
monsieurleberre added a commit to peacefulstudio/canton-localnet that referenced this pull request Jun 24, 2026
@monsieurleberre
chore(ci): bump go-ci reusable workflow to @v2 (#109)
8e098e1 
The @v1 go-ci.yaml carried a broken 'sudo chown' coverage step that fails on
self-hosted Hetzner runners (sudo: a password is required), breaking Go CI.
Fixed in @v2 (peacefulstudio/github-actions#29); input contract is unchanged.
monsieurleberre added a commit to peacefulstudio/canton-localnet that referenced this pull request Jun 24, 2026
@monsieurleberre
Sync 0.6.9-1.preview.1: Splice 0.6.9 upgrade + all-five-validator def…
85a456f 
…ault (#11)

* ci(integration): run Go fixture step on success-or-failure for Go/C# parity (#101)

The C# fixture integration step already carries `if: success() || failure()`
so it self-decides on a real env var vs. a clean self-skip. The Go fixture
step lacked the same guard, so an earlier-step failure (e.g. the build-dar
DAR step) would skip the Go test outright rather than letting it run and
report. Add the same guard to the Go step so both languages behave
symmetrically.

This is the residual symmetry concern from #34; the composite-action
refactor #34 originally requested is obsolete (the duplicated extraction
shell was removed when the boot+smoke jobs were consolidated into
compose-integration.yaml).

* chore(nuget): enforce XML docs on shipping package (#93) (#102)

* ci(integration): run Go fixture step on success-or-failure for Go/C# parity

The C# fixture integration step already carries `if: success() || failure()`
so it self-decides on a real env var vs. a clean self-skip. The Go fixture
step lacked the same guard, so an earlier-step failure (e.g. the build-dar
DAR step) would skip the Go test outright rather than letting it run and
report. Add the same guard to the Go step so both languages behave
symmetrically.

This is the residual symmetry concern from #34; the composite-action
refactor #34 originally requested is obsolete (the duplicated extraction
shell was removed when the boot+smoke jobs were consolidated into
compose-integration.yaml).

* chore(nuget): enforce XML docs on shipping package (#93)

Brings Peaceful.Canton.Localnet.Testing closer to the dotnet-extensions
packaging bar. Of the four gaps in #93, the icon (gap #1) and PackageTags
(gap #2) already landed via #98, so this PR covers the remaining
documentation enforcement:

- Remove the CS1591 suppression from the shipping csproj so missing
  public-API doc comments surface as build errors (GenerateDocumentationFile
  was already on). CS1591 stays untouched for the test project, which does
  not generate a doc file.
- Document the previously-undocumented public surface: client/fixture
  constructors, the EndpointDiscovery env-var name constants, the
  LocalnetProfile enum members, the LocalnetFixture deep-module properties
  and DisposeAsync, the exception types' ctors/properties, and the
  DarUploaderRetryOptions members.

Deferred:
- AnalysisLevel parity (gap #4): turning on latest-recommended repo-wide
  under TreatWarningsAsErrors surfaces ~52 pre-existing CA findings
  (CA1848 LoggerMessage, CA1873 log-arg guards, CA1859 return/param types).
  The issue flags this gap as optional ("take it or split it out"); split
  out to keep this PR a docs-only change rather than a logging refactor.
- Package icon (gap #1) already present (csharp/icon.png, 640x640, via #98).

Verification: `dotnet build -c Release` on the shipping project is
warning-clean (0/0) with CS1591 enforced; test project builds clean;
`dotnet test` 125 passed / 3 skipped (live-LocalNet smoke, env-gated) / 0
failed.

Refs #93

* style(testing): add blank line before AdminClient doc comment

Restores the consistent blank-line spacing between members in the
LocalnetFixture public surface, matching every other documented member
in the block.

* ci: re-trigger csharp CI to pick up csharp-ci @v2=v2.3.1 (shard-result fix)

* feat(localnet): upgrade Splice 0.6.5 -> 0.6.9 (#106)

Three-way merge of upstream hyperledger-labs/splice 0.6.9 into our
5-validator LocalNet fork, preserving the B/A/SV/D health-check slot
set, the POSTGRES_VERSION=17 / NGINX_VERSION=1.30.0 pins, and the
per-slot env/ wiring (NOT a destructive re-vendor).

- Bump SPLICE_VERSION 0.6.5 -> 0.6.9 in compose/.env.defaults; re-pin
  splice.sha / links.csv to upstream bc6a3587.
- Carry over two upstream functional changes: splice health check
  curl -f -> wget --no-verbose --tries=1 --spider, and drop
  domain-migration-id from conf/splice/app.conf.
- Bump C# package version to 0.6.9-1 (0.6.9.0 assembly/file).
- README quickstart string 0.6.5 -> 0.6.9; CHANGELOG [Unreleased] entry.
- SCRIBE_VERSION (PQS, 0.6.13) is an independent pin, left unchanged.

Closes #105

* docs(skill): retarget localnet-vm skill at Hetzner, deprecate AWS (#107)

* docs(skill): retarget localnet-vm skill at Hetzner, deprecate AWS

Check the shared localnet-vm skill into the repo (un-ignore .claude/skills/
localnet-vm/) and rewrite it so the Hetzner VM is the primary documented target.
Demote the legacy AWS EC2 path to a clearly-labelled deprecated section.

* docs(skill): fix Hetzner token env var and vm tunnel host in localnet-vm skill

- Use TF_VAR_hcloud_token (the provider reads var.hcloud_token); HCLOUD_TOKEN is not consumed by the terraform/hetzner provider.
- vm tunnel still defaults to the legacy terraform/ (AWS) state dir, so document passing --host from the Hetzner elastic_ip output.

* chore(ci): bump go-ci reusable workflow to @v2 (#109)

The @v1 go-ci.yaml carried a broken 'sudo chown' coverage step that fails on
self-hosted Hetzner runners (sudo: a password is required), breaking Go CI.
Fixed in @v2 (peacefulstudio/github-actions#29); input contract is unchanged.

* feat(localnet): default to full 5 validators; Hetzner VM runs sv+a+b (#111)

Local dev now boots all five validators for full fidelity. The shared
Hetzner VM drops c and d (neither is exercised by CI integration tests)
to save resources on the billing box.

* chore(skill): relocate localnet-vm skill out of .claude/ to root skills/ (#112)

* chore(skill): relocate localnet-vm skill out of .claude/ to root skills/

Internal commit be7d08d (#107) checked the localnet-vm skill into git via a
brittle .gitignore un-ignore hack under the otherwise-ignored .claude/. That
hack crossed to the public mirror as .gitignore noise, leaking the skill's
naming/existence.

- git mv .claude/skills/localnet-vm/SKILL.md -> skills/localnet-vm/SKILL.md
- drop the .gitignore un-ignore block; .claude/ is fully ignored again
- local harness discovery preserved via an ignored .claude/ symlink
- note skills/ as intentionally-private in .gitpublic
- freshen the skill for Splice 0.6.9 and the per-env validator split
  (default 5; Hetzner runs sv+a+b)

* chore(skill): add SPDX header to localnet-vm SKILL.md

Placed immediately after the YAML frontmatter rather than before it:
Claude Code requires the frontmatter --- delimiter on line 1, so a
leading comment would break skill discovery.

* docs(changelog): cut 0.6.9-1.preview.1; preserve public CODEOWNERS
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@monsieurleberre