Skip to content

Migrate CI-basictests from jenkins-build-scripts to in-repo test/infra #5525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
renecannao wants to merge 22 commits into
base: v3.0
Choose a base branch
from
Open

Migrate CI-basictests from jenkins-build-scripts to in-repo test/infra #5525

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
5d02ad5
Add basictests TAP group and sysbench to CI base image
renecannao Mar 22, 2026
75d958f
Fix hardcoded /home/rene/proxysql paths in pre-proxysql.bash scripts
renecannao Mar 22, 2026
0c58d1c
Fix REPO_ROOT derivation: 4 levels up from test/tap/groups/<name>/
renecannao Mar 22, 2026
3389217
Default WITHGCOV=0 in env-isolated.bash
renecannao Mar 22, 2026
6d90bc2
Source group env.sh inside test runner container
renecannao Mar 22, 2026
b93a1a1
Remove jenkins-build-scripts dependencies from test scripts
renecannao Mar 22, 2026
29fec9d
Add hostgroup aliasing hook for basictests group
renecannao Mar 22, 2026
9cf64fd
Fix failover test: use DEFAULT_MYSQL_INFRA for orchestrator DNS names
renecannao Mar 22, 2026
c1eb55d
Add CI-legacy-g2 and CI-legacy-g2-genai caller workflows
renecannao Mar 22, 2026
bc42730
Add GitHub Actions CI/CD documentation
renecannao Mar 22, 2026
eb48756
Fix mysql84+ pre-proxysql.bash: remove infra-default, fix infra paths
renecannao Mar 22, 2026
75d3246
Skip missing unit test binaries instead of counting as failures
renecannao Mar 22, 2026
4dfaedc
Revert "Skip missing unit test binaries instead of counting as failures"
renecannao Mar 22, 2026
5773411
Fix unit test Makefile: auto-detect feature flags from libproxysql.a
renecannao Mar 22, 2026
98fb842
Add test/tap/tests/unit/ to TAP_WORKDIRS
renecannao Mar 22, 2026
16e9413
Pass MAKECMDGOALS to unit test submake
renecannao Mar 22, 2026
f2db55f
Fix basictests hostgroup hook: move instead of copy to avoid monitor …
renecannao Mar 22, 2026
648852b
Add debug filters to infra-mysql57 infra-config.sql
renecannao Mar 22, 2026
7df23de
Remove error suppression from ProxySQL config dump queries
renecannao Mar 23, 2026
09e9207
Move reg_test_3765_ssl_pollout-t from legacy-g2 to legacy-g5
renecannao Mar 23, 2026
d087285
Enable coverage when either WITHGCOV or COVERAGE_MODE is set
renecannao Mar 23, 2026
879ebdc
Fix startup order and add readiness check in test runner
renecannao Mar 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions .github/workflows/CI-legacy-g2-genai.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: CI-legacy-g2-genai
run-name: '${{ github.event.workflow_run && github.event.workflow_run.head_branch || github.ref_name }} ${{ github.workflow }} ${{ github.event.workflow_run && github.event.workflow_run.head_sha || github.sha }}'

on:
workflow_dispatch:
workflow_run:
workflows: [ CI-trigger ]
types: [ in_progress ]

concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run && github.event.workflow_run.head_branch || github.ref_name }}
cancel-in-progress: true

jobs:
run:
uses: sysown/proxysql/.github/workflows/ci-legacy-g2-genai.yml@GH-Actions
secrets: inherit
with:
trigger: ${{ toJson(github) }}
19 changes: 19 additions & 0 deletions .github/workflows/CI-legacy-g2.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
name: CI-legacy-g2
run-name: '${{ github.event.workflow_run && github.event.workflow_run.head_branch || github.ref_name }} ${{ github.workflow }} ${{ github.event.workflow_run && github.event.workflow_run.head_sha || github.sha }}'

on:
workflow_dispatch:
workflow_run:
workflows: [ CI-trigger ]
types: [ in_progress ]

concurrency:
group: ${{ github.workflow }}-${{ github.event.workflow_run && github.event.workflow_run.head_branch || github.ref_name }}
cancel-in-progress: true

jobs:
run:
uses: sysown/proxysql/.github/workflows/ci-legacy-g2.yml@GH-Actions
Copy link

@coderabbitai coderabbitai bot Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For GitHub Actions reusable workflows, what are the security/reproducibility recommendations for using branch refs vs commit SHAs in jobs.<job_id>.uses?

💡 Result:

For GitHub Actions reusable workflows, in jobs.<job_id>.uses, use commit SHAs instead of branch refs for optimal security and reproducibility. Security: Pinning to a full-length commit SHA provides immutability, preventing supply chain attacks where a bad actor pushes malicious code to a branch or moves a tag. Branches and tags can change, allowing potential backdoors without SHA collision. Official GitHub docs explicitly recommend SHA pinning for both actions and reusable workflows, stating it is the safest option. GitHub offers policies to enforce SHA pinning. Reproducibility: SHAs ensure the exact same workflow version is used every time, guaranteeing consistent behavior across runs. Branch refs fetch the latest commit on that branch, which may change between runs (e.g., new pushes), leading to non-deterministic outcomes. When re-running jobs with non-SHA refs, it may pull updated versions. Tags are better than branches but still mutable if repository access is compromised. Alternatives: Tags from verified creators are acceptable if SHA pinning is inconvenient, but less secure. For same-repo local references (./.github/workflows/file.yml), it uses the caller's commit, offering reproducibility without explicit SHA. Use Dependabot for updates. Example: jobs: my-job: uses: owner/repo/.github/workflows/reusable.yml@abc123def4567890abcdef1234567890abcdef12 # full SHA

Citations:

Pin the reusable workflow to a commit SHA.

Line 16 uses @GH-Actions (mutable branch ref). This allows the caller to execute different workflow code over time without any change in this repository, creating reproducibility and supply chain risks. GitHub's official security guidance recommends pinning to a full-length commit SHA as the safest option. Branch refs can drift and enable potential backdoors if the branch is moved or updated.

Suggested change 
-    uses: sysown/proxysql/.github/workflows/ci-legacy-g2.yml@GH-Actions
+    uses: sysown/proxysql/.github/workflows/ci-legacy-g2.yml@<commit-sha>
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/CI-legacy-g2.yml at line 16, Replace the mutable branch
ref in the reusable workflow usage string "uses:
sysown/proxysql/.github/workflows/ci-legacy-g2.yml@GH-Actions" with a
full-length commit SHA from the referenced repository; locate the "uses:
sysown/proxysql/.github/workflows/ci-legacy-g2.yml@GH-Actions" occurrence, fetch
the exact commit SHA you want to pin (40 hex characters), and update the ref to
"uses: sysown/proxysql/.github/workflows/ci-legacy-g2.yml@<commit-sha>" so the
workflow is pinned to that immutable commit.

secrets: inherit
with:
trigger: ${{ toJson(github) }}
Copy link

@coderabbitai coderabbitai bot Mar 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Avoid passing the full github context as workflow input.

Line 19 forwards toJson(github), which is broader than needed and can carry sensitive/context-heavy data into downstream logs and processing. Pass an allowlisted, minimal payload instead.

What fields are included in the GitHub Actions `github` context, and are there cautions about exposing it (for example `github.token`) when serializing or logging?
Suggested change 
     with:
-      trigger: ${{ toJson(github) }}
+      trigger: ${{ toJson(fromJSON(format(
+        '{{"event_name":"{0}","workflow":"{1}","ref_name":"{2}","sha":"{3}","run_id":"{4}"}}',
+        github.event_name,
+        github.workflow,
+        github.ref_name,
+        github.sha,
+        github.run_id
+      ))) }}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/CI-legacy-g2.yml at line 19, The workflow currently
forwards the entire GitHub context via "trigger: ${{ toJson(github) }}"; replace
that with an allowlisted minimal payload (e.g., a serialized object containing
only github.repository, github.ref, github.sha, github.event_name,
github.workflow, and github.actor) instead of the full toJson(github), and
ensure you explicitly exclude any sensitive fields (notably github.token or any
secrets) by building the object inline or as discrete inputs; update the use
sites that consume "trigger" to read the new minimal keys.

Loading
Loading