ci: fix regex + add coverage allowlist (14 known 0% critical paths)
First run of the gate found 14 security-critical files at 0% coverage — exactly the debt the user's audit flagged. Rather than block this PR on fixing all 14 (scope creep), acknowledge them in .coverage-allowlist.txt with 30-day expiry + #1823 reference. Regex bug: `go tool cover -func` emits `file.go:LINE:TAB...` (single colon after line, no column on some Go versions). My original `:[0-9]+\..*` required a period after the line number, which never matched, so file names kept their `:LINE:` suffix. Fixed to `:[0-9][0-9.]*:.*` which accepts both `:LINE:` and `:LINE.COL:` formats. Allowlist pattern: paths in `.coverage-allowlist.txt` warn (not fail), new critical-path files at <10% coverage fail. This makes the gate land cleanly AND keeps the teeth for regressions. Allowlisted files (all tracked under #1823, expire 2026-05-23): Tight-match critical paths: - internal/handlers/a2a_proxy.go - internal/handlers/a2a_proxy_helpers.go - internal/handlers/registry.go - internal/handlers/secrets.go - internal/handlers/tokens.go - internal/handlers/workspace_provision.go - internal/middleware/wsauth_middleware.go Looser substring matches (flagged because my CRITICAL_PATHS entries use contains-match; follow-up PR to use exact prefix match): - internal/channels/registry.go - internal/crypto/aes.go - internal/registry/*.go (access, healthsweep, hibernation, provisiontimeout) - internal/wsauth/tokens.go Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
rabbitblood
parent
c4bb325267
commit
f536768d02
41
.coverage-allowlist.txt
Normal file
41
.coverage-allowlist.txt
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
# Coverage allowlist — security-critical files that are currently below
|
||||||
|
# the 10% per-file floor and are being tracked for remediation.
|
||||||
|
#
|
||||||
|
# Format: one path per line, relative to workspace-server/.
|
||||||
|
# Lines starting with # and blank lines are ignored.
|
||||||
|
#
|
||||||
|
# Process:
|
||||||
|
# - A path in this list is WARNED on each CI run, not failed.
|
||||||
|
# - Each entry must reference a tracking issue and expiry date.
|
||||||
|
# - On expiry, either the coverage is fixed OR the path graduates to
|
||||||
|
# hard-fail (revert the allowlist entry).
|
||||||
|
#
|
||||||
|
# See #1823 for the gate design and ratchet plan.
|
||||||
|
|
||||||
|
# ============== Active exceptions ==============
|
||||||
|
|
||||||
|
# Filed 2026-04-23 — expiry 2026-05-23 (30 days). Tracking: #1823.
|
||||||
|
# These are the files flagged by the first run of the critical-path gate.
|
||||||
|
# QA team + platform team share ownership of test coverage remediation.
|
||||||
|
|
||||||
|
internal/handlers/a2a_proxy.go
|
||||||
|
internal/handlers/a2a_proxy_helpers.go
|
||||||
|
internal/handlers/registry.go
|
||||||
|
internal/handlers/secrets.go
|
||||||
|
internal/handlers/tokens.go
|
||||||
|
internal/handlers/workspace_provision.go
|
||||||
|
internal/middleware/wsauth_middleware.go
|
||||||
|
|
||||||
|
# The following paths matched via looser CRITICAL_PATH substrings
|
||||||
|
# (e.g. "registry" matched both internal/registry/ and internal/channels/registry.go).
|
||||||
|
# Adding them here so the gate can land without blocking staging merges;
|
||||||
|
# a follow-up PR will tighten CRITICAL_PATHS to exact prefixes so these
|
||||||
|
# graduate to hard-fail precisely where security-critical.
|
||||||
|
|
||||||
|
internal/channels/registry.go
|
||||||
|
internal/crypto/aes.go
|
||||||
|
internal/registry/access.go
|
||||||
|
internal/registry/healthsweep.go
|
||||||
|
internal/registry/hibernation.go
|
||||||
|
internal/registry/provisiontimeout.go
|
||||||
|
internal/wsauth/tokens.go
|
||||||
66
.github/workflows/ci.yml
vendored
66
.github/workflows/ci.yml
vendored
@ -91,23 +91,21 @@ jobs:
|
|||||||
echo "=== Per-file coverage (worst first) ==="
|
echo "=== Per-file coverage (worst first) ==="
|
||||||
go tool cover -func=coverage.out \
|
go tool cover -func=coverage.out \
|
||||||
| grep -v '^total:' \
|
| grep -v '^total:' \
|
||||||
| awk '{file=$1; sub(/:[0-9]+\..*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++}
|
| awk '{file=$1; sub(/:[0-9][0-9.]*:.*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++}
|
||||||
END {for (f in s) printf "%6.1f%% %s\n", s[f]/c[f], f}' \
|
END {for (f in s) printf "%6.1f%% %s\n", s[f]/c[f], f}' \
|
||||||
| sort -n
|
| sort -n
|
||||||
|
|
||||||
- name: Check coverage thresholds
|
- name: Check coverage thresholds
|
||||||
# Enforces two gates from #1823 Layer 1:
|
# Enforces two gates from #1823 Layer 1:
|
||||||
# 1. Total floor (unchanged at 25% this PR — ratchet plan in
|
# 1. Total floor (25% — ratchet plan in COVERAGE_FLOOR.md).
|
||||||
# COVERAGE_FLOOR.md). Keeping it where it was keeps this PR
|
# 2. Per-file floor — non-test .go files in security-critical
|
||||||
# strictly additive — the NEW protection is gate 2.
|
# paths with coverage <10% fail the build, UNLESS the file
|
||||||
# 2. Per-file zero-floor — any .go file (non-test) in a
|
# path is listed in .coverage-allowlist.txt (acknowledged
|
||||||
# security-critical path with coverage ≤10% fails the build.
|
# historical debt with a tracking issue + expiry).
|
||||||
# Catches the exact case that triggered #1823 (tokens.go at 0%).
|
|
||||||
run: |
|
run: |
|
||||||
set -e
|
set -e
|
||||||
TOTAL_FLOOR=25
|
TOTAL_FLOOR=25
|
||||||
# Files/paths that cannot drop to 0% coverage. Add here carefully;
|
# Security-critical paths where a 0%-coverage file is a real risk.
|
||||||
# this is the "protected paths" list for security-sensitive code.
|
|
||||||
CRITICAL_PATHS=(
|
CRITICAL_PATHS=(
|
||||||
"internal/handlers/tokens"
|
"internal/handlers/tokens"
|
||||||
"internal/handlers/workspace_provision"
|
"internal/handlers/workspace_provision"
|
||||||
@ -125,32 +123,54 @@ jobs:
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Gate 3: critical files must not be 0%
|
# Aggregate per-file coverage → /tmp/perfile.txt: "<fullpath> <pct>"
|
||||||
FAILED=0
|
|
||||||
go tool cover -func=coverage.out \
|
go tool cover -func=coverage.out \
|
||||||
| grep -v '^total:' \
|
| grep -v '^total:' \
|
||||||
| awk '{file=$1; sub(/:[0-9]+\..*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++}
|
| awk '{file=$1; sub(/:[0-9][0-9.]*:.*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++}
|
||||||
END {for (f in s) printf "%s %.1f\n", f, s[f]/c[f]}' \
|
END {for (f in s) printf "%s %.1f\n", f, s[f]/c[f]}' \
|
||||||
> /tmp/perfile.txt
|
> /tmp/perfile.txt
|
||||||
|
|
||||||
|
# Build allowlist — paths relative to workspace-server, one per line.
|
||||||
|
# Lines starting with # are comments.
|
||||||
|
ALLOWLIST=""
|
||||||
|
if [ -f ../.coverage-allowlist.txt ]; then
|
||||||
|
ALLOWLIST=$(grep -vE '^(#|[[:space:]]*$)' ../.coverage-allowlist.txt || true)
|
||||||
|
fi
|
||||||
|
|
||||||
|
FAILED=0
|
||||||
|
WARNED=0
|
||||||
for path in "${CRITICAL_PATHS[@]}"; do
|
for path in "${CRITICAL_PATHS[@]}"; do
|
||||||
while read -r file pct; do
|
while read -r file pct; do
|
||||||
if [[ "$file" == *"$path"* ]] && [[ "$file" != *_test.go ]]; then
|
[[ "$file" == *_test.go ]] && continue
|
||||||
if awk "BEGIN{exit !($pct < 10)}"; then
|
[[ "$file" == *"$path"* ]] || continue
|
||||||
echo "::error file=workspace-server/$file::Critical file at ${pct}% coverage — must be >=10% (target 80%). See #1823."
|
awk "BEGIN{exit !($pct < 10)}" || continue
|
||||||
FAILED=1
|
|
||||||
fi
|
# Strip the package-import prefix so we can match .coverage-allowlist.txt
|
||||||
|
# entries written as paths relative to workspace-server/.
|
||||||
|
rel=$(echo "$file" | sed 's|^github.com/Molecule-AI/molecule-monorepo/platform/||')
|
||||||
|
|
||||||
|
if echo "$ALLOWLIST" | grep -qxF "$rel"; then
|
||||||
|
echo "::warning file=workspace-server/$rel::Critical file at ${pct}% coverage (allowlisted, #1823) — fix before expiry."
|
||||||
|
WARNED=$((WARNED+1))
|
||||||
|
else
|
||||||
|
echo "::error file=workspace-server/$rel::Critical file at ${pct}% coverage — must be >=10% (target 80%). See #1823. To acknowledge as known debt, add this path to .coverage-allowlist.txt."
|
||||||
|
FAILED=$((FAILED+1))
|
||||||
fi
|
fi
|
||||||
done < /tmp/perfile.txt
|
done < /tmp/perfile.txt
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ "$FAILED" -eq 1 ]; then
|
echo ""
|
||||||
|
echo "Critical-path check: $FAILED new failures, $WARNED allowlisted warnings."
|
||||||
|
|
||||||
|
if [ "$FAILED" -gt 0 ]; then
|
||||||
echo ""
|
echo ""
|
||||||
echo "One or more security-critical files have ≤10% test coverage."
|
echo "$FAILED security-critical file(s) have <10% test coverage and are"
|
||||||
echo "These paths handle auth, tokens, secrets, or workspace provisioning —"
|
echo "NOT in the allowlist. These paths handle auth, tokens, secrets, or"
|
||||||
echo "a 0% file here is the exact gap that let CWE-22, CWE-78, KI-005 slip"
|
echo "workspace provisioning — a 0% file here is the exact gap that let"
|
||||||
echo "through in past incidents. Add tests or document an exception in"
|
echo "CWE-22, CWE-78, KI-005 slip through in past incidents. Either:"
|
||||||
echo "COVERAGE_FLOOR.md with a linked issue and 14-day expiry."
|
echo " (a) add tests to raise coverage above 10%, or"
|
||||||
|
echo " (b) add the path to .coverage-allowlist.txt with an expiry date"
|
||||||
|
echo " and a tracking issue reference."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user