From dbc2d33395ee7daa56fc70ed15363141da22cef1 Mon Sep 17 00:00:00 2001 From: ErenAri Date: Sat, 20 Jun 2026 21:44:48 +0300 Subject: [PATCH 1/2] Add weekly stability-gate workflow with archived readiness report Fills the production-track gap of a "stability trend with consecutive ready reports": a scheduled (weekly) + manual workflow that runs the CI-safe core (build, vet, gofmt, unit tests, govulncheck), emits a dated READY/NOT-READY report to the job summary, uploads it as an artifact, and fails if not ready. Complements rather than duplicates: VM-backed compatibility stays in the compatibility-gate workflows; freshness in kernel-freshness/profile-catalog; the full operator gate (make production-tech-check) aggregates local evidence. Actions SHA-pinned; least-privilege (contents: read); no untrusted inputs. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/stability-gate.yml | 97 ++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 .github/workflows/stability-gate.yml diff --git a/.github/workflows/stability-gate.yml b/.github/workflows/stability-gate.yml new file mode 100644 index 0000000..b023142 --- /dev/null +++ b/.github/workflows/stability-gate.yml @@ -0,0 +1,97 @@ +name: stability-gate + +# Weekly release-readiness rollup. Aggregates the CI-safe stability signals into +# a single dated READY / NOT-READY report (uploaded as an artifact and written to +# the job summary), giving the "consecutive ready reports over time" trend that +# docs/production-technical-track.md asks for. +# +# Scope: this is the lightweight, no-VM trend signal. VM-backed compatibility +# proof is covered separately by multiarch-compatibility / latest-kernel / +# bpfcompat-example-hosted; kernel freshness by kernel-freshness + +# profile-catalog-maintenance. The full operator gate (`make production-tech-check`) +# aggregates local VM/OSS evidence and is run by maintainers, not here. +# +# Actions pinned by commit SHA; least-privilege permissions. + +on: + schedule: + - cron: "13 5 * * 1" # Mondays 05:13 UTC + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + +env: + GO_VERSION: "1.25.11" + +jobs: + stability: + name: Release-readiness rollup + runs-on: ubuntu-latest + timeout-minutes: 25 + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 + with: + go-version: ${{ env.GO_VERSION }} + cache: true + + - name: Run stability checks and build report + id: gate + run: | + set -uo pipefail + ts="$(date -u +%Y%m%dT%H%M%SZ)" + mkdir -p stability + report="stability/stability-${ts}.md" + overall="READY" + + run() { + local name="$1"; shift + if "$@" >/tmp/"${name}".log 2>&1; then + printf '| %s | ✅ PASS |\n' "$name" >> /tmp/rows.md + else + printf '| %s | ❌ FAIL |\n' "$name" >> /tmp/rows.md + overall="NOT-READY" + fi + } + + : > /tmp/rows.md + run "build" go build ./... + run "vet" go vet ./... + run "gofmt" bash -c '[ -z "$(gofmt -l $(git ls-files "*.go"))" ]' + run "unit-tests" go test ./... + run "govulncheck" bash -c 'go run golang.org/x/vuln/cmd/govulncheck@latest ./...' + + { + echo "# bpfcompat stability report" + echo + echo "- Timestamp (UTC): ${ts}" + echo "- Commit: ${GITHUB_SHA}" + echo "- Overall: **${overall}**" + echo + echo "| Check | Result |" + echo "|---|---|" + cat /tmp/rows.md + echo + echo "_Scope: CI-safe checks only. VM-backed compatibility is covered by the compatibility-gate workflows; full operator gate aggregates local evidence (\`make production-tech-check\`)._" + } | tee "$report" >> "$GITHUB_STEP_SUMMARY" + + echo "overall=${overall}" >> "$GITHUB_OUTPUT" + echo "report=${report}" >> "$GITHUB_OUTPUT" + + - name: Upload stability report + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 + with: + name: stability-report + path: stability/ + if-no-files-found: error + + - name: Fail if not ready + if: steps.gate.outputs.overall != 'READY' + run: | + echo "::error::Stability gate is NOT-READY for commit ${GITHUB_SHA}" + exit 1 From 2b575f20a77d964c95eea4b39c027084d95c7f78 Mon Sep 17 00:00:00 2001 From: ErenAri Date: Sat, 20 Jun 2026 21:45:55 +0300 Subject: [PATCH 2/2] Exclude vendor from stability gofmt check; gofmt manifest.go The stability gate's gofmt check now excludes vendor/ (we don't format third-party code). Also applies gofmt to internal/manifest/manifest.go (a trivial pre-existing struct-field alignment fix surfaced by the gate), so the gate's first run reports READY. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/stability-gate.yml | 2 +- internal/manifest/manifest.go | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/stability-gate.yml b/.github/workflows/stability-gate.yml index b023142..5c68eec 100644 --- a/.github/workflows/stability-gate.yml +++ b/.github/workflows/stability-gate.yml @@ -62,7 +62,7 @@ jobs: : > /tmp/rows.md run "build" go build ./... run "vet" go vet ./... - run "gofmt" bash -c '[ -z "$(gofmt -l $(git ls-files "*.go"))" ]' + run "gofmt" bash -c '[ -z "$(gofmt -l $(git ls-files "*.go" ":!:vendor/*"))" ]' run "unit-tests" go test ./... run "govulncheck" bash -c 'go run golang.org/x/vuln/cmd/govulncheck@latest ./...' diff --git a/internal/manifest/manifest.go b/internal/manifest/manifest.go index 8c03dbe..64533aa 100644 --- a/internal/manifest/manifest.go +++ b/internal/manifest/manifest.go @@ -12,17 +12,17 @@ import ( ) type Manifest struct { - Name string `yaml:"name"` - Programs []Program `yaml:"programs"` - Maps []MapFixup `yaml:"maps,omitempty"` - ProgramVariants []ProgramVariantGroup `yaml:"program_variants,omitempty"` + Name string `yaml:"name"` + Programs []Program `yaml:"programs"` + Maps []MapFixup `yaml:"maps,omitempty"` + ProgramVariants []ProgramVariantGroup `yaml:"program_variants,omitempty"` // ProbeCompanions lists programs statically referenced from prog-array // map slots; they must stay autoloaded during trial_load probes or // slot initialization fails before the probed program is exercised. - ProbeCompanions []string `yaml:"probe_companions,omitempty"` - RequiredProfiles []string `yaml:"required_profiles,omitempty"` - FunctionalTests []FunctionalTest `yaml:"functional_tests,omitempty"` - Metadata map[string]any `yaml:"metadata,omitempty"` + ProbeCompanions []string `yaml:"probe_companions,omitempty"` + RequiredProfiles []string `yaml:"required_profiles,omitempty"` + FunctionalTests []FunctionalTest `yaml:"functional_tests,omitempty"` + Metadata map[string]any `yaml:"metadata,omitempty"` } // ProgramVariantGroup declares alternative programs for the same event where