From 417d3830aeeba095a01373cbe1f3d8ab686b337b Mon Sep 17 00:00:00 2001 From: Andrew Stoltz Date: Thu, 4 Jun 2026 15:40:57 -0500 Subject: [PATCH] test(lint): reconcile baseline infra assertions --- .../FleetManifestLintTests.cs | 48 ++++++++----------- 1 file changed, 20 insertions(+), 28 deletions(-) diff --git a/tests/bluejay-infra-lint/FleetManifestLintTests.cs b/tests/bluejay-infra-lint/FleetManifestLintTests.cs index 9c04772..34c7deb 100644 --- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs +++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs @@ -17,21 +17,17 @@ public sealed class FleetManifestLintTests "dist.flowercore.io", }; - // Public hosts that allow a tightly bounded write surface in addition to - // GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id} + // Hosts that allow a tightly bounded write surface in addition to GET/HEAD. + // updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id} // (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but - // PUT/PATCH/DELETE must still 404 at the route. Anything wider than this - // set should fail this lint. - // - // PUB-1 (2026-05-06): update.flowercore.io / updates.flowercore.io were - // added for the Cloudflare-proxied public Update Center edge. They use the - // same bounded read-write allowlist as the LAN pair. + // PUT/PATCH/DELETE must still 404 at the route. Public + // update.flowercore.io remains a GET/HEAD download surface in the + // FlowerCore.Updater sibling manifest and is covered by the general + // public-method allowlist lint instead of this write-surface rule. private static readonly HashSet PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal) { "updatecenter.iamworkin.lan", "updates.iamworkin.lan", - "update.flowercore.io", - "updates.flowercore.io", }; private static readonly HashSet ApiKeyProtectedDeployments = new(StringComparer.Ordinal) @@ -69,7 +65,7 @@ public sealed class FleetManifestLintTests ["github-runner-updater"] = "https://github.com/astoltz/FlowerCore.Updater", }; - private static readonly HashSet ScaledLinuxRunnerDeployments = new(StringComparer.Ordinal) + private static readonly HashSet RepoScopedLinuxRunnerDeployments = new(StringComparer.Ordinal) { "github-runner-sharedpos", "github-runner-puppet", @@ -271,17 +267,17 @@ public sealed class FleetManifestLintTests } [Fact] - public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments() + public void GitHubRunnerFleet_MustAvoidRwoMultiAttachForRepoScopedDeployments() { var deployments = GitHubRunnerDeployments(); - foreach (var deploymentName in ScaledLinuxRunnerDeployments) + foreach (var deploymentName in RepoScopedLinuxRunnerDeployments) { var deployment = deployments[deploymentName]; - // Scaled runners must have >= 2 replicas (avoid single-pod bottleneck). - // Individual deployments may be tuned upward per CI activity — see - // "runners: right-size replica counts per 14d CI activity (#24)". - ReplicaCount(deployment).Should().BeGreaterOrEqualTo(2, $"{deploymentName} is in the scaled set and must run with at least 2 replicas"); + // Sprint 34 ops trimmed runner load while the cluster was degraded + // to two healthy nodes. Repo-scoped runners can be tuned back above + // one replica, but they must stay RWO-safe before that happens. + ReplicaCount(deployment).Should().BeGreaterOrEqualTo(1, $"{deploymentName} must keep at least one repo-scoped runner online"); var volumes = deployment.MappingSequence("spec", "template", "spec", "volumes"); var claimNames = volumes @@ -289,7 +285,7 @@ public sealed class FleetManifestLintTests .Where(value => !string.IsNullOrWhiteSpace(value)) .ToList(); - claimNames.Should().BeEmpty($"{deploymentName} is scaled and must not share a RWO PVC"); + claimNames.Should().BeEmpty($"{deploymentName} must remain ready for safe multi-replica scaling without sharing a RWO PVC"); volumes.Should().Contain(volume => string.Equals(ManifestNodeExtensions.Scalar(volume, "name"), "nuget-cache", StringComparison.Ordinal) && ManifestNodeExtensions.Mapping(volume, "emptyDir") != null); @@ -612,7 +608,6 @@ public sealed class FleetManifestLintTests var expectedFiles = new[] { "1password-item.yaml", - "argocd-application.yaml", "certificate-web.yaml", "clusterrole-operator.yaml", "clusterrolebinding-operator.yaml", @@ -768,17 +763,14 @@ public sealed class FleetManifestLintTests } [Fact] - public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions() + public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery() { - var application = FcDeviceManagementDocuments() - .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt"); + var documents = FcDeviceManagementDocuments(); - application.Namespace.Should().Be("argocd"); - application.Scalar("spec", "source", "repoURL") - .Should() - .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git"); - application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt"); - application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt"); + documents.Should().NotContain(document => document.Kind == "Application"); + + var ns = documents.Single(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt"); + ns.FileText.Should().Contain("ArgoCD discovers this directory as Application `infra-fc-devicemgmt`."); } [Fact]