tests: add bluejay-ws runner-exclusion lint + fix 3 stale runner-fleet assertions #30

Merged
bluejay merged 1 commits from runners/bluejay-ws-exclusion-lint-2026-05-26 into main 2026-05-26 03:42:06 +00:00

Summary

Adds Runners_MustNotPinToOperatorWorkstationHosts lint test enforcing operator directive 2026-05-26: BLUEJAY-WS / iamworkin-ws must never be a fleet GitHub Actions runner. Build-side analog of the Sprint 9 NEW safe-account exclusion gate. Scans every github-runner Deployment for forbidden nodeName, nodeSelector, nodeAffinity, and toleration pinning.

See CLAUDE.md Registering BLUEJAY-WS as a fleet GitHub Actions runner Common Mistakes entry and feedback_bluejay_ws_never_public_runner.md.

Also fixes 3 pre-existing lint failures

When the runner image bumped to v20260525-ruby3.3.11-stepca (added a setup-runner-home initContainer), three assertions broke:

  • MustRegisterRequiredReposAsRepoScopedDeployments: ContainerMappings().Should().ContainSingle() started finding 2 containers (init + main)
  • MustSetWritableNonRootDotnetAndCachePaths: same root cause
  • MustAvoidRwoMultiAttachForScaledDeployments: ReplicaCount(deployment).Should().Be(2) started failing when github-runner-print-web was bumped to replicas: 3 per Sprint 24 CI right-sizing (#24)

Fix #1+#2: new MainContainerMappings() helper (containers only, excludes initContainers). The original ContainerMappings() is unchanged for callers that legitimately want both (probe assertions).

Fix #3: relax ReplicaCount assertion from Be(2) to BeGreaterOrEqualTo(2). Semantic invariant is at least 2 replicas to avoid single-pod bottleneck; per-deployment tuning upward is valid.

Verification

Lint baseline: 6 failed → 3 failed. New test passes (not in failure list).

Remaining 3 failures are out of scope for this PR:

  • PublicReadWriteIngressRoutes_MustPinGetHeadPostOptionsAllowlist: FlowerCore.Updater/k8s/ingressroute.yaml is a historical scaffold diverged from canonical apps/fc-updater/fc-updater.yaml. Fix in separate Updater PR.
  • 2× FcDeviceManagement_*: apps/fc-devicemgmt/argocd-application.yaml is missing. Needs operator domain decision on the right ArgoCD discovery convention.

Diff

tests/bluejay-infra-lint/FleetManifestLintTests.cs +124 / -3

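The three checks the PR description covers (forbidden host pinning via nodeName, nodeSelector, nodeAffinity and tolerations; counting only main containers rather than initContainers; and a replica floor of at least 2), written out as an added Python example rather than the PR's own C# FluentAssertions test in FleetManifestLintTests.cs. The manifests are constructed inline as plain dicts in the shape a YAML loader would return; the `github-runner` name prefix, the sample Deployment names and the toleration key are assumptions, and only the two hostnames come from the page.

```python
"""Added example, not code from the bluejay-infra PR: a Python lint that
mirrors the three checks the PR describes, run over constructed Deployment
manifests (plain dicts in the shape a YAML loader would produce)."""

# Hostnames the operator directive forbids as runner nodes (from the PR text).
FORBIDDEN_HOSTS = frozenset({"bluejay-ws", "iamworkin-ws"})
RUNNER_NAME_PREFIX = "github-runner"  # assumption: fleet runner Deployments share this prefix


def _names_forbidden_host(value) -> bool:
    """Case-insensitive substring match: a deny-style check should also catch
    'BLUEJAY-WS.local' or a label value like 'bluejay-ws-gpu'."""
    v = str(value).strip().lower()
    return any(host in v for host in FORBIDDEN_HOSTS)


def _name(deployment: dict) -> str:
    return (deployment.get("metadata") or {}).get("name", "<unnamed>")


def _pod_spec(deployment: dict) -> dict:
    template = (deployment.get("spec") or {}).get("template") or {}
    return template.get("spec") or {}


def pinning_violations(deployment: dict) -> list:
    """Every way a pod can be steered onto a specific node, checked against the
    forbidden hosts: nodeName, nodeSelector, nodeAffinity terms (matchExpressions
    and matchFields with operator In), and toleration key/value."""
    name, pod, findings = _name(deployment), _pod_spec(deployment), []

    node_name = pod.get("nodeName")
    if node_name and _names_forbidden_host(node_name):
        findings.append(f"{name}: nodeName pins to {node_name}")

    for key, value in (pod.get("nodeSelector") or {}).items():
        if _names_forbidden_host(value):
            findings.append(f"{name}: nodeSelector {key}={value}")

    affinity = (pod.get("affinity") or {}).get("nodeAffinity") or {}
    required = affinity.get("requiredDuringSchedulingIgnoredDuringExecution") or {}
    terms = list(required.get("nodeSelectorTerms") or [])
    for pref in affinity.get("preferredDuringSchedulingIgnoredDuringExecution") or []:
        terms.append(pref.get("preference") or {})
    for term in terms:
        for expr in (term.get("matchExpressions") or []) + (term.get("matchFields") or []):
            # Only 'In' steers toward a node; 'NotIn' (steering away) is allowed.
            values = expr.get("values") or []
            if expr.get("operator") == "In" and any(_names_forbidden_host(v) for v in values):
                findings.append(f"{name}: nodeAffinity {expr.get('key')} In {values}")

    for tol in pod.get("tolerations") or []:
        for field in ("key", "value"):
            if tol.get(field) and _names_forbidden_host(tol[field]):
                findings.append(f"{name}: toleration {field}={tol[field]}")
    return findings


def main_containers(deployment: dict) -> list:
    """Only spec.template.spec.containers; initContainers such as
    setup-runner-home are excluded (the PR's MainContainerMappings idea)."""
    return list(_pod_spec(deployment).get("containers") or [])


def replica_count(deployment: dict) -> int:
    # Kubernetes defaults spec.replicas to 1 when it is omitted.
    return int((deployment.get("spec") or {}).get("replicas", 1))


def lint_runner_fleet(deployments) -> list:
    """Apply the three checks to every github-runner Deployment; other
    workloads are out of this lint's scope."""
    findings = []
    for d in deployments:
        name = _name(d)
        if not name.startswith(RUNNER_NAME_PREFIX):
            continue
        findings += pinning_violations(d)
        n = len(main_containers(d))
        if n != 1:
            findings.append(f"{name}: expected exactly 1 main container, found {n}")
        if replica_count(d) < 2:
            findings.append(f"{name}: replicas={replica_count(d)} (< 2, single-pod bottleneck)")
    return findings


# Constructed sample manifests (not the fleet's real ones).
GOOD_RUNNER = {"kind": "Deployment", "metadata": {"name": "github-runner-print-web"},
               "spec": {"replicas": 3, "template": {"spec": {
                   "nodeSelector": {"kubernetes.io/os": "linux"},
                   "initContainers": [{"name": "setup-runner-home"}],
                   "containers": [{"name": "runner"}]}}}}

PINNED_RUNNER = {"kind": "Deployment", "metadata": {"name": "github-runner-adhoc"},
                 "spec": {"replicas": 1, "template": {"spec": {
                     "nodeName": "BLUEJAY-WS",
                     "tolerations": [{"key": "workstation", "operator": "Equal",
                                      "value": "iamworkin-ws", "effect": "NoSchedule"}],
                     "affinity": {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {
                         "nodeSelectorTerms": [{"matchExpressions": [
                             {"key": "kubernetes.io/hostname", "operator": "In",
                              "values": ["bluejay-ws"]}]}]}}},
                     "containers": [{"name": "runner"}]}}}}

NON_RUNNER = {"kind": "Deployment", "metadata": {"name": "fc-updater"},
              "spec": {"replicas": 1, "template": {"spec": {
                  "nodeName": "bluejay-ws", "containers": [{"name": "updater"}]}}}}

if __name__ == "__main__":
    for line in lint_runner_fleet([GOOD_RUNNER, PINNED_RUNNER, NON_RUNNER]):
        print(line)
```

Running the block prints four findings for `github-runner-adhoc` (nodeName, nodeAffinity, toleration, replica floor) and nothing for `github-runner-print-web`, whose initContainer no longer inflates the container count and whose `replicas: 3` clears the `>= 2` floor; `fc-updater` is skipped by the prefix filter even though it is pinned, which is the scope boundary the PR draws between the runner lint and the other fleet checks.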
bluejay added 1 commit 2026-05-26 03:41:46 +00:00
Adds Runners_MustNotPinToOperatorWorkstationHosts lint test enforcing
operator directive 2026-05-26: BLUEJAY-WS / iamworkin-ws must never be
a fleet GitHub Actions runner. Build-side analog of the Sprint 9 NEW
safe-account exclusion gate (Puppet GPO/AppLocker/WDAC/audit-forwarder
modules refuse to apply on BLUEJAY-WS). Scans every github-runner
Deployment for forbidden nodeName, nodeSelector, nodeAffinity match
expressions, and toleration key/value pinning. See CLAUDE.md "Common
Mistakes" entry and feedback_bluejay_ws_never_public_runner.md.

Also fixes 3 pre-existing GitHubRunnerFleet_* lint failures that broke
when the runner image bumped to v20260525-ruby3.3.11-stepca (added a
setup-runner-home initContainer):

  * Add MainContainerMappings() helper (containers only, excludes
    initContainers) and switch
    GitHubRunnerFleet_MustRegisterRequiredReposAsRepoScopedDeployments
    + GitHubRunnerFleet_MustSetWritableNonRootDotnetAndCachePaths
    over to it. Without this, ContainerMappings().Should().ContainSingle()
    found the initContainer + runner = 2 containers and failed.

  * Loosen GitHubRunnerFleet_MustAvoidRwoMultiAttachForScaledDeployments
    ReplicaCount assertion from Be(2) to BeGreaterOrEqualTo(2). The
    semantic invariant is "at least 2 replicas so no single-pod
    bottleneck"; deployments tuned upward per 14d CI activity (e.g.
    github-runner-print-web at replicas: 3, see commit 1f1f682 PR #24)
    are valid.

Lint baseline: 6 failed -> 3 failed (the 3 remaining are unrelated:
PublicReadWriteIngressRoutes_* lives in FlowerCore.Updater/k8s/
ingressroute.yaml — separate PR; FcDeviceManagement_* needs operator
domain decision on the missing apps/fc-devicemgmt/argocd-application.yaml).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bluejay merged commit bc8c35896f into main 2026-05-26 03:42:06 +00:00
Reference: bluejay/bluejay-infra#30