Conversation
product-security-plaid-production
bot
requested review from
chainchad,
george-dorin and
skudasov
|
✅ No conflicts with other open PRs targeting |
There was a problem hiding this comment.
Pull request overview
Risk Rating: MEDIUM — CI/workflow refactor that can silently change what runs post-build.
This PR splits legacy tests into “smoke” vs “non-functional” buckets and moves post-Docker-build testing into a dedicated reusable workflow invoked from docker-build.yml.
Changes:
- Add a reusable
post-docker-build.ymlworkflow to orchestrate post-build test workflows. - Move long-running legacy soak/chaos tests out of
legacy-system-tests.ymlinto a newlegacy-non-functional-tests.ymlworkflow. - Update
docker-build.ymlto call the new post-build orchestrator workflow instead of inlining multiple test jobs.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/post-docker-build.yml | New reusable workflow intended to orchestrate multiple post-Docker-build test workflows. |
| .github/workflows/legacy-system-tests.yml | Removes long-running soak/chaos tests from the legacy system test matrix. |
| .github/workflows/legacy-non-functional-tests.yml | New workflow to run the removed long-running soak/chaos tests in a separate bucket. |
| .github/workflows/docker-build.yml | Switches post-build testing to call the new post-docker-build.yml reusable workflow. |
Tofel
force-pushed
the
dx-3786-split-legacy-tests
branch
from
a13200e to
693a63b
Compare
sebawo
left a comment
sebawo
left a comment
There was a problem hiding this comment.
PR Review: [DX-3786] Split Legacy Tests
Scope: GitHub Actions workflow restructuring (+279/-50)
What This PR Does
Extracts "post-docker-build" orchestration into a dedicated workflow and splits legacy tests into:
- Smoke (fast, functional) → stays in
legacy-system-tests.yml - Non-functional (soak/chaos) → moves to new
legacy-non-functional-tests.yml
docker-build.yml now calls a single post-docker-build.yml instead of three separate inline jobs.
Issues Found
Important
1. Unpinned action versions in legacy-non-functional-tests.yml
actions/checkout@v6, actions/setup-go@v6, and actions/upload-artifact@v7 are unpinned, which is inconsistent with the other actions in the same file that ARE SHA-pinned (e.g., aws-actions/configure-aws-credentials@8df5847..., aws-actions/amazon-ecr-login@183a1442...). Unpinned tags are mutable — a compromised tag update would silently affect the workflow.
# current (unpinned)
uses: actions/checkout@v6
uses: actions/setup-go@v6 # v6
uses: actions/upload-artifact@v7
# should be SHA-pinned like other actions in this file
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.22. workflow_dispatch has no inputs in legacy-non-functional-tests.yml
The workflow_dispatch trigger defines no inputs, while workflow_call does. In GitHub Actions these are separate — a manual dispatch won't let the user supply chainlink_image_tag, ecr, chainlink_image_repository_path, or chainlink_version. This means manual triggering silently falls through to nightly-date-based image resolution and an empty chainlink_image_repository_path, which would likely break resolve-chainlink-image.sh.
# current — dispatch has no inputs
on:
workflow_dispatch:
workflow_call:
inputs:
chainlink_image_repository_path: ...
# fix — mirror inputs under workflow_dispatch as well
on:
workflow_dispatch:
inputs:
chainlink_image_repository_path:
required: false
...Suggestions
3. Redundant # v6 comment (legacy-non-functional-tests.yml)
uses: actions/setup-go@v6 # v6 ← comment duplicates what's already in the ref4. Indentation inconsistency in post-docker-build.yml
The rest of the changed files use 2-space indentation; post-docker-build.yml uses 4-space indentation throughout. Minor, but inconsistent with project style.
Positives
- Good security fix:
eval $ENV_CMD→eval "$ENV_CMD"andeval $TESTCMD→eval "$TESTCMD"inlegacy-system-tests.ymlprevents word-splitting issues. - Correct handling of secret-bearing outputs: The comment explaining why the image resolution step is duplicated (GitHub masks job outputs containing secrets) shows good awareness of Actions limitations.
- Clean separation of concerns: Moving the three post-build callers into
post-docker-build.ymlmakesdocker-build.ymlcleaner and keeps the orchestration logic in one place. run_on_prguards correctly removed: Those were only needed when smoke and non-functional tests shared a workflow; they're not needed in the dedicated non-functional workflow.
| Severity | Count | Description |
|---|---|---|
| Important | 2 | Unpinned actions, missing workflow_dispatch inputs |
| Suggestion | 2 | Redundant comment, indentation |
| Blocking | 0 | — |
The refactor logic is sound. The two important issues are worth addressing before merge — particularly the workflow_dispatch inputs gap, since manually triggering the workflow would produce a confusing/broken run.
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| pull-requests: write |
There was a problem hiding this comment.
pull-requests: write is granted to this job but the workflow doesn’t appear to perform any PR mutations (no commenting/labeling/updates). Consider dropping PR write permission to keep the GITHUB_TOKEN least-privileged, especially since this job uses OIDC and runs long-lived tests.
| pull-requests: write |
There was a problem hiding this comment.
without it one of the downstreams will fail
.github/workflows/docker-build.yml
Outdated
| checks: write | ||
| id-token: write | ||
| pull-requests: write |
There was a problem hiding this comment.
This job grants checks: write and pull-requests: write, but the downstream workflows invoked from post-docker-build.yml don’t appear to use the Checks API or mutate PRs. Consider removing unneeded scopes here so the effective token permissions for all called workflows are reduced (reusable workflows can only receive the intersection of caller/callee permissions).
| checks: write | |
| id-token: write | |
| pull-requests: write | |
| id-token: write |
There was a problem hiding this comment.
without it one of the downstreams will fail
Splits legacy tests into two buckets:
Instead of inlining these tests in
Docker Buildmove them to a dedicated workflow.Once this is done we can add these tests to
post-build-publish(release) and have faster feedback (no need to wait for soak tests to know if some of the tests have passed).Tests: