Skip to content

fix(ci): pre-start E2E stack, free BDD disk, harden pinact/IPR#1669

Open
mkostromin-sigma wants to merge 8 commits into
prebid:mainfrom
mkostromin-sigma:fix/1667-e2e-prestart-stack
Open

fix(ci): pre-start E2E stack, free BDD disk, harden pinact/IPR#1669
mkostromin-sigma wants to merge 8 commits into
prebid:mainfrom
mkostromin-sigma:fix/1667-e2e-prestart-stack

Conversation

@mkostromin-sigma

@mkostromin-sigma mkostromin-sigma commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

Unblocks red main CI after #1613/#1634 and hardens flaky required checks:

  1. fix(ci): pre-start E2E compose stack before pytest (ADCP_TESTING=true) #1667 / E2E readiness — keep ADCP_TESTING=true; pre-start compose (up -d --wait --wait-timeout 600) before pytest so --timeout=300 only covers test bodies; tighten adcp-server healthcheck; proxy depends_on: service_healthy.
  2. fix(ci): BDD In-Network ENOSPC during tox uv sync after #1613/#1634 #1662 / BDD In-Network ENOSPC — free disk + PGDATA_TMPFS_SIZE=2g before in-network tox sync (folded from fix(ci): free disk before BDD In-Network tox sync #1663).
  3. Shared _free-disk composite (DRY) + arch guards + docs/development/ci-pipeline.md.
  4. Review follow-ups — explicit pytest ADCP_TESTING pin; stronger proxy-health / ADCP_TESTING guards.
  5. deps — bump mcp>=1.28.1 for CVE-2026-59950 / GHSA-vj7q-gjh5-988w (Security Audit / pip-audit).
  6. pinact — retries + pinact run -offline=false -no-api so GitHub API 503s do not fail the required Security job.
  7. IPR durability — split verify (pull_request, read-only against signatures/ipr-signatures.json + gh retries) from sign (issue_comment → CLA Assistant after API health wait). Removes verify from relying on PR-comments API (Unicorn/HTML 503). Until this merges, main's legacy pull_request_target CLA check can still flake independently.

Closes #1667. Closes #1662.

Test plan

@mkostromin-sigma mkostromin-sigma self-assigned this Jul 16, 2026
@mkostromin-sigma mkostromin-sigma added this to the 2.X (Non breaking) milestone Jul 16, 2026
@mkostromin-sigma
mkostromin-sigma marked this pull request as draft July 16, 2026 18:27
@mkostromin-sigma
mkostromin-sigma marked this pull request as ready for review July 16, 2026 19:20
mkostromin-sigma added a commit to mkostromin-sigma/salesagent that referenced this pull request Jul 16, 2026
Extract shared runner reclaim into .github/actions/_free-disk, document
E2E pre-start + ADCP_TESTING=true verify-only path, and tighten the
pytest ADCP_TESTING contract (must stay true, not merely non-empty).
mkostromin-sigma added a commit to mkostromin-sigma/salesagent that referenced this pull request Jul 16, 2026
Pin ADCP_TESTING on the pytest step and require proxy to wait for a
healthy adcp-server so compose up --wait cannot flake on 502s.
mkostromin-sigma added a commit to mkostromin-sigma/salesagent that referenced this pull request Jul 16, 2026
Split verify (read-only signatures check + retries) from sign
(CLA Assistant after API health wait). Use pull_request so the
PR workflow applies; avoid Unicorn HTML failures on comments.
Stop clearing ADCP_TESTING in the E2E job (that forced fixture cold build
under pytest --timeout=300). CI now builds creative-agent + compose, ups
with --wait (healthchecks), then pytest verify-only. Tighten adcp-server
healthcheck probes for reliable compose --wait.
Image build + /opt/venv + a second full tox env under tox_data overflowed
ubuntu-latest after prebid#1613/prebid#1634, ENOSPCing uv sync. Reclaim runner disk,
prune the builder cache, and cap PGDATA tmpfs for the serial e2e_rest leg.
Extract shared runner reclaim into .github/actions/_free-disk, document
E2E pre-start + ADCP_TESTING=true verify-only path, and tighten the
pytest ADCP_TESTING contract (must stay true, not merely non-empty).
Pin ADCP_TESTING on the pytest step and require proxy to wait for a
healthy adcp-server so compose up --wait cannot flake on 502s.
Security Audit / pip-audit fail on mcp 1.27.2 (GHSA-vj7q-gjh5-988w).
pinact list-tags calls flake the Security gate when api.github.com
returns 503; retry with backoff before failing.
Retries still failed on persistent list-tags 503; pinact v4 -no-api
enforces SHA pins without calling api.github.com.
Split verify (read-only signatures check + retries) from sign
(CLA Assistant after API health wait). Use pull_request so the
PR workflow applies; avoid Unicorn HTML failures on comments.
@mkostromin-sigma
mkostromin-sigma force-pushed the fix/1667-e2e-prestart-stack branch from 0e2b293 to a879fe9 Compare July 16, 2026 23:32
@mkostromin-sigma mkostromin-sigma changed the title fix(ci): pre-start E2E stack before pytest fix(ci): pre-start E2E stack, free BDD disk, harden pinact/IPR Jul 17, 2026
mkostromin-sigma added a commit to mkostromin-sigma/salesagent that referenced this pull request Jul 17, 2026
Port pinact v4 -no-api from prebid#1669 so SHA-pin checks do not call
api.github.com and flake on Unicorn/503.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Under Review

Development

Successfully merging this pull request may close these issues.

fix(ci): pre-start E2E compose stack before pytest (ADCP_TESTING=true) fix(ci): BDD In-Network ENOSPC during tox uv sync after #1613/#1634

1 participant