🧪 test(ci): three-tier fuzz + soak + benchmarks (sockguard parity) and doc cleanup #19
Merged
- 📝 docs: bump v0.2.x → v0.3.x references and current-release line
- 🗑️ remove: dead 0.2.0 edge-mode references and Snyk placeholder badge
- 🔧 config: CONTRIBUTING dev-branch example dev/0.2.0 → dev/0.4.0
Completes the smoke → nightly → monthly fuzz tiering. Gives each of the five fuzz targets a 1h budget on the first of the month (dispatchable to longer budgets before a release), retries the known -fuzztime boundary flake once, and retains crash corpora for 180 days. Mirrors sockguard's monthly tier.
Stands up loadgen → portwing (generic adapter) → mockdocker and drives a sustained mixed load — cached-inventory/version/proxy reads plus SSE subscriber connect/hold/disconnect churn (the leak-prone path) — then fails if the agent's resident set grows past a budget (64 MiB default) over a multi-hour soak. Catches the long-lived-agent leak profile the unit/integration/fuzz tiers don't.
- ✨ feat(bench): mockdocker fake Docker daemon over a unix socket
- ✨ feat(bench): loadgen HTTP generator with bearer auth + SSE-churn mode
- 🧪 test: scripts/soak.sh orchestrator (build, warmup, RSS baseline, assert)
- 🧪 test(ci): quality-soak-weekly.yml (Sundays + dispatch, 4h / 64 MiB)
Go benchmarks on the per-request hot paths (auth middleware, Argon2id verify — cold derivation vs. warm SHA-256 cache, client-IP extraction, rate limiter) and the parse paths (PHC, image-ref, Drydock labels, trusted-proxy CIDRs, MCP dispatch). quality-bench-monthly.yml reruns them with -benchmem -count=5 on the first of each month and keeps a 90-day artifact, so a ns/op or allocs/op regression shows up month over month. Completes the test-posture parity with sockguard.
- 📝 docs(changelog): [Unreleased] entries for tier-3 fuzz, weekly soak, and monthly benchmark tracking
- 📝 docs(roadmap): mark three-tier fuzzing, soak, and benchmark tracking shipped under the sockguard test-posture parity item
CI lint gate flagged the soak mock:
- 🔧 config(gosec): tighten socket perms 0o666 → 0o600 (G302); same-user soak
- 🐛 fix(errcheck): check the fmt.Fprint error on the event stream
- 🔧 config(gosec): justified #nosec G706 on the opt-in %q-quoted debug log
biggest-littlest
approved these changes
Jun 16, 2026
CI's green across the board — build, integration against real dockerd, all five fuzz smokes, govulncheck, CodeQL, lint. The three new workflows validate clean and the soak ran end-to-end with zero leak. Benchmarks are a sensible baseline. Good to merge.
ALARGECOMPANY
approved these changes
Jun 16, 2026
Second pass — agree with the above. All required checks pass, workflows lint clean (actionlint + zizmor), and the changes are test/CI-only plus docs, no runtime code touched. LGTM.
What
Brings Portwing's CI test posture to parity with sockguard's, and clears the version drift that accumulated across the docs after the v0.3.0 rename.
The testing arc is now three tiers of fuzz + soak + benchmarks, matching sockguard:
- (quality-fuzz-monthly.yml) — completes the smoke (per-PR) → nightly → monthly tiering. Each of the five fuzz targets gets a 1h budget on the first of the month, dispatchable to longer budgets before a release. Retries the known -fuzztime boundary flake once; crash corpora retain 180 days.
- (quality-soak-weekly.yml + harness) — stands up loadgen → portwing (generic adapter) → mockdocker and drives a sustained mix (cached-inventory/version/proxy reads plus SSE subscriber connect/hold/disconnect churn, the leak-prone path), then fails if RSS grows past a budget (64 MiB default) over a multi-hour soak. New benchmarks/cmd/{mockdocker,loadgen} driven by scripts/soak.sh (has --dry-run).
- (quality-bench-monthly.yml + 12 benchmark funcs) — covers the per-request hot paths (auth middleware, Argon2id verify cold-vs-warm-cache, client-IP extraction, rate limiter) and the parse paths (PHC, image-ref, Drydock labels, trusted-proxy CIDRs, MCP dispatch). Reruns with -benchmem -count=5, keeps a 90-day artifact so a ns/op or allocs/op regression is visible month over month.
Plus doc cleanup: v0.2.x → v0.3.x references, dropped the dead 0.2.0 edge-mode mentions and the Snyk placeholder badge, and bumped the CONTRIBUTING dev-branch example.
Verification
- gofmt clean, go vet clean, go build ./... + full go test ./... pass (no regressions).
- ParseLabels and agentToken are 0-alloc.
- actionlint + zizmor clean on all three new workflows.
Notes
Schedules are slotted to avoid collisions: mutation 06:30, bench 07:45, deep fuzz 08:30 (UTC, day 1). The 24h soak target lands once a self-hosted runner is wired up; github-hosted runs soak 4h under the 6h job ceiling.
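
The RSS-budget assertion that the soak tier describes can be sketched as follows; this is an added example, not code from this PR or from scripts/soak.sh. The function names, the constructed status text and samples, and the choice to compare peak growth against the baseline are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// parseVmRSS returns the resident set size in KiB from the text of
// /proc/<pid>/status on Linux (line format: "VmRSS:    20480 kB").
func parseVmRSS(status string) (int64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == "VmRSS:" && f[2] == "kB" {
			return strconv.ParseInt(f[1], 10, 64)
		}
	}
	return 0, fmt.Errorf("no VmRSS line in status text")
}

// checkSoak returns the peak RSS growth over the post-warmup baseline and an
// error when that growth exceeds the budget. Using the peak rather than the
// last sample is an assumption of this sketch, not taken from scripts/soak.sh.
func checkSoak(baselineKiB int64, samplesKiB []int64, budgetMiB int64) (int64, error) {
	if len(samplesKiB) == 0 {
		return 0, fmt.Errorf("no RSS samples collected")
	}
	var peak int64
	for _, s := range samplesKiB {
		if g := s - baselineKiB; g > peak {
			peak = g
		}
	}
	if peak > budgetMiB*1024 {
		return peak, fmt.Errorf("RSS grew %d KiB, budget is %d MiB", peak, budgetMiB)
	}
	return peak, nil
}

func main() {
	// Constructed inputs: post-warmup status text, then RSS samples in KiB.
	base, _ := parseVmRSS("Name:\tportwing\nVmRSS:\t   20480 kB\nThreads:\t9\n")
	for _, run := range [][]int64{{21000, 30000, 28000}, {40000, 90000}} {
		growth, err := checkSoak(base, run, 64)
		fmt.Println(growth, err)
	}
}
```

Taking the baseline after warmup keeps one-time allocations (caches, connection pools) out of the growth figure, so the budget measures only what accumulates under sustained load.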