Skip to content

build(harness): package the integration suite as a container image (cutover)#441

Merged
bdchatham merged 2 commits into
mainfrom
feat/harness-image
Jun 23, 2026
Merged

build(harness): package the integration suite as a container image (cutover)#441
bdchatham merged 2 commits into
mainfrom
feat/harness-image

Conversation

@bdchatham

@bdchatham bdchatham commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

What

First cutover step toward retiring the seitask-runner image + Chaos-Mesh Workflow nightly.

  • test/integration/Dockerfilego test -c -tags integration → distroless/nonroot binary; entrypoint runs the selected suite via -test.run TestX. Fault + seiload manifests are //go:embed-ed, so the binary is self-contained (no scenario files to COPY).
  • ecr.yml — adds "Build and push integration-harness" (mirrors the seitask step) → pushes sei/integration-harness:<sha>.
  • .dockerignore — re-includes test/integration/**/*_test.go + *.tmpl (both excluded by the existing **/*_test.go + ** rules; the harness is entirely build-tagged _test.go).

The sei/integration-harness ECR repo is already provisioned (platform terraform, applied). Per the design discussion, the go test -c form is deliberate — it's the conventional in-cluster e2e pattern (k8s e2e.test), and _test.go + the build tag give a Go-enforced guarantee the suites can't leak into the controller binary.

Test

Validated locally (linux/amd64): image builds, and the binary lists TestBenchmark / TestChaosSuite / TestChainUpgrade / TestRelease. The ecr.yml push step runs only on merge-to-main (the repo now exists).

🤖 Generated with Claude Code

@bdchatham @claude
build(harness): package the integration suite as a container image
c5067a4 
Add test/integration/Dockerfile — `go test -c -tags integration` →
distroless/nonroot binary whose entrypoint runs the selected suite
(args: -test.run TestX). The fault + seiload manifests are //go:embed-ed,
so the binary is self-contained (no scenario files to COPY).

Add the "Build and push integration-harness" step to ecr.yml (mirrors
the seitask step), and re-include test/integration's *_test.go + *.tmpl
in .dockerignore (both excluded by the existing rules; the harness is
entirely build-tagged _test.go).

First step of the cutover that retires the seitask-runner image + the
Chaos-Mesh Workflow nightly. Validated locally: image builds, and the
binary lists TestBenchmark/TestChaosSuite/TestChainUpgrade/TestRelease.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@cursor

cursor Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

PR Summary

Low Risk
Build and CI-only changes; production controller/seitask images are unchanged, and harness sources remain gated by the integration build tag in other Docker contexts.

Overview
Adds the first cutover step toward running nightly integration tests from a dedicated sei/integration-harness image instead of seitask-runner + Chaos-Mesh workflows.

A new test/integration/Dockerfile compiles ./test/integration with go test -c -tags integration into a distroless, nonroot /harness.test binary. CronJobs are expected to pick a suite via args like -test.run TestX; embedded templates keep the image self-contained.

.dockerignore now re-includes test/integration/**/*_test.go and *.tmpl so the harness build is not stripped by the global ** / *_test.go exclusions.

.github/workflows/ecr.yml adds a build-and-push step for sei/integration-harness:<sha>, using a separate registry build cache from the controller/seitask images so test-build layers do not pollute production image cache.

Reviewed by Cursor Bugbot for commit 46b8363. Bugbot is set up for automated code reviews on this repo. Configure here.

@bdchatham @claude
build(harness): isolate the harness build cache from the controller i…
46b8363 
…mage

Per the supply-chain review: the harness image is a test-image build over
the whole test tree; sharing the controller's mode=max build cache would
let a poisoned test-build layer reach the production controller image.
Give the harness build its own cache ref (sei/build-cache:integration-harness).
Note in .dockerignore that the re-included test files enter the
controller/seitask contexts but are inert there.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@bdchatham bdchatham merged commit 795b4b4 into main Jun 23, 2026
5 checks passed
@bdchatham bdchatham deleted the feat/harness-image branch June 23, 2026 20:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bdchatham