CI remediation: release upload permissions + fuzz threshold stability #89
chrisgleissner merged 1 commit into main from
Codecov Report: All modified and coverable lines are covered by tests.

| | main | #89 | +/- |
|---|---|---|---|
| Coverage | 79.67% | 79.64% | -0.03% |
| Complexity | 101 | 101 | |
| Files | 271 | 271 | |
| Lines | 28376 | 28376 | |
| Branches | 9849 | 9210 | -639 |
| Hits | 22608 | 22601 | -7 |
| Misses | 5237 | 5242 | +5 |
| Partials | 531 | 533 | +2 |
Pull request overview
Restores green CI by fixing GitHub Release upload permissions in Android/iOS workflows and reducing fuzz-test false negatives by making stagnation/encoding thresholds CI-aware; also updates PLANS.md with remediation evidence and tracking.
Changes:
- Set `contents: write` permissions to unblock `gh release upload` for Android/iOS release workflows.
- Make fuzz visual stagnation + short-video tolerances configurable and CI-tuned via env defaults.
- Replace `PLANS.md` with a CI remediation and RC release plan including run evidence/logs.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/run-fuzz.mjs | Adds CI-aware defaults for fuzz stagnation/short-video validation and uses them in report/validation thresholds. |
| playwright/fuzz/chaosRunner.fuzz.ts | Reads visual stagnation threshold from env and improves assertion messaging to reflect the configured threshold. |
| PLANS.md | Updates remediation plan/logs with CI run evidence and acceptance criteria for RC readiness. |
| .github/workflows/ios.yaml | Adjusts GITHUB_TOKEN permissions to allow iOS release asset uploads. |
| .github/workflows/android.yaml | Adjusts GITHUB_TOKEN permissions to allow Android release asset uploads. |
| if (isCiRun) { | ||
| if (!env.FUZZ_VISUAL_STAGNATION_THRESHOLD_MS) { | ||
| env.FUZZ_VISUAL_STAGNATION_THRESHOLD_MS = String(visualStagnationThresholdMs); | ||
| } | ||
| if (!env.FUZZ_SHORT_VIDEO_TOLERANCE_MS) { | ||
| env.FUZZ_SHORT_VIDEO_TOLERANCE_MS = String(shortVideoToleranceMs); | ||
| } | ||
| } |
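Review bot: The CI-only branch applies the computed defaults silently, so a nightly failure cannot be attributed to the threshold actually in force without re-deriving it from the script; log the effective FUZZ_VISUAL_STAGNATION_THRESHOLD_MS and FUZZ_SHORT_VIDEO_TOLERANCE_MS values (and whether each came from the environment or the default) once, before the Playwright shards are spawned, and let the fuzz report carry the same two numbers. A small set-default helper taking the var name and value would also remove the duplicated `if (!env.X) { env.X = String(...) }` pattern in the two blocks.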
In CI mode, the script only sets FUZZ_VISUAL_STAGNATION_THRESHOLD_MS / FUZZ_SHORT_VIDEO_TOLERANCE_MS when the env var is unset. If the env var is set but invalid (e.g. empty string, non-numeric, 0/negative), toPositiveInt() falls back for internal calculations, but the original invalid string is still passed to Playwright shards, so chaosRunner.fuzz.ts will use a different threshold than the merge/validation logic. Consider always normalizing these env vars to the computed/sanitized numeric value (or at least overriding when parsing yields a non-positive/non-finite value) so the runner and post-merge checks stay consistent.
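The inconsistency described in the comment above, shown as an added example that is not the project's `scripts/run-fuzz.mjs`: a set-if-unset pass beside a normalizing pass that rewrites each threshold var to the sanitized value the coordinator itself uses, so shards and post-merge validation always read the same number. The env var names are the ones from the PR; `toPositiveInt`, the values in `CI_DEFAULTS`, and the function names are assumptions made for this example.

```javascript
// Added example, not the project's scripts/run-fuzz.mjs. Env var names come
// from the PR; toPositiveInt, CI_DEFAULTS values and function names are
// assumptions for this example.

const CI_DEFAULTS = {
  FUZZ_VISUAL_STAGNATION_THRESHOLD_MS: 15000, // hypothetical CI default
  FUZZ_SHORT_VIDEO_TOLERANCE_MS: 2000, // hypothetical CI default
};

// Parse a strictly positive integer from an env string. Empty, non-numeric,
// non-finite, fractional, zero or negative input yields the fallback.
function toPositiveInt(value, fallback) {
  if (value === undefined || value === null) return fallback;
  const s = String(value).trim();
  if (!/^\d+$/.test(s)) return fallback; // rejects "", "abc", "1e3", "-5", "12.5"
  const n = Number(s);
  return Number.isSafeInteger(n) && n > 0 ? n : fallback;
}

// Behaviour as in the hunk: only fill a var when it is falsy. An invalid but
// non-empty string such as "0" or "abc" survives and is passed to the shards.
function setIfUnsetCiDefaults(env, isCiRun, defaults = CI_DEFAULTS) {
  const out = { ...env };
  if (!isCiRun) return out;
  for (const [name, fallback] of Object.entries(defaults)) {
    if (!out[name]) out[name] = String(fallback);
  }
  return out;
}

// Hardened variant: in CI every threshold var is overwritten with the canonical
// decimal string of the value the coordinator will use, so shards and
// post-merge validation cannot disagree. Returns the new env plus the numeric
// values so the caller can log them once before spawning shards.
function normalizeFuzzThresholdEnv(env, isCiRun, defaults = CI_DEFAULTS) {
  const out = { ...env };
  const effective = {};
  for (const [name, fallback] of Object.entries(defaults)) {
    const n = toPositiveInt(out[name], fallback);
    effective[name] = n;
    if (isCiRun) out[name] = String(n); // overwrite, not set-if-unset
  }
  return { env: out, effective };
}

// What a shard sees if it parses the raw string with Number(): this is the
// divergence the review comment describes (0 or NaN instead of the default).
function shardReads(env, name) {
  return Number(env[name]);
}

// Stand-alone demonstration with a constructed, deliberately bad environment.
const constructedEnv = {
  FUZZ_VISUAL_STAGNATION_THRESHOLD_MS: '0',
  FUZZ_SHORT_VIDEO_TOLERANCE_MS: 'abc',
};
const legacyEnv = setIfUnsetCiDefaults(constructedEnv, true);
const fixedRun = normalizeFuzzThresholdEnv(constructedEnv, true);
console.log('legacy shard value:', shardReads(legacyEnv, 'FUZZ_VISUAL_STAGNATION_THRESHOLD_MS'));
console.log('fixed shard value:', shardReads(fixedRun.env, 'FUZZ_VISUAL_STAGNATION_THRESHOLD_MS'));
console.log('effective thresholds:', fixedRun.effective);
```

The normalizing pass deliberately overwrites even a valid value (`' 30000 '` becomes `'30000'`), so the string the shards receive is always exactly what `toPositiveInt` produced; outside CI the env is left untouched and only the `effective` numbers are returned.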
| permissions: | ||
| contents: read | ||
| contents: write |
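Review bot: Be aware that a job-level `permissions` block replaces the workflow-level set rather than merging with it, so if `contents: write` is narrowed to the release job, that job must list every scope it uses, e.g. `permissions:` followed by `contents: write` under the job; any scope left out there becomes none for that job even when the workflow level grants it. Worth checking before moving the key, since a job that also reads packages or writes checks would otherwise start failing.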
Workflow-level permissions.contents is set to write for the entire workflow. Since only the release packaging/upload job needs to create/upload release assets, keeping the workflow default at contents: read and granting contents: write only on the specific release job reduces token scope and limits blast radius if any other job is compromised.
| contents: write | |
| contents: read |
| permissions: | ||
| contents: read | ||
| contents: write |
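Review bot: The default scope is widened from `read` to `write` with nothing in the file recording why; add a comment beside the `permissions` key naming `gh release upload` (the step that returned 403 under `contents: read`, per the PR summary) as the consumer, so the broadened scope is revisited rather than silently kept if that step moves or is removed.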
Workflow-level permissions.contents is set to write for the entire workflow. Since only the Release | Attach APK/AAB job needs to create/upload GitHub release assets, consider keeping the workflow default at contents: read and granting contents: write only on that job to follow least-privilege for GITHUB_TOKEN.
| contents: write | |
| contents: read |
## Summary
- fix GitHub release asset upload 403s in Android/iOS workflows
- tune CI fuzz thresholds to avoid false nightly failures from session-timeout/encoding lag
- update PLANS.md with run evidence and remediation log

## Validation
- npm run lint
- npm run test
- npm run build
- npm run test:coverage
- ./build