Hive Hive
Sign in
Projects
Domains
Forage
Specs
Drops

ci(kura): scope platform values.yaml changes to the gateway-throughput e2e shard

GitHub issue · Open

Metadata
Source
tuist/tuist #11321
Updated
Jun 16, 2026
Domains
Kura
Details

Context

The gateway HTTP/2 upload-window config that the gateway-throughput e2e shard validates lives in infra/helm/platform/values.yaml (the kura-*-ingress-nginx blocks). To make chart window changes exercise that e2e, infra/helm/platform/values.yaml had been added to .github/workflows/kura.yml’s push/pull_request paths: filters.

Problem

GitHub paths: is workflow-level, so that trigger ran the entire kura matrix — format, compile, clippy, tests, audit, and every e2e shard — on any edit to values.yaml, including unrelated sections (metrics-server, observability, postgres, …) with zero kura impact. Raised in review on #11266: https://github.com/tuist/tuist/pull/11266#discussion_r3419578660

Interim action (done in #11266)

Removed infra/helm/platform/values.yaml from kura.yml’s paths: filters to stop the over-broad runs.

Coverage tradeoff to restore here: with the trigger gone, a gateway nginx window change in the chart no longer auto-runs the gateway-throughput e2e. The controller unit test TestGatewayNginxConfigMatchesChart still guards chart-vs-controller config sync, but the end-to-end throughput validation won’t fire on chart-only edits until this is fixed.

Proper fix

Re-add the values.yaml trigger but scope what runs, mirroring the repo’s existing dynamic-matrix idiom (release.yml, cli.yml, pomerium-deployment.yml compute a matrix JSON and consume it via fromJSON, skipping when []):

  1. A changes gate job (git diff --name-only over PR base…head / github.event.before…sha for push) emitting:
    • codekura/** or .github/workflows/kura.yml changed
    • gatewayinfra/helm/platform/values.yaml changed
    • e2e_matrix — all shards if code; just gateway-throughput if gateway only; [] if neither
  2. Gate the Rust jobs (format/compile/clippy/tests/audit) on code; e2e-images on code || gateway.
  3. e2e consumes strategy.matrix.include: ${{ fromJSON(needs.changes.outputs.e2e_matrix) }} with if: … != '[]'.

Result: a values.yaml-only edit runs only changes + e2e-images + the gateway-throughput shard; kura code changes run the full matrix as today.

Optional refinement

Further filter to PRs that actually touch the kura-*-ingress-nginx blocks (not unrelated values.yaml sections). Path filters are file-granularity, so this needs a content-level diff (grep the values.yaml diff for the gateway blocks / window keys) in the changes job — a bit fragile, worth it only if that file churns a lot in non-kura sections.

🤖 Generated with Claude Code

Comments
E
esnunes Jun 16, 2026

Related: the throughput e2e harness also reads a single region

Same single-region drift fragility, in the e2e harness rather than CI scoping. kura/test/e2e/grpc-upload-throughput/generate-confs.sh hardcodes the gateway block it pulls window values from:

GATEWAY_KEY="${GATEWAY_KEY:-kura-us-west-ingress-nginx}"

So the harness derives its patched nginx config from only kura-us-west. If the YAML anchor (&kuraGatewayNginxConfig) is ever unwound for a per-region override, the harness keeps passing because it never looks at the other regions — the anchor sharing is a comment-level invariant that nothing in the harness enforces. Raised in review: https://github.com/tuist/tuist/pull/11266#discussion_r3419578656

Note the controller unit test (TestGatewayNginxConfigMatchesChart) was already updated in #11266 to iterate every kura-*-ingress-nginx block, so it no longer trusts the anchor. The e2e harness should get the same treatment so both render-path validators cover all regions — e.g. generate/validate confs per regional block (or at least fail if the regions diverge), rather than sampling us-west.

Worth folding into this issue’s fix since it’s the same “scope to the regions that actually changed / don’t trust the anchor” theme.