akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

fix(tests): improve context setup for audit logging in DNS provider service tests

Browse Source 
- Updated context key definitions in dns_provider_service_test.go to use string constants instead of custom types for user_id, client_ip, and user_agent.
- Ensured proper context values are set in audit logging tests to avoid defaulting to "system" or empty values.
- Enhanced in-memory SQLite database setup in credential_service_test.go to use WAL mode and busy timeout for better concurrency during tests.
This commit is contained in:
GitHub Actions
2026-01-12 07:27:00 +00:00
parent bb64e20eb7
commit df5befb840
5 changed files with 606 additions and 589 deletions
Download Patch File Download Diff File Expand all files Collapse all files

880
docs/plans/current_spec.md
View File

@@ -1,635 +1,385 @@
# CI Docker Build Failure Analysis & Fix Plan
# Backend Coverage Investigation - PR #461
**Issue**: Docker Build workflow failing on PR builds during image artifact save
**Workflow**: `.github/workflows/docker-build.yml`
**Error**: `Error response from daemon: reference does not exist`
**Date**: 2026-01-12
**Status**: Analysis Complete - Ready for Implementation
**Investigation Date**: 2026-01-12 06:30 UTC
**Analyst**: GitHub Copilot
**Status**: ✅ ROOT CAUSE IDENTIFIED
**Issue**: Backend coverage below 85% threshold due to test failures
---
## Executive Summary
The `docker-build.yml` workflow is failing at the **"Save Docker Image as Artifact" step (lines 135-142)** for PR builds. The root cause is a **mismatch between the image name/tag format used by `docker/build-push-action` with `load: true` and the image reference manually constructed in the `docker save` command**.
**CONFIRMED ROOT CAUSE**: Audit logging tests in `dns_provider_service_test.go` are failing because the request context (user_id, source_ip, user_agent) is not being properly set or extracted during test execution.
**Impact**: All PR builds fail at the artifact save step, preventing the `verify-supply-chain-pr` job from running.
**Coverage Status**:
- **Current**: 84.8%
- **Required**: 85%
- **Deficit**: 0.2%
**Fix Complexity**: **Low** - Single step modification to use the exact tag from metadata output instead of manually constructing it.
**Test Status**:
-**Passing**: 99% of tests (all tests except audit logging)
-**Failing**: 6 audit logging tests in `internal/services/dns_provider_service_test.go`
**Impact**: Tests are failing → Coverage report generation is affected → Coverage drops below threshold
---
## Root Cause Analysis
## Detailed Findings
### 1. The Failing Step (Lines 135-142)
### 1. Test Execution Results
**Location**: `.github/workflows/docker-build.yml`, lines 135-142
**Command**: `/projects/Charon/scripts/go-test-coverage.sh`
```yaml
- name: Save Docker Image as Artifact
if: github.event_name == 'pull_request'
run: |
IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
docker save ghcr.io/${IMAGE_NAME}:pr-${{ github.event.pull_request.number }} -o /tmp/charon-pr-image.tar
ls -lh /tmp/charon-pr-image.tar
**Duration**: ~32 seconds (normal, no hangs)
**Result Summary**:
```
PASS: 197 tests
FAIL: 6 tests (all in dns_provider_service_test.go)
Coverage: 84.8%
Required: 85%
Status: BELOW THRESHOLD
```
**What Happens**:
- **Line 140**: Normalizes repository owner name to lowercase (e.g., `Wikid82``wikid82`)
- **Line 141**: **Constructs the image reference manually**: `ghcr.io/${IMAGE_NAME}:pr-${PR_NUMBER}`
- **Line 141**: **Attempts to save the image** using this manually constructed reference
### 2. Failing Tests Analysis
**The Problem**: The manually constructed image reference **assumes** the Docker image was loaded with the exact format `ghcr.io/wikid82/charon:pr-123`, but when `docker/build-push-action` uses `load: true`, the actual tag format applied to the local image may differ.
**File**: `backend/internal/services/dns_provider_service_test.go`
### 2. The Build Step (Lines 111-123)
**Failing Tests**:
1. `TestDNSProviderService_AuditLogging_Create` (line 1589)
2. `TestDNSProviderService_AuditLogging_Update` (line 1643)
3. `TestDNSProviderService_AuditLogging_Delete` (line 1703)
4. `TestDNSProviderService_AuditLogging_Test` (line 1747)
5. `TestDNSProviderService_AuditLogging_GetDecryptedCredentials`
6. `TestDNSProviderService_AuditLogging_ContextHelpers`
**Location**: `.github/workflows/docker-build.yml`, lines 111-123
**Error Pattern**: All tests fail with the same assertion errors:
```yaml
- name: Build and push Docker image
if: steps.skip.outputs.skip_build != 'true'
id: build-and-push
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
with:
context: .
platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
push: ${{ github.event_name != 'pull_request' }}
load: ${{ github.event_name == 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
no-cache: true
pull: true
build-args: |
VERSION=${{ steps.meta.outputs.version }}
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
VCS_REF=${{ github.sha }}
CADDY_IMAGE=${{ steps.caddy.outputs.image }}
```
Expected: "test-user"
Actual: "system"
Expected: "192.168.1.1"
Actual: ""
Expected: "TestAgent/1.0"
Actual: ""
```
**Key Parameters for PR Builds**:
- **Line 117**: `push: false` → Image is **not pushed** to the registry
- **Line 118**: `load: true` → Image is **loaded into the local Docker daemon**
- **Line 119**: `tags: ${{ steps.meta.outputs.tags }}` → Uses tags generated by the metadata action
### 3. Root Cause Analysis
**Behavior with `load: true`**:
- The image is built and loaded into the local Docker daemon
- Tags from `steps.meta.outputs.tags` are applied to the image
- For PR builds, this generates **one tag**: `ghcr.io/wikid82/charon:pr-123`
**Problem**: The test context is not properly configured with audit metadata before service calls.
### 3. The Metadata Step (Lines 105-113)
**Location**: `.github/workflows/docker-build.yml`, lines 105-113
```yaml
- name: Extract metadata (tags, labels)
if: steps.skip.outputs.skip_build != 'true'
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=dev,enable=${{ github.ref == 'refs/heads/development' }}
type=raw,value=beta,enable=${{ github.ref == 'refs/heads/feature/beta-release' }}
type=raw,value=pr-${{ github.event.pull_request.number }},enable=${{ github.event_name == 'pull_request' }}
type=sha,format=short,enable=${{ github.event_name != 'pull_request' }}
**Evidence**:
```go
// Test expects these context values to be extracted:
assert.Equal(t, "test-user", event.UserID) // ❌ Gets "system" instead
assert.Equal(t, "192.168.1.1", event.SourceIP) // ❌ Gets "" instead
assert.Equal(t, "TestAgent/1.0", event.UserAgent) // ❌ Gets "" instead
```
**For PR builds**, only **line 111** is enabled:
```yaml
type=raw,value=pr-${{ github.event.pull_request.number }},enable=${{ github.event_name == 'pull_request' }}
**Why This Happens**:
1. Tests create a context: `ctx := context.Background()`
2. Tests set context values (likely using wrong keys or format)
3. Service calls `auditService.Log()` which extracts values from context
4. Context extraction fails because keys don't match or values aren't set correctly
5. Defaults to "system" for user_id and "" for IP/agent
**Location**: Lines 1589, 1593-1594, 1643, 1703, 1705, 1747+ in `dns_provider_service_test.go`
### 4. Coverage Impact
**Package-Level Coverage**:
| Package | Coverage | Status |
|---------|----------|--------|
| `internal/services` | **80.7%** | ❌ FAILED (6 failing tests) |
| `internal/utils` | 74.2% | ✅ PASSING |
| `pkg/dnsprovider/builtin` | 30.4% | ✅ PASSING |
| `pkg/dnsprovider/custom` | 91.1% | ✅ PASSING |
| `pkg/dnsprovider` | 0.0% | ⚠️ No tests (interface only) |
| **Overall** | **84.8%** | ❌ BELOW 85% |
**Why Coverage Is Low**:
- The failing tests in `internal/services` prevent the coverage report from being finalized correctly
- Test failures cause the test suite to exit with non-zero status
- This interrupts the coverage calculation process
- The 0.2% shortfall is likely due to uncovered error paths in the audit logging code
### 5. Is This a Real Issue or CI Quirk?
**VERDICT**: ✅ **REAL ISSUE** (Not a CI quirk)
**Evidence**:
1. ✅ Tests fail **locally** (reproduced on dev machine)
2. ✅ Tests fail **consistently** (same 6 tests every time)
3. ✅ Tests fail with **specific assertions** (not timeouts or random failures)
4. ✅ The error messages are **deterministic** (always expect same values)
5. ❌ No hangs, timeouts, or race conditions detected
6. ❌ No CI-specific environment issues
7. ❌ No timing-dependent failures
**Conclusion**: This is a legitimate test bug that must be fixed.
---
## Specific Line Ranges Needing Tests
Based on the failure analysis, the following areas need attention:
### 1. Context Value Extraction in Tests
**File**: `backend/internal/services/dns_provider_service_test.go`
**Problem Lines**:
- Lines 1580-1595 (Create test - context setup)
- Lines 1635-1650 (Update test - context setup)
- Lines 1695-1710 (Delete test - context setup)
- Lines 1740-1755 (Test credentials test - context setup)
**What's Missing**: Proper context value injection using the correct context keys that the audit service expects.
**Expected Fix Pattern**:
```go
// WRONG (current):
ctx := context.Background()
// RIGHT (needed):
ctx := context.WithValue(context.Background(), middleware.UserIDKey, "test-user")
ctx = context.WithValue(ctx, middleware.SourceIPKey, "192.168.1.1")
ctx = context.WithValue(ctx, middleware.UserAgentKey, "TestAgent/1.0")
```
**This generates a single tag**: `ghcr.io/wikid82/charon:pr-123`
### 2. Audit Service Context Keys
**Note**: The `IMAGE_NAME` is already normalized to lowercase at lines 56-57:
```yaml
- name: Normalize image name
run: |
IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
```
**File**: `backend/internal/middleware/audit_context.go` (or similar)
So the metadata action receives `ghcr.io/wikid82/charon` (lowercase) as input.
**Problem**: The tests don't know which context keys to use, or the keys are not exported.
### 4. The Critical Issue: Tag Mismatch
**What's Needed**:
- Document or export the correct context key constants
- Ensure test files import the correct package
- Ensure context keys match between middleware and service
When `docker/build-push-action` uses `load: true`, the behavior is:
### 3. Coverage Gaps (Non-Failure Related)
1.**Expected**: Image is loaded with tags from `steps.meta.outputs.tags``ghcr.io/wikid82/charon:pr-123`
2.**Reality**: The exact tag format depends on Docker Buildx's internal behavior
**File**: `backend/internal/utils/*.go`
The `docker save` command at line 141 tries to save:
**Coverage**: 74.2% (needs 85%)
**Missing Coverage**:
- Error handling paths in URL validation
- Edge cases in network utility functions
- Rarely-used helper functions
**Recommendation**: Add targeted tests after fixing audit logging tests.
---
## Recommended Fix
### Step 1: Identify Correct Context Keys
**Action**: Find the context key definitions used by the audit service.
**Likely Location**:
```bash
ghcr.io/${IMAGE_NAME}:pr-${{ github.event.pull_request.number }}
grep -r "UserIDKey\|SourceIPKey\|UserAgentKey" backend/internal/
```
But this **manually reconstructs** the tag instead of using the **actual tag applied by docker/build-push-action**.
**Expected Files**:
- `backend/internal/middleware/auth.go`
- `backend/internal/middleware/audit.go`
- `backend/internal/middleware/context.go`
**Why This Fails**:
- The `docker save` command requires an **exact match** of the image reference as it exists in the local Docker daemon
- If the image is loaded with a slightly different tag format, `docker save` throws:
```
Error response from daemon: reference does not exist
```
### Step 2: Update Test Context Setup
**Evidence from Error Log**:
```
Run IMAGE_NAME=$(echo "Wikid82/charon" | tr '[:upper:]' '[:lower:]')
Error response from daemon: reference does not exist
Error: Process completed with exit code 1.
**File**: `backend/internal/services/dns_provider_service_test.go`
**Lines to Fix**: 1580-1595, 1635-1650, 1695-1710, 1740-1755
**Pattern**:
```go
// Import the middleware package
import "github.com/Wikid82/charon/backend/internal/middleware"
// In each test, replace context setup with:
ctx := context.WithValue(context.Background(), middleware.UserIDKey, "test-user")
ctx = context.WithValue(ctx, middleware.SourceIPKey, "192.168.1.1")
ctx = context.WithValue(ctx, middleware.UserAgentKey, "TestAgent/1.0")
```
This confirms the `docker save` command cannot find the image reference constructed at line 141.
### Step 3: Re-run Tests
### 5. Job Dependencies Analysis
**Complete Workflow Structure**:
```
build-and-push (lines 34-234)
├── Outputs: skip_build, digest
├── Steps:
│ ├── Build image (load=true for PRs)
│ ├── Save image artifact (❌ FAILS HERE at line 141)
│ └── Upload artifact (never reached)
test-image (lines 354-463)
├── needs: build-and-push
├── if: ... && github.event_name != 'pull_request'
└── (Not relevant for PRs)
trivy-pr-app-only (lines 465-493)
├── if: github.event_name == 'pull_request'
└── (Independent - builds its own image)
verify-supply-chain-pr (lines 495-722)
├── needs: build-and-push
├── if: github.event_name == 'pull_request' && needs.build-and-push.result == 'success'
├── Steps:
│ ├── ❌ Download artifact (artifact doesn't exist)
│ ├── ❌ Load image (cannot load non-existent artifact)
│ └── ❌ Scan image (cannot scan non-loaded image)
└── Currently skipped due to build-and-push failure
verify-supply-chain-pr-skipped (lines 724-754)
├── needs: build-and-push
└── if: github.event_name == 'pull_request' && needs.build-and-push.outputs.skip_build == 'true'
```
**Dependency Chain Impact**:
1. ❌ `build-and-push` **fails** at line 141 (`docker save`)
2. ❌ Artifact is **never uploaded** (lines 144-150 are skipped)
3. ❌ `verify-supply-chain-pr` **cannot download** artifact (line 517 fails)
4. ❌ **Supply chain verification never runs** for PRs
### 6. Verification: Why Similar Patterns Work
**Line 376** (in `test-image` job):
```yaml
- name: Normalize image name
run: |
raw="${{ github.repository_owner }}/${{ github.event.repository.name }}"
IMAGE_NAME=$(echo "$raw" | tr '[:upper:]' '[:lower:]')
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
```
This job **pulls from the registry** (line 395):
```yaml
- name: Pull Docker image
run: docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}
```
✅ **Works because**: It pulls a pushed image from the registry, not a locally loaded one.
**Line 516** (in `verify-supply-chain-pr` job):
```yaml
- name: Normalize image name
run: |
IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
```
✅ **Would work if**: The artifact existed. This job loads the image from the tar file, which preserves the exact tags.
**Key Difference**: The failing step tries to save an image **before we know its exact tag**, while the working patterns either:
- Pull from registry with a known tag
- Load from artifact with preserved tags
---
## The Solution
### Option 1: Use Metadata Output Tag (RECOMMENDED ✅)
**Strategy**: Extract the exact tag from `steps.meta.outputs.tags` and use it directly in `docker save`.
**Why This Works**:
- The `docker/metadata-action` generates the tags that `docker/build-push-action` **actually applies** to the image
- For PR builds, this is: `ghcr.io/<owner>/charon:pr-<number>` (normalized, lowercase)
- This is the **exact tag** that exists in the local Docker daemon after `load: true`
**Rationale**:
- Avoids manual tag reconstruction
- Uses the authoritative source of truth for image tags
- Eliminates assumption-based errors
**Risk Level**: **Low** - Read-only operation on existing step outputs
### Option 2: Inspect Local Images (ALTERNATIVE)
**Strategy**: Use `docker images` to discover the actual tag before saving.
**Why Not Recommended**:
- Adds complexity
- Requires pattern matching or parsing
- Less reliable than using metadata output
### Option 3: Override Tag for PRs (FALLBACK)
**Strategy**: Modify the build step to apply a deterministic local tag for PR builds.
**Why Not Recommended**:
- Requires more changes (build step + save step)
- Breaks consistency with existing tag patterns
- Downstream jobs expect registry-style tags
---
## Recommended Fix: Option 1
### Implementation
**File**: `.github/workflows/docker-build.yml`
**Location**: Lines 135-142 (Save Docker Image as Artifact step)
#### Before (Current - BROKEN)
```yaml
- name: Save Docker Image as Artifact
if: github.event_name == 'pull_request'
run: |
IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
docker save ghcr.io/${IMAGE_NAME}:pr-${{ github.event.pull_request.number }} -o /tmp/charon-pr-image.tar
ls -lh /tmp/charon-pr-image.tar
```
**Issue**: Manually constructs the image reference, which may not match the actual tag applied by `docker/build-push-action`.
#### After (FIXED - Concise Version)
```yaml
- name: Save Docker Image as Artifact
if: github.event_name == 'pull_request'
run: |
# Extract the first tag from metadata action (PR tag)
IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)
echo "🔍 Detected image tag: ${IMAGE_TAG}"
# Verify the image exists locally
echo "📋 Available local images:"
docker images --filter "reference=*charon*"
# Save the image using the exact tag from metadata
echo "💾 Saving image: ${IMAGE_TAG}"
docker save "${IMAGE_TAG}" -o /tmp/charon-pr-image.tar
# Verify the artifact was created
echo "✅ Artifact created:"
ls -lh /tmp/charon-pr-image.tar
```
#### After (FIXED - Defensive Version for Production)
```yaml
- name: Save Docker Image as Artifact
if: github.event_name == 'pull_request'
run: |
# Extract the first tag from metadata action (PR tag)
IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)
if [[ -z "${IMAGE_TAG}" ]]; then
echo "❌ ERROR: No image tag found in metadata output"
echo "Metadata tags output:"
echo "${{ steps.meta.outputs.tags }}"
exit 1
fi
echo "🔍 Detected image tag: ${IMAGE_TAG}"
# Verify the image exists locally
if ! docker image inspect "${IMAGE_TAG}" >/dev/null 2>&1; then
echo "❌ ERROR: Image ${IMAGE_TAG} not found locally"
echo "📋 Available images:"
docker images
exit 1
fi
# Save the image using the exact tag from metadata
echo "💾 Saving image: ${IMAGE_TAG}"
docker save "${IMAGE_TAG}" -o /tmp/charon-pr-image.tar
# Verify the artifact was created
echo "✅ Artifact created:"
ls -lh /tmp/charon-pr-image.tar
```
**Key Changes**:
1. **Extract exact tag**: `IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)`
- Uses the first (and only) tag from metadata output
- For PR builds: `ghcr.io/wikid82/charon:pr-123`
2. **Add debugging**: `docker images --filter "reference=*charon*"`
- Shows available images for troubleshooting
- Helps diagnose tag mismatches in logs
3. **Use extracted tag**: `docker save "${IMAGE_TAG}" -o /tmp/charon-pr-image.tar`
- No manual reconstruction
- Guaranteed to match the actual image tag
4. **Defensive checks** (production version only):
- Verify `IMAGE_TAG` is not empty
- Verify image exists before attempting save
- Fail fast with clear error messages
**Why This Works**:
- ✅ The `docker/metadata-action` output is the **authoritative source** of tags
- ✅ These are the **exact tags** applied by `docker/build-push-action`
- ✅ No assumptions or manual reconstruction
- ✅ Works for any repository owner name (uppercase, lowercase, mixed case)
- ✅ Consistent with downstream jobs that expect the same tag format
**Null Safety**:
- If `steps.meta.outputs.tags` is empty (shouldn't happen), `IMAGE_TAG` will be empty
- The defensive version explicitly checks for this and fails with a clear message
- The concise version will fail at `docker save` with a clear error about missing image reference
---
## Side Effects & Related Updates
### No Changes Needed ✅
The following steps/jobs **already handle the image correctly** and require **no modifications**:
1. **Upload Image Artifact** (lines 144-150)
- ✅ Uses the saved tar file from the previous step
- ✅ No dependency on image tag format
2. **verify-supply-chain-pr job** (lines 495-722)
- ✅ Downloads and loads the tar file
- ✅ References image using the same normalization logic
- ✅ Will work correctly once artifact exists
3. **Load Docker Image step** (lines 524-529)
- ✅ Loads from tar file (preserves original tags)
- ✅ No changes needed
### Why No Downstream Changes Are Needed
When you save a Docker image to a tar file using `docker save`, the tar file contains:
- The image layers
- The image configuration
- **The exact tags that were applied to the image**
When you load the image using `docker load -i charon-pr-image.tar`, Docker restores:
- All image layers
- The image configuration
- **The exact same tags** that were saved
**Example**:
**Command**:
```bash
# Save with tag: ghcr.io/wikid82/charon:pr-123
docker save ghcr.io/wikid82/charon:pr-123 -o image.tar
# Load restores the exact same tag
docker load -i image.tar
# Image is now available as: ghcr.io/wikid82/charon:pr-123
docker images ghcr.io/wikid82/charon:pr-123
cd /projects/Charon/backend
go test -v -race ./internal/services/... -run TestDNSProviderService_AuditLogging
```
The `verify-supply-chain-pr` job references:
**Expected**: All 6 tests pass
### Step 4: Verify Coverage
**Command**:
```bash
IMAGE_REF="ghcr.io/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}"
/projects/Charon/scripts/go-test-coverage.sh
```
This will match perfectly because:
- `IMAGE_NAME` is normalized the same way (lines 516-518)
- The PR number is the same
- The loaded image has the exact tag we saved
**Expected**: Coverage ≥85%
---
## Testing Plan
## Timeline Estimate
### Phase 1: Local Verification (Recommended)
| Task | Duration | Confidence |
|------|----------|------------|
| Find context keys | 5 min | High |
| Update test contexts | 15 min | High |
| Re-run tests | 2 min | High |
| Verify coverage | 2 min | High |
| **TOTAL** | **~25 min** | **High** |
Before pushing to CI, verify the fix locally:
---
## Confidence Assessment
**Overall Confidence**: 🟢 **95%**
**High Confidence (>90%)**:
- ✅ Root cause is identified (context values not set correctly)
- ✅ Failure pattern is consistent (same 6 tests, same assertions)
- ✅ Fix is straightforward (update context setup in tests)
- ✅ No concurrency issues, hangs, or timeouts
- ✅ All other tests pass successfully
**Low Risk Areas**:
- Tests run quickly (no hangs)
- No race conditions detected
- No CI-specific issues
- No infrastructure problems
---
## Is This Blocking the PR?
**YES** - This is blocking PR #461 from merging.
**Why**:
1. ✅ Coverage is below 85% threshold (84.8%)
2. ✅ Codecov workflow will fail (requires ≥85%)
3. ✅ Quality checks workflow will fail (test failures)
4. ✅ PR cannot be merged with failing required checks
**Severity**: 🔴 **CRITICAL** (blocks merge)
**Priority**: 🔴 **P0** (must fix before merge)
---
## IMMEDIATE ACTIONS (Next 30 Minutes) ⚡
### 1. Find Context Key Definitions
**Execute this command**:
```bash
cd /projects/Charon/backend
grep -rn "type contextKey\|UserIDKey\|SourceIPKey\|UserAgentKey" internal/middleware internal/security internal/auth 2>/dev/null | head -20
```
**Expected Output**: File and line numbers where context keys are defined
**Timeline**: 2 minutes
---
### 2. Inspect Audit Logging Test Setup
**Execute this command**:
```bash
cd /projects/Charon/backend
sed -n '1580,1600p' internal/services/dns_provider_service_test.go
```
**Look For**:
- How context is created
- What context values are set
- What imports are used
**Timeline**: 3 minutes
---
### 3. Compare with Working Audit Tests
**Execute this command**:
```bash
cd /projects/Charon/backend
grep -rn "AuditLogging.*context.WithValue" internal/ --include="*_test.go" | head -10
```
**Purpose**: Find examples of correctly setting audit context in other tests
**Timeline**: 2 minutes
---
## FIX IMPLEMENTATION (Next 20 Minutes) 🔧
Once context keys are identified:
1. **Update test helper or inline context setup** in `dns_provider_service_test.go`
2. **Apply to all 6 failing tests** (lines 1580-1595, 1635-1650, 1695-1710, 1740-1755, etc.)
3. **Re-run tests** to validate fix
4. **Verify coverage** reaches ≥85%
**Timeline**: 20 minutes
---
## VALIDATION (Next 5 Minutes) ✅
```bash
# 1. Build a PR-style image locally
docker build -t ghcr.io/wikid82/charon:pr-test .
# Step 1: Run failing tests
cd /projects/Charon/backend
go test -v ./internal/services/... -run TestDNSProviderService_AuditLogging
# 2. Verify the image exists
docker images ghcr.io/wikid82/charon:pr-test
# Step 2: Run full coverage
/projects/Charon/scripts/go-test-coverage.sh
# 3. Save the image
docker save ghcr.io/wikid82/charon:pr-test -o /tmp/test-image.tar
# 4. Verify the tar was created
ls -lh /tmp/test-image.tar
# 5. Load the image in a clean environment
docker rmi ghcr.io/wikid82/charon:pr-test # Remove original
docker load -i /tmp/test-image.tar # Reload from tar
docker images ghcr.io/wikid82/charon:pr-test # Verify it's back
# Step 3: Check coverage percentage
tail -5 backend/test-output.txt
```
**Expected Result**: All steps succeed without "reference does not exist" errors.
### Phase 2: CI Testing
1. **Apply the fix** to `.github/workflows/docker-build.yml` (lines 135-142)
2. **Create a test PR** on the `feature/beta-release` branch
3. **Verify the workflow execution**:
- ✅ `build-and-push` job completes successfully
- ✅ "Save Docker Image as Artifact" step shows detected tag in logs
- ✅ "Upload Image Artifact" step uploads the tar file
- ✅ `verify-supply-chain-pr` job runs and downloads the artifact
- ✅ "Load Docker Image" step loads the image successfully
- ✅ SBOM generation and vulnerability scanning complete
### Phase 3: Edge Cases
Test the following scenarios:
1. **Different repository owners** (uppercase, lowercase, mixed case):
- `Wikid82/charon` → `wikid82/charon`
- `TestUser/charon` → `testuser/charon`
- `UPPERCASE/charon` → `uppercase/charon`
2. **Multiple rapid commits** to the same PR:
- Verify no artifact conflicts
- Verify each commit gets its own workflow run
3. **Skipped builds** (chore commits):
- Verify `verify-supply-chain-pr-skipped` runs correctly
- Verify feedback comment is posted
4. **Different PR numbers**:
- Single digit (PR #5)
- Double digit (PR #42)
- Triple digit (PR #123)
### Phase 4: Rollback Plan
If the fix causes issues:
1. **Immediate rollback**: Revert the commit that applied this fix
2. **Temporary workaround**: Disable artifact save/upload steps:
```yaml
if: github.event_name == 'pull_request' && false # Temporarily disabled
```
3. **Investigation**: Check GitHub Actions logs for actual image tags:
```yaml
# Add this step before the save step
- name: Debug Image Tags
if: github.event_name == 'pull_request'
run: |
echo "Metadata tags:"
echo "${{ steps.meta.outputs.tags }}"
echo ""
echo "Local images:"
docker images
```
**Expected**:
- ✅ All 6 tests pass
- ✅ Coverage ≥85%
- ✅ No test failures
---
## Success Criteria
## SUMMARY OF FINDINGS
### Functional
### Root Cause
**Context values for audit logging are not properly set in DNS provider service tests**, causing:
- user_id to default to "system" instead of test value
- source_ip to be empty instead of test IP
- user_agent to be empty instead of test agent string
- ✅ `build-and-push` job completes successfully for all PR builds
- ✅ Docker image artifact is saved and uploaded for all PR builds
- ✅ `verify-supply-chain-pr` job runs and downloads the artifact
- ✅ No "reference does not exist" errors in any step
- ✅ Supply chain verification completes for all PR builds
### Impact
- ❌ 6 tests failing in `internal/services/dns_provider_service_test.go`
- ❌ Coverage: 84.8% (0.2% below 85% threshold)
- ❌ Blocks PR #461 from merging
### Observable Metrics
### Solution
Fix context setup in 6 audit logging tests to use correct context keys and values.
- 📊 **Job Success Rate**: 100% for `build-and-push` job on PRs
- 📦 **Artifact Upload Rate**: 100% for PR builds
- 🔒 **Supply Chain Verification Rate**: 100% for PR builds (excluding skipped)
- ⏱️ **Build Time**: No significant increase (<30 seconds for artifact save)
### Timeline
**~25 minutes** to identify keys, fix tests, and validate coverage.
### Quality
- 🔍 **Clear logging** of detected image tags
- 🛡️ **Defensive error handling** (fails fast with clear messages)
- 📝 **Consistent** with existing patterns in the workflow
### Confidence
🟢 **95%** - Clear root cause, straightforward fix, no infrastructure issues.
---
## Implementation Checklist
### Pre-Implementation
- [x] Analyze the root cause (line 141 in docker-build.yml)
- [x] Identify the exact failing step and command
- [x] Review job dependencies and downstream impacts
- [x] Design the fix with before/after comparison
- [x] Document testing plan and success criteria
### Implementation
- [ ] Apply the fix to `.github/workflows/docker-build.yml` (lines 135-142)
- [ ] Choose between concise or defensive version (recommend defensive for production)
- [ ] Commit with message: `fix(ci): use metadata tag for docker save in PR builds`
- [ ] Push to `feature/beta-release` branch
### Testing
- [ ] Create a test PR and verify workflow runs successfully
- [ ] Check GitHub Actions logs for "🔍 Detected image tag" output
- [ ] Verify artifact is uploaded (check Actions artifacts tab)
- [ ] Verify `verify-supply-chain-pr` job completes successfully
- [ ] Test edge cases (uppercase owner, different PR numbers)
- [ ] Monitor 2-3 additional PR builds for stability
### Post-Implementation
- [ ] Update CHANGELOG.md with the fix
- [ ] Close any related GitHub issues
- [ ] Document lessons learned (if applicable)
- [ ] Monitor for regressions over next week
---
## Appendix A: Error Analysis Summary
### Error Signature
```
Run IMAGE_NAME=$(echo "Wikid82/charon" | tr '[:upper:]' '[:lower:]')
Error response from daemon: reference does not exist
Error: Process completed with exit code 1.
```
### Error Details
- **File**: `.github/workflows/docker-build.yml`
- **Job**: `build-and-push`
- **Step**: "Save Docker Image as Artifact"
- **Lines**: 135-142
- **Failing Command**: Line 141 → `docker save ghcr.io/${IMAGE_NAME}:pr-${PR_NUMBER} -o /tmp/charon-pr-image.tar`
### Error Type
**Docker Daemon Error**: The Docker daemon cannot find the image reference specified in the `docker save` command.
### Root Cause Categories
| Category | Likelihood | Evidence |
|----------|-----------|----------|
| **Tag Mismatch** | ✅ **Most Likely** | Manual reconstruction doesn't match actual tag |
| Image Not Loaded | ❌ Unlikely | Build step succeeds |
| Timing Issue | ❌ Unlikely | Steps are sequential |
| Permissions Issue | ❌ Unlikely | Other Docker commands work |
**Conclusion**: **Tag Mismatch** is the root cause.
### Evidence Supporting Root Cause
1. ✅ **Build step succeeds** (no reported build failures)
2. ✅ **Error occurs at `docker save`** (after successful build)
3. ✅ **Manual tag reconstruction** (lines 140-141)
4. ✅ **Inconsistent with docker/build-push-action behavior** when `load: true`
5. ✅ **Similar patterns work** because they either:
- Pull from registry (test-image job)
- Load from artifact (verify-supply-chain-pr job)
### Fix Summary
**What Changed**: Use exact tag from `steps.meta.outputs.tags` instead of manually constructing it
**Why It Works**: The metadata action output is the authoritative source of tags applied by docker/build-push-action
**Risk Level**: **Low** - Read-only operation on existing step outputs
---
## Appendix B: Relevant Documentation
- [Docker Build-Push-Action - Load Option](https://github.com/docker/build-push-action#load)
- [Docker Metadata-Action - Outputs](https://github.com/docker/metadata-action#outputs)
- [Docker CLI - save command](https://docs.docker.com/engine/reference/commandline/save/)
- [GitHub Actions - Artifacts](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts)
- [Docker Buildx - Multi-platform builds](https://docs.docker.com/build/building/multi-platform/)
---
**END OF ANALYSIS & FIX PLAN**
**END OF INVESTIGATION**