feat: tiered CI pipeline with self-hosted runner (#44)#51
Merged
jh-lee-cryptolab merged 10 commits into main (Apr 7, 2026)
Terraform config and bootstrap script for a GitHub Actions self-hosted runner on OCI Compute (VM.Standard.E5.Flex, 2 OCPU / 8 GB). Installs Docker CE and registers the runner with labels self-hosted + vault-ci. Supports 3 concurrent jobs. Node.js 24 forced for GitHub Actions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Single-job CI on self-hosted vault-ci runner: format:check → lint → test (unit + integration). Docker build + smoke test on push to main only. Uses .mise.ci.toml via MISE_ENV=ci. Adds curl to Dockerfile runtime. Switches docker-publish.yml to self-hosted runner. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Delete test_crypto.py (7) and integration/test_vault_api.py (5) which tested pyenvector, not vault logic. Trim test_public_key.py (7→3). Update mise test task to include integration tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixture generation script captures real CiphertextScore blobs from enVector Cloud and AES metadata envelopes. Fixtures committed so CI runs without cloud access. Tests verify _decrypt_scores_impl (protobuf → FHE decrypt → top-K) and _decrypt_metadata_impl (HKDF → AES). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
EMBEDDING_DIM (384) and FHE_DIM (1024) were incorrectly separated. pyenvector Cipher dim is the vector dimension, not a crypto parameter. Unify to a single DIM=768, fix index.delete_index() → index.drop(), and regenerate all test fixtures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Unify EMBEDDING_DIM/FHE_DIM to single DIM=768
- Generate document vectors with controlled query similarity (0.3~0.9)
- Use randn + L2 normalize for realistic cosine similarity distribution
- Clean up stale server keys/index before regeneration
- Fix index cleanup: delete_index() → drop()
- Regenerate all fixtures with dim=768
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The current fixture setup documents the input and output formats. Given that security is critical for this repository, I wonder whether exposing this level of detailed sample data is appropriate.
heeyeon01
reviewed
Apr 7, 2026
- Add tests/fixtures.tar.gz.gpg (AES256 symmetric encryption)
- Add tests/fixtures/ to .gitignore (plaintext decrypted at test time)
- Add mise tasks: fixtures:decrypt, fixtures:encrypt
- GPG passphrase managed via FIXTURES_GPG_PASSPHRASE env / GitHub secret
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove public SSH access (0.0.0.0/0:22) and ssh_authorized_keys from CI runner instance. Access via OCI Cloud Shell instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sunchuljung
reviewed
Apr 7, 2026
Contributor
Author
@heeyeon01 Thanks for the review. All the fixtures are now encrypted with a gpg key for security.
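The fixtures:encrypt / fixtures:decrypt flow the commit above describes, as an added example that is not the project's own mise tasks. The archive path, the tests/fixtures/ directory and the FIXTURES_GPG_PASSPHRASE variable come from the PR; feeding the passphrase to gpg on stdin rather than on the command line is this example's own choice, so it never shows up in process listings on the shared runner.

```shell
#!/bin/sh
# Added example, not the project's own mise tasks: fixtures:encrypt / fixtures:decrypt
# as two shell functions. Paths and FIXTURES_GPG_PASSPHRASE are the PR's; reading the
# passphrase from fd 0 instead of passing --passphrase on argv is this example's choice.
set -eu

FIXTURES_DIR="${FIXTURES_DIR:-tests/fixtures}"                      # plaintext, gitignored
FIXTURES_ARCHIVE="${FIXTURES_ARCHIVE:-tests/fixtures.tar.gz.gpg}"  # committed blob

require_passphrase() {
  # Fail fast with a clear message instead of letting gpg prompt (and hang) in CI.
  if [ -z "${FIXTURES_GPG_PASSPHRASE:-}" ]; then
    echo "FIXTURES_GPG_PASSPHRASE is not set (GitHub secret on CI, env var locally)" >&2
    return 1
  fi
}

# gpg invocation shared by both directions: batch mode, loopback pinentry,
# passphrase read from stdin, remaining arguments appended by the caller.
gpg_with_passphrase() {
  printf '%s\n' "$FIXTURES_GPG_PASSPHRASE" |
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 "$@"
}

fixtures_encrypt() {
  require_passphrase || return 1
  tmp=$(mktemp)
  rc=0
  # tar the fixture directory, then AES256-encrypt the tarball into the committed blob.
  tar -czf "$tmp" -C "$(dirname "$FIXTURES_DIR")" "$(basename "$FIXTURES_DIR")" &&
    gpg_with_passphrase --symmetric --cipher-algo AES256 \
      --output "$FIXTURES_ARCHIVE" "$tmp" || rc=$?
  rm -f "$tmp"   # never leave the plaintext tarball behind, even on failure
  return $rc
}

fixtures_decrypt() {
  require_passphrase || return 1
  tmp=$(mktemp)
  rc=0
  # Decrypt to a temp file, then unpack next to the archive (restores tests/fixtures/).
  gpg_with_passphrase --decrypt --output "$tmp" "$FIXTURES_ARCHIVE" &&
    mkdir -p "$(dirname "$FIXTURES_DIR")" &&
    tar -xzf "$tmp" -C "$(dirname "$FIXTURES_DIR")" || rc=$?
  rm -f "$tmp"
  return $rc
}
```

Run `fixtures_encrypt` after regenerating fixtures and `fixtures_decrypt` as the first step of the CI test job; both return non-zero without touching the archive when the passphrase is missing.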
Context
No automated test execution on PRs — tests run manually before merging. Regressions can slip through undetected.
TL;DR
Self-hosted CI runner on OCI + GitHub Actions workflow for automated lint, test, and Docker build. Test suite cleaned up to focus on vault logic only, with fixture-based integration tests for the decrypt pipeline.
Summary
- Add GitHub Actions workflow (ci.yml) with check job (format → lint → test) and build-image job (main push only)
- Add mise.ci.toml for CI-minimal toolset (python/buf/ruff only) via MISE_ENV=ci
- Switch docker-publish.yml to self-hosted runner
- Delete pyenvector-only tests (test_crypto.py) and trim test_public_key.py — unit tests now verify vault logic only
- Add fixture generation script (scripts/generate-test-fixtures.py) that captures real CiphertextScore blobs from enVector Cloud
- Add fixture-based integration tests for _decrypt_scores_impl (protobuf → FHE decrypt → top-K) and _decrypt_metadata_impl (HKDF → AES decrypt)
Alternatives
- ubuntu-latest runners: rejected — all CI on self-hosted for consistent environment and no per-minute billing
Test plan
Closes #44