
ci: validate rendered talos/ patches pre-merge so bad machine config fails the PR, not the merge group #2477

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem

Machine-config errors in talos/** patches surface only in the merge_group's 🚀 Deploy to Prod (ksail cluster update), after promotion, atomically, evicting the PR from the queue. Live case: #2462 was evicted because its ${WG_SERVER_PRIVATE_KEY} env-expansion rendered empty in CI (private key is invalid: wrong key "" length: 0); nothing on the PR event renders the Talos patches at all.

Proposed direction

Add a PR-event CI step that renders the Talos machine config with the patches applied (via ksail, with placeholder-but-valid values for env-expanded secrets, e.g. a generated throwaway WireGuard key) and validates it (talosctl validate or ksail's own validation), scoped to run when talos/** changes. It must fail fast on empty/invalid env-expansions.

Acceptance criteria

  • A PR touching talos/** with an invalid or unexpandable patch goes red on the PR event, before promotion/queueing.
  • No real secrets are needed on the PR event (placeholder key material suffices for schema validation).
  • Documented in AGENTS.md's validate guidance.

(Origin: CodeRabbit outside-diff-range finding on #2462.)
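As an added example (not the repository's own CI code), a shell preflight for the PR-event step described above: it exports throwaway-but-valid WireGuard key material, fails fast when any `${VAR}` referenced by a talos/** patch is unset or empty (the condition that evicted #2462), and then renders and validates. The `RENDER_CMD` hook, the `--mode metal` flag, and the `wg genkey`/`openssl` placeholder generation are assumptions; substitute the project's ksail render invocation.

```shell
# Added example (not the project's own CI code): preflight for talos/** patches.
set -eu

# List every ${VAR} referenced by the patch files under a directory, de-duplicated.
referenced_vars() {
  grep -rhoE '\$\{[A-Za-z_][A-Za-z0-9_]*\}' "$1" 2>/dev/null \
    | tr -d '${}' | sort -u
}

# Return 0 if every referenced variable is set and non-empty; otherwise report
# each offender (it would render as "") and return 1. This catches the #2462 case.
check_env_expansions() {
  local dir="$1" missing=0 var val
  for var in $(referenced_vars "$dir"); do
    eval "val=\${$var:-}"   # POSIX-portable indirect expansion
    if [ -z "$val" ]; then
      echo "error: \${$var} is unset or empty; it would render as \"\"" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Export placeholder key material so schema validation can run on the PR event
# without real secrets. `wg genkey` yields a valid key; the openssl fallback
# produces base64 of the same length (assumed sufficient for schema checks).
placeholder_secrets() {
  if command -v wg >/dev/null 2>&1; then
    WG_SERVER_PRIVATE_KEY="$(wg genkey)"
  else
    WG_SERVER_PRIVATE_KEY="$(openssl rand -base64 32)"
  fi
  export WG_SERVER_PRIVATE_KEY
}

# Full preflight: placeholders -> expansion check -> render -> validate.
# RENDER_CMD is an assumed hook that writes the patched machine config to stdout.
validate_talos_patches() {
  local dir="${1:-talos}" out="${2:-/tmp/rendered-machineconfig.yaml}"
  placeholder_secrets
  check_env_expansions "$dir"
  ${RENDER_CMD:?set RENDER_CMD to the ksail render command} "$dir" > "$out"
  talosctl validate --config "$out" --mode metal
}
```

Wire `validate_talos_patches talos` into a PR-event job filtered on `talos/**` paths; the expansion check alone needs neither talosctl nor ksail and can run first.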

    Status
    ✅ Done