ci: fix lint on push/schedule and bake orchestrator test runtime image

[renecannao]

Summary

• Lint job (main.yml): gated to pull_request / workflow_dispatch. With only-new-issues: true, golangci-lint needs a PR base to diff against; on push/schedule every pre-existing issue is flagged as new and the job fails. Every scheduled run since April 9 has been red for this reason.
• Functional tests: orchestrator containers ran apt-get update && apt-get install curl sqlite3 > /dev/null 2>&1 inside the 120s readiness window with output silenced, causing flaky "Orchestrator not ready" timeouts across the matrix (mysql 9.2/9.5/9.6, postgresql 15/17, raft). Moved the apt step into a pre-baked orchestrator-runtime:latest image built once per job; the orchestrator/orchestrator-pg/orchestrator-raft1..3 services now just run the binary.

Locally, orchestrator readiness drops from a 120s timeout to ~1s and the smoke suite passes 26/26.

Test plan

• CI workflow green on this PR (lint compares against master base and passes)
• Functional Tests workflow green on this PR across the full matrix (mysql 5.7/8.0/8.4/9.0/9.2/9.5/9.6, postgresql 15/16/17, raft)
• After merge, scheduled CI runs stop failing on the lint job

Summary by CodeRabbit

• Chores
  • Optimized test infrastructure by introducing a pre-built Docker image for functional tests, reducing build time and dependencies.
  • Updated continuous integration workflow to run linting checks conditionally on pull requests and manual triggers, improving workflow efficiency.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes introduce a custom Docker runtime image (orchestrator-runtime:latest) that pre-installs test dependencies (curl, sqlite3, ca-certificates) based on ubuntu:24.04. The functional test workflow is updated to build this image before running tests, and the docker-compose configuration is modified to use this image instead of ubuntu directly, shifting dependency installation from runtime to build-time. The lint job is conditionally gated to execute only on pull requests or manual workflow triggers.

Changes

Cohort / File(s)	Summary
CI Workflow Configuration .github/workflows/functional.yml, .github/workflows/main.yml	Added Docker build step for orchestrator-runtime image in functional test jobs; added conditional execution guard to lint job to run only on pull_request or workflow_dispatch events.
Docker Image and Compose Setup tests/functional/orchestrator-runtime.Dockerfile, tests/functional/docker-compose.yml	Created new Dockerfile installing curl, sqlite3, and ca-certificates on ubuntu:24.04; updated all orchestrator services to use orchestrator-runtime:latest image and removed inline dependency installation from container startup commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• CI: MySQL version matrix (5.7-9.6) and named channels tests #85: Directly modifies the same Docker build and docker-compose services for the orchestrator-runtime image.
• CI: Add behavioral validation tests for topology, problems, and operations #91: Adds functional test steps that execute within the modified functional test workflow.

Poem

🐰 A rabbit hops through Docker layers,
Pre-baking deps to skip the prayers,
No more delays when tests commence,
Just lightning-fast resilience! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes both main changes: fixing lint on push/schedule and baking a Docker runtime image for orchestrator tests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci-fix-lint-and-functional-startup

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a custom Docker image, orchestrator-runtime, for functional testing, moving the installation of dependencies like curl and sqlite3 from the container startup command to a dedicated Dockerfile. This change streamlines the docker-compose.yml configuration for several orchestrator services. Feedback suggests adding a build section to the orchestrator service in the Compose file to automatically build the runtime image if it is missing locally, improving the developer experience.

[gemini-code-assist]

To improve the local development experience, consider adding a build section to the orchestrator service. This allows docker-compose up to automatically build the orchestrator-runtime image using the provided Dockerfile if it doesn't exist locally, rather than failing with an image not found error. Since other services in this file share the same image name, defining the build context once here is sufficient for a full stack startup.

    build:
      context: .
      dockerfile: orchestrator-runtime.Dockerfile
    image: orchestrator-runtime:latest

[coderabbitai]

🧹 Nitpick comments (1)

tests/functional/orchestrator-runtime.Dockerfile (1)

1-5: Harden the runtime image by dropping root privileges.

This image currently runs as root. Adding a dedicated non-root user improves baseline container security with minimal cost.

🔧 Proposed hardening diff

 FROM ubuntu:24.04
 
 RUN apt-get update \
  && apt-get install -y --no-install-recommends curl sqlite3 ca-certificates \
  && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --create-home --shell /usr/sbin/nologin orchestrator
+USER orchestrator

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/functional/orchestrator-runtime.Dockerfile` around lines 1 - 5, Add a
non-root user and switch to it in the Dockerfile: create a dedicated user/group
(e.g., "orchestrator") and home directory, chown any runtime-required
directories/files (for example those created or used by the apt installs or
later runtime artifacts), and add a USER instruction before the image final
layer so the container no longer runs as root; reference the existing FROM
ubuntu:24.04 and the RUN apt-get ... lines to locate where to insert the
user/group creation, chown, and USER orchestrator statements and ensure the new
user has a non-login shell and limited privileges.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/functional/orchestrator-runtime.Dockerfile`:
- Around line 1-5: Add a non-root user and switch to it in the Dockerfile:
create a dedicated user/group (e.g., "orchestrator") and home directory, chown
any runtime-required directories/files (for example those created or used by the
apt installs or later runtime artifacts), and add a USER instruction before the
image final layer so the container no longer runs as root; reference the
existing FROM ubuntu:24.04 and the RUN apt-get ... lines to locate where to
insert the user/group creation, chown, and USER orchestrator statements and
ensure the new user has a non-login shell and limited privileges.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 22c86548-cfea-4b89-95c0-6c6605aea8e6

📥 Commits

Reviewing files that changed from the base of the PR and between 42c66d3 and d7824d5.

📒 Files selected for processing (4)

• .github/workflows/functional.yml
• .github/workflows/main.yml
• tests/functional/docker-compose.yml
• tests/functional/orchestrator-runtime.Dockerfile