feat(EC-1816): add multi-component stress benchmark by dheerajodha · Pull Request #3331 · conforma/cli · GitHub

feat(EC-1816): add multi-component stress benchmark#3331

Open
dheerajodha wants to merge 4 commits into conforma:main from dheerajodha:EC-1816

@dheerajodha

Contributor
  • Adds a stress benchmark under benchmark/stress/ that validates a multi-component snapshot with 35 workers, simulating the workload that caused the OOM incident (EC-1805)
  • Component count (EC_STRESS_COMPONENTS, default 10) and worker count (EC_STRESS_WORKERS, default 35) are parameterized via env vars for CI tuning
  • Reuses existing benchmark infrastructure (benchmark/internal/suite, registry, untar) and the same golden-container image data, duplicated across components at runtime

Resolves: EC-1816

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 4, 2026

Review

Findings

Low

  • [edge-case] benchmark/stress/stress.go:38 — The envInt function panics on invalid or non-positive environment variable values. This is consistent with the established pattern across all benchmark code (simple/simple.go uses panic identically, as does internal/untar/untar.go), so no change is required. A future improvement could use fmt.Fprintf(os.Stderr, ...) + os.Exit(1) for marginally better user experience on configuration errors.

Labels: PR adds Go benchmark/testing infrastructure under benchmark/stress/.

Previous run

Review

Findings

Medium

  • [stale-reference] benchmark/stress/stress.go:97 — The git source URL for golden-container uses the old organization name enterprise-contract (https://github.com/enterprise-contract/golden-container.git) while the rest of the codebase (simple benchmark, hack scripts) has migrated to https://github.com/conforma/golden-container. The git revision 8327c1ce7472b017b9396fe26d5d5e1ed0eb61cc also differs from the simple benchmark's 2dec8f515a64ef2f21ee3e7b1ed41da77a5c5a9a, suggesting it may reference a commit in the old repo that could become unavailable if the old repo is archived.
    Remediation: Use https://github.com/conforma/golden-container to match the existing simple benchmark pattern, and verify the revision hash exists in the conforma fork.

Low

  • [edge-case] benchmark/stress/stress.go:42 — The envInt function panics on values < 1 but does not guard against unreasonably large values. For EC_STRESS_COMPONENTS, an extremely large value would cause buildSnapshot to allocate a massive slice, likely causing an OOM before the benchmark runs. Minor robustness concern since this is a developer tool.

  • [incomplete-doc] benchmark/README.md — The benchmark README describes benchmarks generically but doesn't mention the new stress benchmark, its env vars (EC_STRESS_COMPONENTS, EC_STRESS_WORKERS), or its distinct purpose of simulating multi-component workloads.

Info

  • [pattern-violation] benchmark/stress/stress.go:119 — The policy JSON string in the stress benchmark is well-formed JSON (no trailing commas), while the simple benchmark's policy string contains trailing commas (invalid JSON). The stress benchmark is more correct here, but the inconsistency between benchmarks is notable.

Previous run (2)

Review

Findings

Low

  • [resource-leak] benchmark/stress/stress.go:68 — In setup(), if registry.Launch() fails, the temporary directory created by untar.UnTar() is never cleaned up. The panic exits without removing the temp dir. This matches the existing pattern in benchmark/simple/simple.go and the OS reclaims the directory on process exit, so practical risk is minimal.
    Remediation: Call os.RemoveAll(dir) before panicking on registry.Launch failure, or defer cleanup unconditionally.

  • [missing-input-validation] benchmark/stress/stress.go:52 — envInt accepts zero and negative values for EC_STRESS_COMPONENTS and EC_STRESS_WORKERS. Setting these to zero or negative values could produce confusing benchmark results.
    Remediation: Add a check that the returned value is at least 1.

Info

  • [sub-agent-failure] The style-conventions, intent-coherence, and docs-currency sub-agents did not return findings: model claude-sonnet-4-5@20250929 not available on the deployment. These are sonnet-tier dimensions; correctness (opus) completed successfully.

Previous run (3)

Review

Findings

Low

  • [edge-case] benchmark/stress/stress.go:56 — envInt does not validate that the returned integer is positive. Setting EC_STRESS_COMPONENTS=0 produces a snapshot with zero components, and EC_STRESS_WORKERS=0 or a negative value is passed directly to --workers. These degenerate inputs silently produce meaningless benchmark results rather than failing fast. Consider adding a lower-bound check (e.g., if n < 1 { panic(...) }).

Info

  • [design-direction] benchmark/stress/ — The stress benchmark is well-placed in the benchmark infrastructure alongside the existing simple benchmark. Both use golang.org/x/benchmarks/driver for performance measurement. If the goal evolves toward OOM reproduction/regression testing specifically, acceptance tests could complement this benchmark.
  • [sub-agent-gap] The style-conventions sub-agent could not access PR branch files. Manual inspection confirms the stress benchmark follows the established patterns from benchmark/simple/: identical setup()/Closer lifecycle, same driver.Parallel(n, 1, fn) shape, consistent license headers, and proper reuse of benchmark/internal/ packages.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 4, 2026
@codecov

codecov Bot commented Jun 4, 2026

Codecov Report

❌ Patch coverage is 0% with 80 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
benchmark/stress/stress.go 0.00% 80 Missing ⚠️
Flag Coverage Δ
acceptance 53.43% <ø> (-2.17%) ⬇️
generative 16.68% <0.00%> (-1.15%) ⬇️
integration 27.49% <0.00%> (+0.93%) ⬆️
unit 68.69% <0.00%> (-0.35%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
benchmark/stress/stress.go 0.00% <0.00%> (ø)

... and 14 files with indirect coverage changes

Add a stress benchmark under benchmark/stress/ that validates a
multi-component snapshot with configurable worker count, simulating
real-world release pipeline workloads that caused OOM (EC-1805).

- Component count controlled via EC_STRESS_COMPONENTS (default 10)
- Worker count controlled via EC_STRESS_WORKERS (default 35)
- Uses the same golden-container image as the simple benchmark,
  duplicated across components at runtime
- Reuses the existing benchmark/internal/suite harness
- Includes prepare_data.sh to regenerate offline data archive
- Automatically supported by make benchmark_stress via Makefile
  wildcard rules

Resolves: EC-1816

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 11, 2026

🤖 Finished Review · ✅ Success · Started 12:58 PM UTC · Completed 1:06 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jun 11, 2026
Pull pre-built data.tar.gz from quay.io/conforma/benchmark-data
in prepare_data.sh, falling back to upstream regeneration. Add
push_data.sh for uploading the archive.

Resolves: EC-1816

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions Bot added size: XL and removed size: L labels Jun 16, 2026
@fullsend-ai-review

🤖 Review · Started 12:25 PM UTC
Commit: 47d3320 · View workflow run →

Reject zero and negative values for EC_STRESS_COMPONENTS and
EC_STRESS_WORKERS to fail fast instead of producing meaningless
benchmark results.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dheerajodha dheerajodha marked this pull request as ready for review June 16, 2026 12:32
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 16, 2026

🤖 Finished Review · ✅ Success · Started 12:34 PM UTC · Completed 12:44 PM UTC
Commit: 47d3320 · View workflow run →

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@benchmark/stress/prepare_data.sh`:
- Around line 30-36: The oras pull command suppresses error output with
2>/dev/null and the script always falls back to regenerating from upstream on
failure, making CI runs non-reproducible and hiding infrastructure issues.
Remove the error suppression (2>/dev/null) from the oras pull command on line 30
and restructure the logic so that if the oras pull fails, the script exits with
an error rather than continuing to the regeneration fallback. This ensures
benchmark input remains deterministic and surfaces any Quay or authentication
failures instead of silently working around them.

In `@benchmark/stress/stress.go`:
- Around line 26-38: The imports in the stress.go file are not properly ordered
according to the gci formatting standards. Run the project's Go import
formatting tool (typically gci write or go fmt) on the stress.go file to
automatically reorder the imports into the correct grouping: standard library
imports first, followed by blank line, then third-party imports (like
golang.org/x/benchmarks), followed by blank line, then local package imports
(like github.com/conforma/cli). This will resolve the gci formatting check
failure.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 03e32d5c-c048-4271-92dd-eba0be016eaa

📥 Commits

Reviewing files that changed from the base of the PR and between c6df9ad and aa42a5a.

📒 Files selected for processing (3)
  • benchmark/stress/prepare_data.sh
  • benchmark/stress/push_data.sh
  • benchmark/stress/stress.go

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.

}

type snapshot struct {
Components []component `json:"components"`

[medium] stale-reference

The git source URL for golden-container uses the old organization name enterprise-contract (https://github.com/enterprise-contract/golden-container.git) while the rest of the codebase has migrated to https://github.com/conforma/golden-container. The git revision also differs from the simple benchmark, suggesting it may reference a commit in the old repo.

Suggested fix: Use https://github.com/conforma/golden-container to match the existing simple benchmark pattern, and verify the revision hash exists in the conforma fork.

Contributor

+1

Contributor Author

This is intentional. The git URL and revision come from the image's actual build attestation, the slsa_source_correlated policy check compares the snapshot's git source against what's in the attestation, and the attestation for sha256:166e38c records enterprise-contract/golden-container.git at revision 8327c1ce. Using conforma/golden-container would fail source correlation.

The simple benchmark actually has this bug, it uses the conforma URL with a different revision, which causes 3 violations. Which is fixed here in the stress benchmark. But I understand your concern about this file using reference from a deprecated quay repo. I'm thinking if it's worth finding an image with attestation that uses the latest quay repo instead.

Contributor

I see, then unless you can find such attestation with low effort, I'm fine with keeping the deprecated reference 👍
We can always come back to this once we actually deprecate it and the test will break
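
The source-correlation point made in this thread, as an added Go example (not code from the PR or from Conforma's policy rules): it checks a snapshot's git source against the materials recorded in a provenance attestation. The attestation is constructed from the URL and revisions quoted on this page; the SLSA v0.2 `materials` layout and the `git+`/`.git` normalization are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed provenance fragment (assumed SLSA v0.2 "materials" layout);
// the URL and revision are the ones quoted in this thread.
const attestationJSON = `{"predicate":{"materials":[{
  "uri":"git+https://github.com/enterprise-contract/golden-container.git",
  "digest":{"sha1":"8327c1ce7472b017b9396fe26d5d5e1ed0eb61cc"}}]}}`

type provenance struct {
	Predicate struct {
		Materials []struct {
			URI    string            `json:"uri"`
			Digest map[string]string `json:"digest"`
		} `json:"materials"`
	} `json:"predicate"`
}

// normalize drops the "git+" prefix and a trailing "/" or ".git" (assumed rule).
func normalize(u string) string {
	u = strings.TrimPrefix(u, "git+")
	return strings.TrimSuffix(strings.TrimSuffix(u, "/"), ".git")
}

// correlated reports whether the snapshot's git source matches a material
// recorded in the attestation, comparing both repository URL and revision.
func correlated(att []byte, url, revision string) (bool, error) {
	var p provenance
	if err := json.Unmarshal(att, &p); err != nil {
		return false, fmt.Errorf("parse attestation: %w", err)
	}
	for _, m := range p.Predicate.Materials {
		// An empty revision never matches, even if a material has no sha1 digest.
		if revision != "" && normalize(m.URI) == normalize(url) && m.Digest["sha1"] == revision {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	att := []byte(attestationJSON)
	a, _ := correlated(att, "https://github.com/enterprise-contract/golden-container.git", "8327c1ce7472b017b9396fe26d5d5e1ed0eb61cc")
	b, _ := correlated(att, "https://github.com/conforma/golden-container", "2dec8f515a64ef2f21ee3e7b1ed41da77a5c5a9a")
	fmt.Println("attested source:", a, "renamed repo:", b)
}
```

The renamed repository fails on both the URL and the revision, which is why the snapshot has to carry the source the attestation actually recorded.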

Comment thread benchmark/stress/stress.go
if err != nil {
panic(err)
}
return string(data)

[info] pattern-violation

The policy JSON string uses well-formed JSON (no trailing commas) while the simple benchmark has trailing commas. The stress benchmark is more correct, but the inconsistency is notable.

Contributor Author

Ooooh I love this side of Claude, it said:

Skipping. The simple benchmark's trailing commas are a pre-existing bug there, not something to replicate here. Being correct isn't a pattern violation.

💅

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed ready-for-merge All reviewers approved — ready to merge labels Jun 16, 2026
st3penta previously approved these changes Jun 22, 2026

@st3penta st3penta left a comment

Contributor

just one comment, but overall LGTM

Comment thread benchmark/stress/stress.go Outdated
if err := suite.Execute([]string{
"validate",
"image",
"--json-input",

Contributor

--json-input is marked DEPRECATED in cmd/validate/image.go. The replacement --images accepts the same format. benchmark/simple/simple.go:100 also uses --json-input, so worth updating both if you switch.

Suggested change
"--json-input",
"--images",

Contributor Author

Good point, thank you! Fixed

Replace deprecated --json-input with --images, add benchmark listing
to README.

Resolves: EC-1816

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 30, 2026

🤖 Finished Review · ✅ Success · Started 1:06 PM UTC · Completed 1:18 PM UTC
Commit: 47d3320 · View workflow run →

[low] edge-case

The envInt function panics on invalid or non-positive environment variable values. This is consistent with the established pattern across all benchmark code (simple/simple.go, internal/untar/untar.go), so no change is required. A future improvement could use fmt.Fprintf(os.Stderr, ...) + os.Exit(1) for better user experience on configuration errors.
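
The checks the review findings raise for envInt, combined in one added Go example (not the PR's own envInt, which is not shown on this page): a lower bound, an upper bound, and an error on stderr with exit code 1 instead of a panic. The ceilings `maxComponents` and `maxWorkers` and the three-argument signature are hypothetical; the variable names and defaults are the ones the PR description gives.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// Hypothetical ceilings chosen for this example; the PR defines none.
const (
	maxComponents = 1000
	maxWorkers    = 256
)

// envInt returns the integer held in the environment variable name, or def
// when the variable is unset or empty. Non-numeric values and values outside
// [1, limit] are rejected so a typo cannot size a huge snapshot slice.
func envInt(name string, def, limit int) (int, error) {
	raw, ok := os.LookupEnv(name)
	if !ok || raw == "" {
		return def, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("%s=%q is not an integer", name, raw)
	}
	if n < 1 || n > limit {
		return 0, fmt.Errorf("%s=%d is outside the allowed range 1..%d", name, n, limit)
	}
	return n, nil
}

func main() {
	components, err1 := envInt("EC_STRESS_COMPONENTS", 10, maxComponents)
	workers, err2 := envInt("EC_STRESS_WORKERS", 35, maxWorkers)
	for _, err := range []error{err1, err2} {
		if err != nil {
			// Report configuration errors without a stack trace.
			fmt.Fprintln(os.Stderr, "configuration error:", err)
			os.Exit(1)
		}
	}
	fmt.Printf("components=%d workers=%d\n", components, workers)
}
```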

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed requires-manual-review Review requires human judgment labels Jun 30, 2026
@fullsend-ai-review fullsend-ai-review Bot added go Pull requests that update Go code testing labels Jun 30, 2026