feat(EC-1816): add multi-component stress benchmark#3331
Conversation
ReviewFindingsLow
Labels: PR adds Go benchmark/testing infrastructure under benchmark/stress/. Previous runReviewFindingsMedium
Low
Info
Previous run (2)ReviewFindingsLow
Info
Previous run (3)ReviewFindingsLow
Info
|
Codecov Report❌ Patch coverage is
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 14 files with indirect coverage changes 🚀 New features to boost your workflow:
|
Add a stress benchmark under benchmark/stress/ that validates a multi-component snapshot with configurable worker count, simulating real-world release pipeline workloads that caused OOM (EC-1805). - Component count controlled via EC_STRESS_COMPONENTS (default 10) - Worker count controlled via EC_STRESS_WORKERS (default 35) - Uses the same golden-container image as the simple benchmark, duplicated across components at runtime - Reuses the existing benchmark/internal/suite harness - Includes prepare_data.sh to regenerate offline data archive - Automatically supported by make benchmark_stress via Makefile wildcard rules Resolves: EC-1816 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
🤖 Finished Review · ✅ Success · Started 12:58 PM UTC · Completed 1:06 PM UTC |
Pull pre-built data.tar.gz from quay.io/conforma/benchmark-data in prepare_data.sh, falling back to upstream regeneration. Add push_data.sh for uploading the archive. Resolves: EC-1816 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
🤖 Review · Started 12:25 PM UTC |
Reject zero and negative values for EC_STRESS_COMPONENTS and EC_STRESS_WORKERS to fail fast instead of producing meaningless benchmark results. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
🤖 Finished Review · ✅ Success · Started 12:34 PM UTC · Completed 12:44 PM UTC |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@benchmark/stress/prepare_data.sh`:
- Around line 30-36: The oras pull command suppresses error output with
2>/dev/null and the script always falls back to regenerating from upstream on
failure, making CI runs non-reproducible and hiding infrastructure issues.
Remove the error suppression (2>/dev/null) from the oras pull command on line 30
and restructure the logic so that if the oras pull fails, the script exits with
an error rather than continuing to the regeneration fallback. This ensures
benchmark input remains deterministic and surfaces any Quay or authentication
failures instead of silently working around them.
In `@benchmark/stress/stress.go`:
- Around line 26-38: The imports in the stress.go file are not properly ordered
according to the gci formatting standards. Run the project's Go import
formatting tool (typically gci write or go fmt) on the stress.go file to
automatically reorder the imports into the correct grouping: standard library
imports first, followed by blank line, then third-party imports (like
golang.org/x/benchmarks), followed by blank line, then local package imports
(like github.com/conforma/cli). This will resolve the gci formatting check
failure.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 03e32d5c-c048-4271-92dd-eba0be016eaa
📒 Files selected for processing (3)
benchmark/stress/prepare_data.shbenchmark/stress/push_data.shbenchmark/stress/stress.go
| } | ||
|
|
||
| type snapshot struct { | ||
| Components []component `json:"components"` |
There was a problem hiding this comment.
[medium] stale-reference
The git source URL for golden-container uses the old organization name enterprise-contract (https://github.com/enterprise-contract/golden-container.git) while the rest of the codebase has migrated to https://github.com/conforma/golden-container. The git revision also differs from the simple benchmark, suggesting it may reference a commit in the old repo.
Suggested fix: Use https://github.com/conforma/golden-container to match the existing simple benchmark pattern, and verify the revision hash exists in the conforma fork.
There was a problem hiding this comment.
This is intentional. The git URL and revision come from the image's actual build attestation, the slsa_source_correlated policy check compares the snapshot's git source against what's in the attestation, and the attestation for sha256:166e38c records enterprise-contract/golden-container.git at revision 8327c1ce. Using conforma/golden-container would fail source correlation.
The simple benchmark actually has this bug, it uses the conforma URL with a different revision, which causes 3 violations. Which is fixed here in the stress benchmark. But I understand your concern about this file using reference from a deprecated quay repo. I'm thinking if it's worth finding an image with attestation that uses the latest quay repo instead.
There was a problem hiding this comment.
I see, then unless you can find such attestation with low effort, i'm fine with keeping the deprecated reference 👍
We can always come back to this once we actually deprecate it and the test will break
| if err != nil { | ||
| panic(err) | ||
| } | ||
| return string(data) |
There was a problem hiding this comment.
[info] pattern-violation
The policy JSON string uses well-formed JSON (no trailing commas) while the simple benchmark has trailing commas. The stress benchmark is more correct, but the inconsistency is notable.
There was a problem hiding this comment.
Ooooh I love this side of Claude, it said:
Skipping. The simple benchmark's trailing commas are a pre-existing bug there, not something to replicate here. Being correct isn't a pattern violation.
💅
st3penta
left a comment
There was a problem hiding this comment.
just one comment, but overall LGTM
| if err := suite.Execute([]string{ | ||
| "validate", | ||
| "image", | ||
| "--json-input", |
There was a problem hiding this comment.
--json-input is marked DEPRECATED in cmd/validate/image.go. The replacement --images accepts the same format. benchmark/simple/simple.go:100 also uses --json-input, so worth updating both if you switch.
| "--json-input", | |
| "--images", |
There was a problem hiding this comment.
Good point, thank you! Fixed
Replace deprecated --json-input with --images, add benchmark listing to README. Resolves: EC-1816 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
🤖 Finished Review · ✅ Success · Started 1:06 PM UTC · Completed 1:18 PM UTC |
There was a problem hiding this comment.
[low] edge-case
The envInt function panics on invalid or non-positive environment variable values. This is consistent with the established pattern across all benchmark code (simple/simple.go, internal/untar/untar.go), so no change is required. A future improvement could use fmt.Fprintf(os.Stderr, ...) + os.Exit(1) for better user experience on configuration errors.

benchmark/stress/that validates a multi-component snapshot with 35 workers, simulating the workload that caused the OOM incident (EC-1805)EC_STRESS_COMPONENTS, default 10) and worker count (EC_STRESS_WORKERS, default 35) are parameterized via env vars for CI tuningbenchmark/internal/suite, registry, untar) and the same golden-container image data, duplicated across components at runtimeResolves: EC-1816