Skip to content

Open-source readiness: legal, branding, docs, CI, community files#248

Merged
blue4209211 merged 10 commits into
chore/rename-binary-to-nudgebeefrom
chore/opensource-readiness
May 22, 2026
Merged

Open-source readiness: legal, branding, docs, CI, community files#248
blue4209211 merged 10 commits into
chore/rename-binary-to-nudgebeefrom
chore/opensource-readiness

Conversation

@mayankpande88

@mayankpande88 mayankpande88 commented May 21, 2026

Copy link
Copy Markdown
Contributor

Stacked on top of #247 (chore/rename-binary-to-nudgebee). After #247
merges, GitHub will auto-rebase this PR onto main.

Summary

Prepares the repo to be made public as an Apache-2.0 fork of
coroot/coroot-node-agent.
8 focused commits, grouped so reviewers can step through one concern
at a time:

Commit Concern
baefecb Add NOTICE, SECURITY, COC, CHANGELOG, GPL-2 text; replace .gitignore; drop stray binaries heap.prof + github-labeler-0.0.2
ec667bb Scrub real credentials and internal identifiers from ebpftracer/l7/l7_test.go fixtures
b9c5508 Rebrand self-identification strings (job label, User-Agent, OTel service, systemd unit, install.sh) — Go module path intentionally kept as github.com/coroot/coroot-node-agent
56c03e7 Rename DaemonSet manifest, namespace, image reference
25bb8fc Rewrite README + CONTRIBUTING with upstream attribution
4c24e3c Make NUDGEBEE_* opt-out env vars canonical; keep COROOT_* for back-compat
f9d9a4d .github/ community files (CODEOWNERS, PR/issue templates, dependabot) + CI gitleaks job + drop historical /containers test exclusion
6ff5c21 docs/llm-observability.md + docs/ip-fqdn-resolver.md

Key decisions

  • Module path stays as github.com/coroot/coroot-node-agent.
    We ship as a Docker image / manifest, not as a Go library, so
    go install against our repo URL is not a supported user journey.
    Keeping the upstream path minimises rebase friction against
    upstream forever.
  • No per-file SPDX headers on eBPF C sources. The runtime
    char _license[] SEC("license") = "GPL"; declaration in
    ebpftracer/ebpf/ebpf.c (what the kernel verifier actually
    checks) plus the project-level NOTICE and README declarations
    are sufficient. Per-file SPDX would only matter for REUSE
    compliance / per-file license scanners, neither of which we
    pursue today, and would add rebase friction against upstream
    forever.
  • Cross-product detection preserved. containers/app.go still
    recognises coroot, coroot-ee, coroot-cluster-agent,
    coroot-operator; nudgebee equivalents are added on top.
  • Captured fixtures are now fully synthetic. Old
    ebpftracer/l7/l7_test.go contained a real AWS account ID, EKS
    OIDC cluster ID, AWS STS session credentials, a K8s ServiceAccount
    JWT, a Chatwoot session cookie, and our staging hostname. Replaced
    with AKIAIOSFODNN7EXAMPLE, example.com, redaction placeholders.
    Parser assertions updated to match; behaviour unchanged.
  • NUDGEBEE_* env vars are canonical, COROOT_* still works.
    Operators that have already set COROOT_LOG_MONITORING=disabled
    on their pods don't have to migrate same-day.

Still pending before flipping the repo public

  • Git history rewrite (destructive, separate operation). The
    scrubbed secret strings and the heap.prof / github-labeler-0.0.2
    blobs are still in commit history. git filter-repo will purge
    them in a separate force-push to main; that step rewrites every
    commit SHA and cannot be reviewed as a PR.
  • GitHub UI: description, topics, disable Wiki, enable
    Discussions, Dependabot security alerts + secret scanning + CodeQL.
  • Decide release versioning for the OSS debut (continue from
    current tag stream, or reset to v1.0.0).
  • Confirm security@nudgebee.com is monitored.

Test plan

  • gofmt -l . clean
  • goimports -l . clean
  • go vet ./... (darwin: pinger / sdjournal / cilium-bpf
    are Linux-only and don't build, expected)
  • go test ./common/ ./ebpftracer/l7/ ./flags/ pass
  • Full Linux docker build succeeds for amd64/arm64
  • CI on this PR (gofmt, goimports, vet, full go test ./...,
    build, gitleaks)
  • Manual: deploy to a kind cluster, scrape :80/metrics, verify
    job="nudgebee-node-agent" label

Add the project metadata required for an Apache-2 OSS release derived
from coroot/coroot-node-agent:

- NOTICE: attribution to upstream coroot/coroot-node-agent and
  declaration that eBPF C code is GPL-2.0
- SECURITY.md: private disclosure policy
- CODE_OF_CONDUCT.md: Contributor Covenant 2.1
- CHANGELOG.md: keep-a-changelog seed
- LICENSES/GPL-2.0.txt: full GPL-2.0 text (eBPF probes)

Replace the two-line .gitignore with a real Go ignore covering build
artifacts, profiles, IDE state, and eBPF objects.

Remove two binaries accidentally committed to the repo root:
heap.prof (a stray pprof dump) and github-labeler-0.0.2 (an unrelated
third-party tool, 18.6 MB). The blobs remain in history and will be
purged in a separate filter-repo pass before the repo is made public.
The HTTP test fixtures in ebpftracer/l7/l7_test.go were captured from
live production traffic and contained:

  - real (now-expired) AWS STS session credentials with our account ID
    280501305789 embedded in the security-token blob
  - a real Kubernetes ServiceAccount JWT that exposed our EKS cluster
    OIDC issuer ID and the nudgebee-agent service-account name
  - a real S3 path referencing internal bucket nudgebee-dev-loki-logs
  - a captured Chatwoot session cookie and internal staging hostname
    test.nudgebee.pollux.in
  - internal pod IPs and a VictoriaMetrics remote-write body with
    cluster/karpenter labels

Replace every fixture with synthetic data (AWS's documented
AKIAIOSFODNN7EXAMPLE access key, example.com hostnames, zeroed
signatures, fully redacted tokens). The parser assertions are updated
to match; the parsing path/host/method behaviour is unchanged.

Note: the blobs remain in git history and will be purged in a separate
filter-repo pass before the repo is made public.
When the agent identifies itself to other systems, it now says
"nudgebee-node-agent" instead of "coroot-node-agent":

  - prom/remote_writer.go: Prometheus job label and outbound User-Agent
  - logs/otel.go: OpenTelemetry service name and logger name
  - install.sh: SYSTEM_NAME, systemd unit Description and Documentation;
    also fix the download URL to point at github.com/nudgebee/node-agent
    and match the release-workflow artifact pattern
    <binary>-<semver>-<arch>
  - Dockerfile.alpine: binary output name and runtime image paths
  - test_pods_metrics.sh: make namespace, label, and base port
    configurable via env vars (with nudgebee-friendly defaults)

containers/app.go is left alone for the upstream coroot-* entries
(they let us label coroot installs running alongside us), but
nudgebee-node-agent and nudgebee-cluster-agent are added so we
self-detect cleanly.

Note: this changes the `job` label on metrics from coroot-node-agent
to nudgebee-node-agent. Downstream dashboards and alerts must be
updated accordingly; this is also recorded in CHANGELOG.md.
Rename manifests/coroot-node-agent.yaml to nudgebee-node-agent.yaml.
Update:
  - Namespace: coroot -> nudgebee
  - Labels and container/DaemonSet name -> nudgebee-node-agent
  - Image: ghcr.io/coroot/coroot-node-agent -> ghcr.io/nudgebee/node-agent
  - Pin to :latest with imagePullPolicy: IfNotPresent

Users with existing dashboards keyed on the old labels will need
to update their selectors.
README:
  - Retitle to "Nudgebee Node Agent" with upstream attribution
  - Update badges to point at the new module path
  - Restructure features into "inherited from upstream" and "added in
    this fork", calling out LLM observability, IP-to-FQDN resolver,
    enhanced L7 detection, PSI metrics, and stability work
  - Replace coroot install/docs links with our k8s manifest,
    install.sh, and ghcr image references (keeping links to upstream
    metric documentation where we haven't yet duplicated it)
  - Add Security section pointing at SECURITY.md
  - Reference NOTICE and the GPL-2.0 LICENSES/ entry for eBPF

CONTRIBUTING:
  - Drop the "thank you for contributing to Coroot" wording
  - Document the eBPF rebuild workflow (cd ebpftracer && make build) —
    the main Dockerfile only runs go build, so this is easy to miss
  - List Go and Linux/library requirements explicitly
  - Brief module layout overview to orient new contributors

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request transforms the repository into the Nudgebee Node Agent, a fork of the Coroot node agent. Key enhancements include an LLM observability pipeline for monitoring AI API traffic, an IP-to-FQDN resolver for network flow enrichment, and support for Pressure Stall Information (PSI) metrics. The PR also updates the project's branding, documentation, and installation scripts. Reviewer feedback highlights opportunities to improve the uninstallation process by cleaning up legacy files, enhance security by adding Pod Security Admission labels to the Kubernetes namespace, and improve deployment reliability by avoiding the ":latest" image tag.

Comment thread install.sh Outdated
Comment thread manifests/nudgebee-node-agent.yaml
Comment thread manifests/nudgebee-node-agent.yaml Outdated
  - proc/flags.go: accept both NUDGEBEE_EBPF_PROFILING /
    NUDGEBEE_LOG_MONITORING / NUDGEBEE_EBPF_TRACES (canonical going
    forward) and COROOT_* (backwards compatible) on the env of
    monitored processes. The COROOT_* names are a public opt-out
    contract that may already be set on user workloads; recognise
    both to avoid forcing a same-day migration.
  - containers/container.go: update the corresponding log message to
    reference the new canonical name
  - flags/flags.go: rewrite the --api-key flag help text from
    "Coroot API key" to "API key for the upstream collector"
Community files (.github/):
  - CODEOWNERS: default reviewers; closer review for eBPF + release surface
  - PULL_REQUEST_TEMPLATE.md: forces contributors to declare eBPF
    regeneration, secrets-in-fixtures check, and CHANGELOG updates
  - ISSUE_TEMPLATE/bug.yml: structured bug report with redaction reminder
  - ISSUE_TEMPLATE/feature.yml: feature-request form
  - ISSUE_TEMPLATE/config.yml: disable blank issues; route security
    reports to GitHub Security Advisories, questions to Discussions
  - dependabot.yml: weekly gomod + actions + docker updates, with
    grouped OTel/k8s/prometheus PRs to reduce noise

CI hardening (.github/workflows/ci.yml):
  - Drop the historical /containers test exclusion. The only test in
    containers/ is llm_test.go, 67 lines of pure provider-detection
    logic with no system deps. Linux CI builds the package today via
    the binary build step, so test coverage is the only thing missing.
  - Add a separate "Secret scan" job running gitleaks-action against
    full history (fetch-depth: 0). Prevents the kind of credentials
    we just scrubbed from being reintroduced. .gitleaks.toml allowlist
    covers the AWS-documented AKIAIOSFODNN7EXAMPLE key and the
    EXAMPLE_*_REDACTED placeholders used in test fixtures.
  - Set explicit `permissions: contents: read` for least-privilege.
Document the two headline nudgebee-original features. Both pages
mirror the structure used by upstream coroot docs: what it does, how
detection works, what metrics/labels are emitted, sample PromQL,
known limitations.

  - docs/llm-observability.md: provider matrix, the three-signal
    detection pipeline (DNS cache, TLS SNI, late HTTP-header tag),
    OTel-GenAI-aligned metric names, cost model from
    containers/llm_pricing.go, and the HTTP/2 mid-stream-join HPACK
    limitation that requires a workload restart after agent rollout.
  - docs/ip-fqdn-resolver.md: Service/Pod/Node resolution order,
    Workload struct fields, ephemeral-workload aggregation,
    informer-cache memory optimization, and CNI-rewrite limitation.

Update README to link both docs from the "Added in this fork" and
"Metrics" sections so they are discoverable from the entry point.
Also fix the Go Report Card badge to point at the actual module
path (github.com/coroot/coroot-node-agent), since we are intentionally
keeping the upstream module identity.
@mayankpande88 mayankpande88 force-pushed the chore/opensource-readiness branch from d3cfe2e to 6ff5c21 Compare May 21, 2026 11:19
Review comments from gemini-code-assist on PR #248:

  - install.sh: extend the generated uninstall script to also stop +
    disable the legacy coroot-node-agent systemd unit (if present) and
    remove its binary, env file, and /var/lib state. Hosts migrating
    from the upstream package no longer leave stale artifacts.

  - manifests/nudgebee-node-agent.yaml: add Pod Security Admission
    labels (enforce, audit, warn = privileged) to the `nudgebee`
    namespace. The agent requires privileged + hostPID; without these
    labels the DaemonSet is rejected on clusters that enforce PSA
    (Kubernetes >= 1.25).

  - manifests/nudgebee-node-agent.yaml: pin to `:1` (major-version
    tag, auto-updated within compatible range) instead of `:latest`.
    The release workflow already publishes major / major.minor / full
    semver tags; document in a comment that production users should
    pin to a fully qualified tag.

CI fix:

  - .github/workflows/ci.yml: replace `gitleaks/gitleaks-action@v2`
    with a direct gitleaks CLI install. The action requires a paid
    licence when run on org-owned repositories ("nudgebee is an
    organization. License key is required."); the CLI itself is
    BSD-licensed and unrestricted.
  - Scope the scan to only the commits introduced by the event
    (PR: base..HEAD; push: before..after), so the historical secrets
    queued for the upcoming git-filter-repo pass don't keep the job
    red on every run.
I dropped this exclusion in 71b95e9 on the assumption it was
vestigial, since the only test under containers/ (llm_test.go) is
pure provider-detection logic with no system deps. The fresh CI run
on PR #248 disproved that:

    /tmp/go-build*/b1595/containers.test: symbol lookup error:
    /tmp/go-build*/b1595/containers.test: undefined symbol:
    nvmlDeviceSetMemClkVfOffset
    FAIL  github.com/coroot/coroot-node-agent/containers  0.001s

containers/ transitively imports gpu/, which imports
github.com/NVIDIA/go-nvml/pkg/nvml. The bindings resolve NVML
symbols (including very recent ones like
nvmlDeviceSetMemClkVfOffset that aren't in older libnvidia-ml.so)
at process start, which aborts the test binary on a runner without
a matching NVIDIA driver before any of our actual tests get to run.

Restore `grep -v '/containers$'` so CI is green; the real fix is to
move GPU code behind a build tag (e.g. `//go:build !nognml`) so
non-GPU builds can skip the dynamic-link surface entirely. Tracking
that as a follow-up.
@blue4209211 blue4209211 merged commit 65f1e1f into chore/rename-binary-to-nudgebee May 22, 2026
2 checks passed
@blue4209211 blue4209211 deleted the chore/opensource-readiness branch May 22, 2026 05:57
mayankpande88 added a commit that referenced this pull request May 25, 2026
…nt (#247)

* chore: rename release artifacts and image binary to nudgebee-node-agent

- Dockerfile: build output, COPY destination, and ENTRYPOINT renamed
  from coroot-node-agent to nudgebee-node-agent.
- release.yml: extract from /usr/bin/nudgebee-node-agent and publish
  release assets as nudgebee-node-agent-<version>-<arch>.

Go module path (github.com/coroot/coroot-node-agent) and the ldflags
version-injection path are unchanged — module rename is a separate
refactor.

Breaking change for any consumer that explicitly execs
'coroot-node-agent' as a container command/args/healthcheck, but our
in-repo manifests/coroot-node-agent.yaml uses args-only so the
ENTRYPOINT swap is transparent there. install.sh and the sample
manifest still point at upstream releases/images and are not used by
nudgebee container deploys; flagged for separate cleanup.

* chore: apply review feedback on rename PR

- flags/flags.go: WalDir default /tmp/coroot-node-agent ->
  /tmp/nudgebee-node-agent so the default spool directory matches the
  rebrand. /tmp doesn't survive reboots, so no migration concern;
  --wal-dir / WAL_DIR overrides are unaffected.
- Dockerfile: ENTRYPOINT uses the absolute path
  /usr/bin/nudgebee-node-agent to drop the implicit PATH dependency.

* Open-source readiness: legal, branding, docs, CI, community files (#248)

* chore: add open-source governance files and clean repo hygiene

Add the project metadata required for an Apache-2 OSS release derived
from coroot/coroot-node-agent:

- NOTICE: attribution to upstream coroot/coroot-node-agent and
  declaration that eBPF C code is GPL-2.0
- SECURITY.md: private disclosure policy
- CODE_OF_CONDUCT.md: Contributor Covenant 2.1
- CHANGELOG.md: keep-a-changelog seed
- LICENSES/GPL-2.0.txt: full GPL-2.0 text (eBPF probes)

Replace the two-line .gitignore with a real Go ignore covering build
artifacts, profiles, IDE state, and eBPF objects.

Remove two binaries accidentally committed to the repo root:
heap.prof (a stray pprof dump) and github-labeler-0.0.2 (an unrelated
third-party tool, 18.6 MB). The blobs remain in history and will be
purged in a separate filter-repo pass before the repo is made public.

* test: scrub real credentials and internal identifiers from L7 fixtures

The HTTP test fixtures in ebpftracer/l7/l7_test.go were captured from
live production traffic and contained:

  - real (now-expired) AWS STS session credentials with our account ID
    280501305789 embedded in the security-token blob
  - a real Kubernetes ServiceAccount JWT that exposed our EKS cluster
    OIDC issuer ID and the nudgebee-agent service-account name
  - a real S3 path referencing internal bucket nudgebee-dev-loki-logs
  - a captured Chatwoot session cookie and internal staging hostname
    test.nudgebee.pollux.in
  - internal pod IPs and a VictoriaMetrics remote-write body with
    cluster/karpenter labels

Replace every fixture with synthetic data (AWS's documented
AKIAIOSFODNN7EXAMPLE access key, example.com hostnames, zeroed
signatures, fully redacted tokens). The parser assertions are updated
to match; the parsing path/host/method behaviour is unchanged.

Note: the blobs remain in git history and will be purged in a separate
filter-repo pass before the repo is made public.

* chore: rebrand self-identification strings to nudgebee-node-agent

When the agent identifies itself to other systems, it now says
"nudgebee-node-agent" instead of "coroot-node-agent":

  - prom/remote_writer.go: Prometheus job label and outbound User-Agent
  - logs/otel.go: OpenTelemetry service name and logger name
  - install.sh: SYSTEM_NAME, systemd unit Description and Documentation;
    also fix the download URL to point at github.com/nudgebee/node-agent
    and match the release-workflow artifact pattern
    <binary>-<semver>-<arch>
  - Dockerfile.alpine: binary output name and runtime image paths
  - test_pods_metrics.sh: make namespace, label, and base port
    configurable via env vars (with nudgebee-friendly defaults)

containers/app.go is left alone for the upstream coroot-* entries
(they let us label coroot installs running alongside us), but
nudgebee-node-agent and nudgebee-cluster-agent are added so we
self-detect cleanly.

Note: this changes the `job` label on metrics from coroot-node-agent
to nudgebee-node-agent. Downstream dashboards and alerts must be
updated accordingly; this is also recorded in CHANGELOG.md.

* chore: rename DaemonSet manifest and update image reference

Rename manifests/coroot-node-agent.yaml to nudgebee-node-agent.yaml.
Update:
  - Namespace: coroot -> nudgebee
  - Labels and container/DaemonSet name -> nudgebee-node-agent
  - Image: ghcr.io/coroot/coroot-node-agent -> ghcr.io/nudgebee/node-agent
  - Pin to :latest with imagePullPolicy: IfNotPresent

Users with existing dashboards keyed on the old labels will need
to update their selectors.

* docs: rewrite README and CONTRIBUTING for the nudgebee open-source fork

README:
  - Retitle to "Nudgebee Node Agent" with upstream attribution
  - Update badges to point at the new module path
  - Restructure features into "inherited from upstream" and "added in
    this fork", calling out LLM observability, IP-to-FQDN resolver,
    enhanced L7 detection, PSI metrics, and stability work
  - Replace coroot install/docs links with our k8s manifest,
    install.sh, and ghcr image references (keeping links to upstream
    metric documentation where we haven't yet duplicated it)
  - Add Security section pointing at SECURITY.md
  - Reference NOTICE and the GPL-2.0 LICENSES/ entry for eBPF

CONTRIBUTING:
  - Drop the "thank you for contributing to Coroot" wording
  - Document the eBPF rebuild workflow (cd ebpftracer && make build) —
    the main Dockerfile only runs go build, so this is easy to miss
  - List Go and Linux/library requirements explicitly
  - Brief module layout overview to orient new contributors

* chore: rebrand opt-out env vars and API-key flag help text

  - proc/flags.go: accept both NUDGEBEE_EBPF_PROFILING /
    NUDGEBEE_LOG_MONITORING / NUDGEBEE_EBPF_TRACES (canonical going
    forward) and COROOT_* (backwards compatible) on the env of
    monitored processes. The COROOT_* names are a public opt-out
    contract that may already be set on user workloads; recognise
    both to avoid forcing a same-day migration.
  - containers/container.go: update the corresponding log message to
    reference the new canonical name
  - flags/flags.go: rewrite the --api-key flag help text from
    "Coroot API key" to "API key for the upstream collector"

* chore: add OSS community files and harden CI

Community files (.github/):
  - CODEOWNERS: default reviewers; closer review for eBPF + release surface
  - PULL_REQUEST_TEMPLATE.md: forces contributors to declare eBPF
    regeneration, secrets-in-fixtures check, and CHANGELOG updates
  - ISSUE_TEMPLATE/bug.yml: structured bug report with redaction reminder
  - ISSUE_TEMPLATE/feature.yml: feature-request form
  - ISSUE_TEMPLATE/config.yml: disable blank issues; route security
    reports to GitHub Security Advisories, questions to Discussions
  - dependabot.yml: weekly gomod + actions + docker updates, with
    grouped OTel/k8s/prometheus PRs to reduce noise

CI hardening (.github/workflows/ci.yml):
  - Drop the historical /containers test exclusion. The only test in
    containers/ is llm_test.go, 67 lines of pure provider-detection
    logic with no system deps. Linux CI builds the package today via
    the binary build step, so test coverage is the only thing missing.
  - Add a separate "Secret scan" job running gitleaks-action against
    full history (fetch-depth: 0). Prevents the kind of credentials
    we just scrubbed from being reintroduced. .gitleaks.toml allowlist
    covers the AWS-documented AKIAIOSFODNN7EXAMPLE key and the
    EXAMPLE_*_REDACTED placeholders used in test fixtures.
  - Set explicit `permissions: contents: read` for least-privilege.

* docs: add LLM observability and IP-to-FQDN resolver feature docs

Document the two headline nudgebee-original features. Both pages
mirror the structure used by upstream coroot docs: what it does, how
detection works, what metrics/labels are emitted, sample PromQL,
known limitations.

  - docs/llm-observability.md: provider matrix, the three-signal
    detection pipeline (DNS cache, TLS SNI, late HTTP-header tag),
    OTel-GenAI-aligned metric names, cost model from
    containers/llm_pricing.go, and the HTTP/2 mid-stream-join HPACK
    limitation that requires a workload restart after agent rollout.
  - docs/ip-fqdn-resolver.md: Service/Pod/Node resolution order,
    Workload struct fields, ephemeral-workload aggregation,
    informer-cache memory optimization, and CNI-rewrite limitation.

Update README to link both docs from the "Added in this fork" and
"Metrics" sections so they are discoverable from the entry point.
Also fix the Go Report Card badge to point at the actual module
path (github.com/coroot/coroot-node-agent), since we are intentionally
keeping the upstream module identity.

* chore: address PR #248 review feedback and fix secret-scan CI

Review comments from gemini-code-assist on PR #248:

  - install.sh: extend the generated uninstall script to also stop +
    disable the legacy coroot-node-agent systemd unit (if present) and
    remove its binary, env file, and /var/lib state. Hosts migrating
    from the upstream package no longer leave stale artifacts.

  - manifests/nudgebee-node-agent.yaml: add Pod Security Admission
    labels (enforce, audit, warn = privileged) to the `nudgebee`
    namespace. The agent requires privileged + hostPID; without these
    labels the DaemonSet is rejected on clusters that enforce PSA
    (Kubernetes >= 1.25).

  - manifests/nudgebee-node-agent.yaml: pin to `:1` (major-version
    tag, auto-updated within compatible range) instead of `:latest`.
    The release workflow already publishes major / major.minor / full
    semver tags; document in a comment that production users should
    pin to a fully qualified tag.

CI fix:

  - .github/workflows/ci.yml: replace `gitleaks/gitleaks-action@v2`
    with a direct gitleaks CLI install. The action requires a paid
    licence when run on org-owned repositories ("nudgebee is an
    organization. License key is required."); the CLI itself is
    BSD-licensed and unrestricted.
  - Scope the scan to only the commits introduced by the event
    (PR: base..HEAD; push: before..after), so the historical secrets
    queued for the upcoming git-filter-repo pass don't keep the job
    red on every run.

* ci: re-instate /containers test exclusion (NVML symbol mismatch)

I dropped this exclusion in 71b95e9 on the assumption it was
vestigial, since the only test under containers/ (llm_test.go) is
pure provider-detection logic with no system deps. The fresh CI run
on PR #248 disproved that:

    /tmp/go-build*/b1595/containers.test: symbol lookup error:
    /tmp/go-build*/b1595/containers.test: undefined symbol:
    nvmlDeviceSetMemClkVfOffset
    FAIL  github.com/coroot/coroot-node-agent/containers  0.001s

containers/ transitively imports gpu/, which imports
github.com/NVIDIA/go-nvml/pkg/nvml. The bindings resolve NVML
symbols (including very recent ones like
nvmlDeviceSetMemClkVfOffset that aren't in older libnvidia-ml.so)
at process start, which aborts the test binary on a runner without
a matching NVIDIA driver before any of our actual tests get to run.

Restore `grep -v '/containers$'` so CI is green; the real fix is to
move GPU code behind a build tag (e.g. `//go:build !nognml`) so
non-GPU builds can skip the dynamic-link surface entirely. Tracking
that as a follow-up.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants