| #!/usr/bin/env bash | |
| # Measure Docker build context size with and without .dockerignore | |
| # Covers: legacy Docker builder, BuildKit (via buildx), and Podman | |
| # | |
| # Run from the repo root where .dockerignore lives. | |
| # The script temporarily moves .dockerignore aside to measure "without", | |
| # then restores it to measure "with". | |
| set -uo pipefail |
| #!/usr/bin/env bash | |
| # KRM exec function: sets securityContext.runAsNonRoot=true on every | |
| # container and initContainer in LLMInferenceServiceConfig resources. | |
| # | |
| # Skips resources labeled opendatahub.io/config-type=accelerator | |
| # (minimal overrides that inherit securityContext from the base template). | |
| # | |
| # Receives a ResourceList on stdin, emits modified ResourceList on stdout. | |
| exec yq eval ' |
make precommit takes ~101s on a clean tree. 79% of time is in generate (57.7s)
and manifests (33.8s), which run unconditionally even when no relevant files changed.
Deep tool-level analysis uncovered additional waste:
manifests (16.4s) can be batched into 5 calls (1.3s)go vet on main module is redundant (5.1s) -- golangci-lint already includes govet
| #!/bin/bash | |
| # Reproducer: Attempt to chain 10 tokens (token proliferation attack) | |
| MAAS_URL="${MAAS_URL:-maas.$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')}" | |
| echo "=== Token Proliferation Test ===" | |
| echo "Attempting to create a chain of 10 tokens using each to issue the next" | |
| echo "" | |
| # Start with OpenShift identity token |
| #!/bin/bash | |
| # Reproducer: SA tokens should NOT be able to issue new tokens | |
| MAAS_URL="${MAAS_URL:-maas.$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')}" | |
| echo "=== Step 1: Get token using OpenShift identity (expected: success) ===" | |
| TOKEN=$(curl -sSk -X POST \ | |
| -H "Authorization: Bearer $(oc whoami -t)" \ | |
| -H "Content-Type: application/json" \ | |
| -d '{"expiration":"10m"}' \ |
| 2025-12-10T12:11:49.4445925Z Current runner version: '2.329.0' | |
| 2025-12-10T12:11:49.4552758Z ##[group]Runner Image Provisioner | |
| 2025-12-10T12:11:49.4556489Z Hosted Compute Agent | |
| 2025-12-10T12:11:49.4559478Z Version: 20251124.448 | |
| 2025-12-10T12:11:49.4563146Z Commit: fda5086b43ec66ade217e5fcd18146c879571177 | |
| 2025-12-10T12:11:49.4586950Z Build Date: 2025-11-24T21:16:26Z | |
| 2025-12-10T12:11:49.4590227Z ##[endgroup] | |
| 2025-12-10T12:11:49.4593197Z ##[group]Operating System | |
| 2025-12-10T12:11:49.4596722Z Ubuntu | |
| 2025-12-10T12:11:49.4599576Z 24.04.3 |
| [ | |
| { | |
| "op": "add", | |
| "path": "/spec/replicas", | |
| "value": 1 | |
| }, | |
| { | |
| "op": "add", | |
| "path": "/spec/strategy", | |
| "value": { |
| apiVersion: kustomize.config.k8s.io/v1beta1 | |
| kind: Kustomization | |
| metadata: | |
| name: facebook-opt-125m-simulated | |
| namespace: llm | |
| namePrefix: facebook-opt-125m- |
| apiVersion: dscinitialization.opendatahub.io/v1 | |
| kind: DSCInitialization | |
| metadata: | |
| name: default | |
| spec: | |
| applicationsNamespace: opendatahub | |
| monitoring: | |
| managementState: Managed | |
| namespace: opendatahub | |
| apiVersion: datasciencecluster.opendatahub.io/v1 |