make precommit takes ~101s on a clean tree. 79% of time is in generate (57.7s)
and manifests (33.8s), which run unconditionally even when no relevant files changed.
Deep tool-level analysis uncovered additional waste:
manifests (16.4s) can be batched into 5 calls (1.3s)go vet on main module is redundant (5.1s) -- golangci-lint already includes govet
| #!/bin/bash | |
| # Reproducer: Attempt to chain 10 tokens (token proliferation attack) | |
| MAAS_URL="${MAAS_URL:-maas.$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')}" | |
| echo "=== Token Proliferation Test ===" | |
| echo "Attempting to create a chain of 10 tokens using each to issue the next" | |
| echo "" | |
| # Start with OpenShift identity token |
| #!/bin/bash | |
| # Reproducer: SA tokens should NOT be able to issue new tokens | |
| MAAS_URL="${MAAS_URL:-maas.$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')}" | |
| echo "=== Step 1: Get token using OpenShift identity (expected: success) ===" | |
| TOKEN=$(curl -sSk -X POST \ | |
| -H "Authorization: Bearer $(oc whoami -t)" \ | |
| -H "Content-Type: application/json" \ | |
| -d '{"expiration":"10m"}' \ |
| 2025-12-10T12:11:49.4445925Z Current runner version: '2.329.0' | |
| 2025-12-10T12:11:49.4552758Z ##[group]Runner Image Provisioner | |
| 2025-12-10T12:11:49.4556489Z Hosted Compute Agent | |
| 2025-12-10T12:11:49.4559478Z Version: 20251124.448 | |
| 2025-12-10T12:11:49.4563146Z Commit: fda5086b43ec66ade217e5fcd18146c879571177 | |
| 2025-12-10T12:11:49.4586950Z Build Date: 2025-11-24T21:16:26Z | |
| 2025-12-10T12:11:49.4590227Z ##[endgroup] | |
| 2025-12-10T12:11:49.4593197Z ##[group]Operating System | |
| 2025-12-10T12:11:49.4596722Z Ubuntu | |
| 2025-12-10T12:11:49.4599576Z 24.04.3 |
| [ | |
| { | |
| "op": "add", | |
| "path": "/spec/replicas", | |
| "value": 1 | |
| }, | |
| { | |
| "op": "add", | |
| "path": "/spec/strategy", | |
| "value": { |
| apiVersion: kustomize.config.k8s.io/v1beta1 | |
| kind: Kustomization | |
| metadata: | |
| name: facebook-opt-125m-simulated | |
| namespace: llm | |
| namePrefix: facebook-opt-125m- |
| apiVersion: dscinitialization.opendatahub.io/v1 | |
| kind: DSCInitialization | |
| metadata: | |
| name: default | |
| spec: | |
| applicationsNamespace: opendatahub | |
| monitoring: | |
| managementState: Managed | |
| namespace: opendatahub | |
| apiVersion: datasciencecluster.opendatahub.io/v1 |
| apiVersion: gateway.networking.k8s.io/v1 | |
| kind: HTTPRoute | |
| metadata: | |
| creationTimestamp: "2025-09-26T21:16:42Z" | |
| generation: 1 | |
| labels: | |
| app.kubernetes.io/component: llminferenceservice-router | |
| app.kubernetes.io/name: facebook-opt-125m-single-simulated | |
| app.kubernetes.io/part-of: llminferenceservice | |
| name: facebook-opt-125m-single-simulated-kserve-route |
| openapi: 3.0.3 | |
| info: | |
| title: MaaS Billing API | |
| description: Model as a Service Billing and Management API | |
| version: "1.0" | |
| servers: | |
| - url: http://localhost:8080 | |
| paths: | |
| /health: | |
| get: |
| apiVersion: serving.kserve.io/v1alpha1 | |
| kind: LLMInferenceService | |
| metadata: | |
| name: llm-inference-service-model-fb-opt-125m-router-managed-workload | |
| namespace: kserve-ci-e2e-test | |
| spec: | |
| baseRefs: | |
| - name: model-fb-opt-125m | |
| - name: router-managed | |
| - name: workload-single-cpu |