Enable Security's Cypress tests on all PRs #167516
Conversation
oatkiller
force-pushed
the
enable-security-cypress-tests
branch
from
6a36349 to
6421112
Compare
| @@ -82,7 +82,6 @@ const uploadPipeline = (pipelineContent: string | object) => { | |||
| GITHUB_PR_LABELS.includes('ci:all-cypress-suites') | |||
| ) { | |||
| pipeline.push(getPipeline('.buildkite/pipelines/pull_request/security_solution.yml')); | |||
| pipeline.push(getPipeline('.buildkite/pipelines/pull_request/defend_workflows.yml')); | |||
There was a problem hiding this comment.
I moved the body of this file directly into base.yml, so it will always run.
| @@ -1,40 +1,4 @@ | |||
| steps: | |||
| - command: .buildkite/scripts/steps/functional/security_solution.sh | |||
There was a problem hiding this comment.
These were moved to the pull_request base.yml so they will always run.
| @@ -1,18 +1,4 @@ | |||
| steps: | |||
| - command: .buildkite/scripts/steps/functional/osquery_cypress.sh | |||
There was a problem hiding this comment.
This was moved to the base.yml so it will always run.
| @@ -1,26 +0,0 @@ | |||
| steps: | |||
There was a problem hiding this comment.
This was all moved to base.yml
| @@ -80,6 +80,30 @@ steps: | |||
| # - exit_status: '*' | |||
| # limit: 1 | |||
|
|
|||
| - command: .buildkite/scripts/steps/functional/defend_workflows.sh | |||
There was a problem hiding this comment.
Defend Workflows Cypress tests, including serverless tests, will run on all PRs now.
|
🥳 !! How do we feel about including these in the on-merge pipeline too? By expanding the scope to all pull requests, operations will typically be the contact for triage. Our notifications come through via on-merge - too much noise on pull requests. |
Completely agree with this!! @oatkiller when doing that change, please remember to remove our tests from |
There was a problem hiding this comment.
@oatkiller I believe we should do the same for the threat intelligence cypress tests.
@PhilippeOberti may you please confirm if those tests are still owned by us? Thanks!
There was a problem hiding this comment.
@oatkiller I believe we should do the same for the
threat intelligencecypress tests.@PhilippeOberti may you please confirm if those tests are still owned by us? Thanks!
I'd say they are yes, as @lgestc and I are the ones who worked on them, and we're both in the Investigations' team
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
oatkiller
added
the
release_note:skip
This comment was marked as resolved.
This comment was marked as resolved.
| @@ -76,7 +76,6 @@ const uploadPipeline = (pipelineContent: string | object) => { | |||
| GITHUB_PR_LABELS.includes('ci:all-cypress-suites') | |||
| ) { | |||
| pipeline.push(getPipeline('.buildkite/pipelines/pull_request/security_solution.yml')); | |||
There was a problem hiding this comment.
These files now just run:
- cypress burn
- OpenAPI codegen
- Serverless OS Query tests
I don't think these steps match the doAnyChangesMatch call above.
For example, changes to /^fleet_packages.json/ probably shouldn't trigger those actions. Also, all PRs will run our tests now.
With that in mind, I think we need to re-evaluate these filters.
@xcrzx I believe you added the OpenAPI codegen step. Do you know when it needs to run?
@patrykkopycinski Should Serverless Osquery Cypress Tests run on all PRs now?
There was a problem hiding this comment.
@xcrzx I believe you added the OpenAPI codegen step. Do you know when it needs to run?
We need to run it whenever there are changes to schema files (*.schema.yaml) or generated artifacts (*.gen.ts) in Security Solution. But as we're making the codegen script configurable, other teams might also start using it in their plugins.
UPD: We also need to run codegen on any changes to packages/kbn-openapi-generator
There was a problem hiding this comment.
yes, all Servereless Cypress Tests should run on all PRs
We don't have a great UX yet for soft failures. When we had them enabled for serverless tests PR comments displaying |
| @@ -49,66 +49,6 @@ steps: | |||
| - exit_status: '*' | |||
| limit: 1 | |||
|
|
|||
| - command: .buildkite/scripts/steps/functional/security_solution.sh | |||
There was a problem hiding this comment.
These were moved to on_merge.yml
| @@ -114,6 +114,66 @@ steps: | |||
| - exit_status: '*' | |||
| limit: 1 | |||
|
|
|||
| - command: .buildkite/scripts/steps/functional/security_solution.sh | |||
There was a problem hiding this comment.
These were copied from on_merge_unsupported_ftrs.yml
@oatkiller Not a strong opinion on any of the above solutions if both are valid. My only thought is that if possible, would be great to minimize the number of files where our code lives, in this way is going to be easier to maintain the future.
Are we going to move the threat intelligence tests as well?
Agree! It would be nice to merge it if possible after 8.11 branch cut to avoid possible issues. |
|
Hey all. I’m aiming to enable our Cypress e2e tests on all PRs. Can you help me find the right time to merge this? Tomorrow is feature freeze.
cc: @paul-tavares @patrykkopycinski @kevinlog @eyalkraft @tehilashn @peluja1012 @marshallmain @yctercero @asnehalb @YulNaumenko @michaelolo24 @stephmilovic @MindyRS @MadameSheema @charlie-pichette @k-g-elastic @epixa @crowens @arpadkiraly |
|
@oatkiller I vote for option 2, FF is happening tomorrow so the PR cut will arrive soon :) |
|
@oatkiller I agree with @MadameSheema on option 2. |
|
cc: @mchopda |
|
Hey @oatkiller - thanks for the ping. I also think option 2 is best. As a side note: I wonder if some sort of "warning" to others that commit to Kibana should be sent out. I often encounter CI errors while the PR is pending that have nothing to do with the changes introduced by the PR (they are failures in other security solution test suites). I get around them by just keep merging upstream and they eventually generate a 💚 build, but this type of issue (unstable tests - maybe?) will likely a) frustrate others outside of security solution, b) cause an increase in "I need help with your failing tests" in our security team channels. Just a heads up. |
I will move the threat intelligence tests as well. |
Thanks. I'll figure out a way to notify some more people. |
and remove some branches from pipeline.ts that are no longer needed
oatkiller
force-pushed
the
enable-security-cypress-tests
branch
from
40000d0 to
cd133a1
Compare
ensure jobs in on_merge have the same labels and parallelism as the equivalent jobs in the pull_request pipeline ensure all Security cypress tests, including serverless tests, are in on_merge
| limit: 1 | ||
|
|
||
| - command: .buildkite/scripts/steps/functional/defend_workflows_serverless.sh | ||
| label: 'Defend Workflows Cypress Tests on Serverless' |
There was a problem hiding this comment.
@patrykkopycinski is this right?
oatkiller
requested review from
jbudz,
PhilippeOberti,
patrykkopycinski and
xcrzx
|
Update!: Hey all, Thanks for the previous reviews. I have made a few changes:
|
💚 Build Succeeded
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
kibanamachine
added
v8.12.0
backport:skip
## Summary Security Solution writes e2e and other tests using Cypress. In the past, these tests, if they failed on a tracked branch, couldn't be easily skipped. They also weren't run in parallelized jobs. For primarily these reasons, they didn't run on most Kibana PRs. This PR moves these Cypress tests back to the main PR pipeline. Tests that fail on tracked branches create (or update) Github issues which can be used with the skip-test github workflow script to easily skip the failing tests. The pipeline steps are parallelized and run in under 40 minutes. ### Open Questions - [ ] Should this PR enable Serverless Security Defend Workflows Cypress Tests @patrykkopycinski ### Some buildkite pipelines that used to run only on Security PRs now run on all PRs: These steps run on all PRs with these changes - Security Solution Cypress Tests (general tests that haven't been organized into an area team) - Explore tests - Investigations Tests - Defend Workflows Tests - Defend Workflows Serverless - Threat Intel Tests - OS Query Tests - Security Solution Burning Changed Specs (these run only recently changed specs a few extra times) - Security Solution OpenAPI codegen - OSQuery burning - OSQuery Serverless <details> <summary><b>And these already run on all PRs</b></summary> - Serverless Security Cypress Tests - Serverless Explore tests - Serverless Investigations Tests </details> ### Security Cypress tests run in the main `on merge` pipeline instead of the `on merge unsupported ftrs` pipeline: These steps run in the `on merge` pipeline with these changes: - Security Solution Cypress Tests - Explore Cypress Tests - Investigations Cypress Tests - Defend Workflows Cypress Tests - Defend Workflows Serverless Cypress Tests - Threat Intelligence Cypress Tests - Osquery Cypress Tests <details> <summary><b>and these already run on the `on merge` pipeline</b></summary> - Serverless Security Cypress Tests - Serverless Explore - Security Solution Cypress Tests - Serverless Investigations - Security Solution Cypress Tests </details> ### Additional work to be done: We need to consolidate build steps, enhance test skipping to support Cypress-grep flags, avoid out-of-memory errors in cypress, enhance parallelization, improve Cypress reporting, and probably other things. These are tracked separately. Reach out to me if you need details. ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Summary
Security Solution writes e2e and other tests using Cypress. In the past, these tests, if they failed on a tracked branch, couldn't be easily skipped. They also weren't run in parallelized jobs. For primarily these reasons, they didn't run on most Kibana PRs.
This PR moves these Cypress tests back to the main PR pipeline. Tests that fail on tracked branches create (or update) Github issues which can be used with the skip-test github workflow script to easily skip the failing tests. The pipeline steps are parallelized and run in under 40 minutes.
Open Questions
Some buildkite pipelines that used to run only on Security PRs now run on all PRs:
These steps run on all PRs with these changes
And these already run on all PRs
Security Cypress tests run in the main
on mergepipeline instead of theon merge unsupported ftrspipeline:These steps run in the
on mergepipeline with these changes:and these already run on the `on merge` pipeline
Additional work to be done:
We need to consolidate build steps, enhance test skipping to support Cypress-grep flags, avoid out-of-memory errors in cypress, enhance parallelization, improve Cypress reporting, and probably other things. These are tracked separately. Reach out to me if you need details.
For maintainers