ci(kwok): implement tiered testing strategy per ADR-003

[mchmarny]

Implements #424 (ADR-003)

Summary

• Implements ADR-003 tiered KWOK testing strategy to replace flat "test every overlay on every PR" model
• Splits discovery into three tiers: generic PR gate (Tier 1), diff-aware accelerator tests (Tier 2), and full matrix on merge/nightly (Tier 3)
• Fixes kube-prometheus-stack emptyDir: null CRD rejection in KWOK clusters by post-processing bundle values

Details

Workflow changes (.github/workflows/kwok-recipes.yaml)

Tier	When	What	Jobs
Tier 1	Every PR + push	Generic overlays (no accelerator)	~11
Tier 2	PR only, conditional	Diff-affected accelerator overlays	0–25
Tier 3	Push to main + nightly	Full overlay matrix	36+

Tier 2 diff-aware selection traces three dependency paths:

1. Direct overlay file changes
2. Ancestor overlays in the spec.base chain
3. Component valuesFile references from the overlay and its base chain

Concurrency: Tier 3 uses per-SHA concurrency group (cancel-in-progress: false) so successive merges to main never cancel in-flight runs. PRs keep cancel-in-progress: true.

Nightly schedule added at 03:00 UTC as a Tier 3 backstop per ADR-003.

KWOK fix (kwok/scripts/validate-scheduling.sh)

Cloud overlays (EKS, AKS) set storageSpec.emptyDir: null + volumeClaimTemplate for PVC storage. The Prometheus CRD rejects emptyDir: null in Kind/KWOK clusters. Added post-bundle processing to restore emptyDir and remove volumeClaimTemplate for KWOK tests.

Impact

• ~70% reduction in PR runner time (36 → 11 jobs for typical PRs)
• Full coverage preserved on every merge to main and nightly
• Branch protection: KWOK Test Summary job aggregates all tiers

Test plan

• Unit tests pass (make test)
• YAML lint passes
• KWOK tested 23/36 recipes across all 4 services (aks, eks, gke, kind) — zero failures
• Verified emptyDir fix triggers correctly for cloud overlays and skips for kind/base overlays
• Pre-existing lint failure (gke-tcpxo-networking.md sidebar) confirmed unrelated

[github-actions]

Coverage Report ✅

Metric	Value
Coverage	73.5%
Threshold	70%
Status	Pass

Coverage Badge

![Coverage](https://img.shields.io/badge/coverage-73.5%25-green)

No Go source files changed in this PR.

[yuanchen8911]

Review findings (ordered by severity):

1. High: PRs that touch recipes/registry.yaml or recipes/overlays/base.yaml can merge without any accelerator coverage.
   In discover, Tier 2 is explicitly skipped for those changes (L116-L121), while Tier 3 is disabled on PRs (L294-L296).
   Impact: high-risk recipe graph changes are only validated post-merge/nightly.

2. Medium: Nightly schedule currently runs Tier 1 in addition to Tier 3.
   test-tier1 has no event filter (L217-L219), so scheduled runs execute both Tier 1 and Tier 3.
   Impact: duplicate coverage and extra nightly runtime/cost.

3. Medium: Tier 2 diff computation can silently degrade to “no changed files”.
   git diff --name-only ... || true suppresses failures (L114).
   Impact: if diff resolution fails, Tier 2 may be empty and the PR can pass with missing accelerator checks.

Open question:

• Is skipping accelerator validation for registry.yaml / base.yaml changes an intentional ADR-003 tradeoff, or should those cases force Tier 2-all (or Tier 3 on PR)?

[dims]

LGTM

[xdu31]

lgtm

[mchmarny]

Thanks for the review — all three points are valid. Addressed in 9ffc89d:

1. High (registry.yaml/base.yaml → no accelerator coverage): Fixed. When registry.yaml or base.yaml changes, all accelerator overlays are now promoted to Tier 2 instead of being skipped. This ensures PR-time validation for high-risk recipe graph changes.

2. Medium (duplicate Tier 1 on schedule): Fixed. Tier 1 now skips on schedule events since Tier 3 already runs the full matrix (which is a superset of Tier 1).

3. Medium (silent diff failure): Fixed. git diff failure now fails the discover job loudly with ::error:: annotation instead of silently producing an empty Tier 2.

To the open question: Skipping accelerator validation for registry.yaml/base.yaml was the ADR-003 tradeoff (Tier 3 catches it post-merge). But the reviewer is right that these are high-risk changes — promoting to Tier 2-all on PR is the safer choice without significant cost increase (25 additional jobs only when base/registry changes, which is infrequent).

[iamkhaledh]

lgtm

[yuanchen8911]

/lgtm