feat: datetime reports, auto-commit on verify, register pruning EP
- Include time in TAP report filename (ISO 8601: date + HHmmssZ)
- Add changed_when: false to report write task — verify play now shows changed=0 on a clean run (all green recap)
- make verify auto-commits new reports to repo after a passing run; exits non-zero before committing if assertions fail
- Register EP-RAIL-001: report pruning extension point for future implementation when reports/ accumulates beyond a threshold

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
9
Makefile
@@ -198,11 +198,14 @@ status: ## Show live security state of all hosts (UFW, fail2ban, SSH hardening)
@echo ""
@echo "--- Hint: run 'make verify' for a structured pass/fail report ---"

verify: ## Run Goss test suite against all hosts — exits non-zero on failure
verify: ## Run Goss test suite against all hosts, commit TAP reports — exits non-zero on failure
@echo "Running Goss baseline assertions..."
@cd $(ANS_DIR) && ansible-playbook playbooks/verify.yaml -u $(SSH_USER) && \
echo "All assertions passed." || \
@cd $(ANS_DIR) && ansible-playbook playbooks/verify.yaml -u $(SSH_USER) || \
(echo "One or more assertions FAILED — see reports/ for TAP output." && exit 1)
@echo "All assertions passed."
@git add reports/ && \
git diff --cached --quiet && echo "No new reports to commit." || \
git commit -m "chore: Goss verification reports $$(date -u +%Y-%m-%dT%H%M%SZ)"

converge: ## Converge all hosts to the baseline (idempotent)
cd $(ANS_DIR) && ansible-playbook $(PLAY) -u $(SSH_USER)

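Review bot: the auto-commit in the new `verify` target commits more than this run's reports. `git add reports/` stages every untracked or modified file under the directory, so if a failing run has already written TAP files there (the recipe exits 1 before reaching `git add`, leaving them untracked), they are swept into the next passing run's commit under a message that says the run passed; and `git commit` without a pathspec commits the whole index, so anything the operator had staged for unrelated work goes in as well. Suggest restricting the commit to the path, `git commit -m "chore: Goss verification reports ..." -- reports/`, and deciding explicitly what to do with reports left by failed runs (commit them separately or discard them before the run). The `git diff --cached --quiet && echo "No new reports to commit." || git commit ...` chain also only behaves because `echo` cannot fail; an `if git diff --cached --quiet; then ...; else ...; fi` states the intent without relying on that. Minor: `%Y-%m-%dT%H%M%SZ` mixes the extended date form with the basic time form, which strict ISO 8601 does not permit in one representation; it sorts correctly, so this is cosmetic, but the commit message calls it ISO 8601.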
@@ -50,7 +50,8 @@
- name: Write TAP report locally
ansible.builtin.copy:
content: "{{ goss_result.stdout }}"
dest: "{{ playbook_dir }}/../../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}.tap"
dest: "{{ playbook_dir }}/../../reports/goss-{{ inventory_hostname }}-{{ ansible_date_time.date }}T{{ ansible_date_time.hour }}{{ ansible_date_time.minute }}{{ ansible_date_time.second }}Z.tap"
mode: "0644"
delegate_to: localhost
become: false
changed_when: false

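Review bot: the `Z` suffix in the new `dest` filename is not backed by the values in front of it. `ansible_date_time.hour`, `.minute` and `.second` are the managed host's local time as captured by fact gathering, not UTC, so on any host whose clock is not set to UTC the filename asserts a UTC instant it does not represent, and hosts in different timezones produce names that do not sort against each other. `ansible_date_time.iso8601` is the UTC timestamp with the `Z` already attached; `{{ ansible_date_time.iso8601 | replace(':', '') }}` yields `2026-03-09T154855Z` directly and keeps the `date` component consistent with the time. Note also that these facts are collected at the start of the play, so the filename records when fact gathering ran on that host, not when the report was written; if the write time matters, `lookup('pipe', 'date -u +%Y-%m-%dT%H%M%SZ')` on the controller is closer, and matches the format used by the `git commit` message in the Makefile. `changed_when: false` on a task that genuinely writes a file trades the ability to see that write in the recap for the green summary the commit message asks for; that is fine as a deliberate choice, but it should be stated in a task comment so the next reader does not "fix" it.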
@@ -0,0 +1,53 @@
---
type: extension-point
id: EP-RAIL-001
title: "Goss TAP report pruning"
target_org: railiance
target_repo: railiance-hosts
status: open
created: "2026-03-09"
source_repo: railiance-hosts
related_workstream_id: ""
---

# EP-RAIL-001: Goss TAP Report Pruning

## Context

`make verify` commits a new TAP report file to `reports/` on every run:

```
reports/goss-Railiance01-2026-03-09T154855Z.tap
```

As the fleet grows and verify runs more frequently, `reports/` will accumulate
indefinitely and bloat the repository history.

## Extension Point

Add a `make prune-reports` target (or integrate into `make verify`) that:

- Keeps the N most recent reports per host (suggested default: N=30)
- Removes older files and commits the deletion
- Is configurable via a Makefile variable (`REPORTS_KEEP ?= 30`)

Suggested implementation sketch:

```makefile
REPORTS_KEEP ?= 30

prune-reports: ## Remove old Goss TAP reports, keep REPORTS_KEEP most recent per host
@for host in $$(ls reports/goss-*.tap 2>/dev/null | sed 's|reports/goss-||;s|-[0-9T]*Z\.tap||' | sort -u); do \
ls -t reports/goss-$$host-*.tap | tail -n +$$(($(REPORTS_KEEP)+1)) | xargs -r rm -v; \
done
@git add reports/ && git diff --cached --quiet || \
git commit -m "chore: prune Goss reports older than $(REPORTS_KEEP) per host"
```

## Trigger

Implement when any of the following is true:

- `reports/` contains more than 200 files, OR
- Repository size grows noticeably due to reports, OR
- verify is integrated into CI with high frequency runs
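Review bot: the host-extraction `sed` in the prune sketch produces the wrong key for the filename format shown in the Context section. Against `reports/goss-Railiance01-2026-03-09T154855Z.tap`, the second expression `s|-[0-9T]*Z\.tap||` can only match starting at the last dash (`-09T154855Z.tap`), because the earlier dashes inside the date are not in `[0-9T]`, so `$host` becomes `Railiance01-2026-03` and the retention loop keeps `REPORTS_KEEP` files per host and month rather than per host; a hostname that itself contains a dash makes the split worse still. Anchor on the whole timestamp instead, e.g. `s|-[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}T[0-9]\{6\}Z\.tap||`. The `ls -t` ordering is also not trustworthy for this purpose: it sorts by mtime, which git does not preserve, so after a fresh clone or checkout every report carries the same mtime and which files survive is arbitrary. Since the embedded timestamp sorts lexically, `ls -1 reports/goss-$$host-*.tap | sort -r` gives newest-first without depending on the filesystem. Finally, the Trigger section's "more than 200 files" threshold is the kind of condition `make verify` could check itself (a `find reports -name '*.tap' | wc -l` comparison) and print a hint for, which would make the extension point self-announcing rather than relying on someone noticing repository growth.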