ci(diff-guard): raise rocky_10 detection threshold to 20%#169
Merged
rocky_10 is a young, small-baseline detection target that repeatedly trips the global 5% `vuls diff detection` threshold on routine upstream Rocky Linux 10 errata batches:

- run 26731457315 (2026-06-01): baseline 122 -> 164, +42, 34.4%
- run 27508894556 (2026-06-14): baseline 205 -> 227, +22, 10.7%

Both were confirmed upstream-driven (new RLSA advisories for major_version 10; raw moved, extractor and vuls2 builder unchanged). As the baseline grows the relative swings shrink, so a per-target override of 20% covers the current regime while still catching genuinely anomalous churn, mirroring the existing debian_13=20 entry.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Keep the DB Nightly workflow's detection overrides in sync with db-main; rocky_10 trips the same small-baseline churn there.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
Pull request overview
Raises the diff-guard vuls diff detection change-rate threshold specifically for the rocky_10 detection target in the DB workflow to prevent upstream-driven Rocky Linux 10 errata batches from repeatedly failing CI due to a small baseline.
Changes:

- Add `rocky_10=20` to `DETECTION_CHANGE_RATE_THRESHOLD_OVERRIDES` in `.github/workflows/db-main.yml`, increasing the per-target threshold from the global 5% to 20%.
What

Add a per-target diff-guard override `rocky_10=20` to `DETECTION_CHANGE_RATE_THRESHOLD_OVERRIDES` in both DB workflows — `.github/workflows/db-main.yml` (DB) and `.github/workflows/db-nightly.yml` (DB Nightly) — raising the `vuls diff detection` change-rate threshold for `rocky_10` from the global 5% to 20% and keeping the two workflows in sync.

Why

`rocky_10` is a young, small-baseline detection target. Routine upstream Rocky Linux 10 errata batches produce a large relative change rate against the small baseline and repeatedly trip the global 5% threshold, failing the DB workflow even though the candidate DB is sound:

- run 26731457315 (2026-06-01): baseline 122 -> 164, +42, 34.4%
- run 27508894556 (2026-06-14): baseline 205 -> 227, +22, 10.7%

Both failures were triaged as upstream-driven:

- `rocky-errata` moved — new `RLSA-2026:*` advisories with `affected_products[].major_version == 10` (e.g. the 06-14 run added 8 such advisories: RLSA-2026:24985, 25111, 25112, 25115, 25191, 25216, 25225, 25237).
- Extractor unchanged (… `pkg/extract/rocky` or `pkg/fetch/rocky` in the affected window).
- vuls2 builder unchanged (… `created_by` in baseline vs candidate DB metadata).
- i.e. legitimate new Rocky 10 errata, faithfully extracted — not a pipeline regression.

Choice of 20%

As the `rocky_10` baseline grows (122 → 205 over two weeks), equivalent upstream batches shrink in relative terms, so a 20% per-target override covers the current regime while still catching genuinely anomalous churn. This mirrors the existing `debian_13=20` entry for the same class of recent-release / small-baseline churn.

Note: the 2026-06-01 spike (34.4%, baseline 122) predates this threshold and would not have been covered by 20% — it reflects the initial post-launch seeding of Rocky 10 coverage rather than the steady-state regime this override targets.
🤖 Generated with Claude Code
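The review summary and the PR description above both describe the same mechanism: a candidate DB's per-target detection count is compared with the baseline, the relative change is checked against the global 5% threshold, and a per-target entry such as `rocky_10=20` raises that threshold for one target. The following is an added example that models that check end to end; it is not code from the vuls project, this PR, or its author. The `target=percent` list layout (comma- or newline-separated), the function names, and treating a change exactly at the threshold as passing are assumptions; the two `rocky_10` runs are constructed from the numbers quoted in the PR.

```python
"""Model of a diff-guard change-rate check with per-target overrides.

Added example, not vuls project code.  The 'target=percent' override format,
the function names and the '<=' boundary are assumptions.
"""
from dataclasses import dataclass

GLOBAL_THRESHOLD_PERCENT = 5.0  # the global default the PR text cites


def parse_overrides(spec: str) -> dict[str, float]:
    """Parse 'debian_13=20,rocky_10=20' into {'debian_13': 20.0, 'rocky_10': 20.0}.

    Entries may be separated by commas or newlines (assumed layout).  A malformed
    entry raises instead of being skipped, so a typo in an override cannot
    silently fall back to the stricter global threshold and hide the mistake.
    """
    overrides: dict[str, float] = {}
    for item in spec.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue
        target, sep, value = item.partition("=")
        if not sep or not target.strip() or not value.strip():
            raise ValueError(f"malformed override entry: {item!r}")
        percent = float(value)
        if percent < 0:
            raise ValueError(f"negative threshold for {target.strip()!r}")
        overrides[target.strip()] = percent
    return overrides


def change_rate_percent(baseline: int, candidate: int) -> float:
    """Absolute relative change of the detection count, in percent of baseline.

    An empty baseline makes any non-zero change infinitely large; returning inf
    means such a run never passes, the conservative choice for a target with no
    history yet (a 0 -> 0 run is treated as no change).
    """
    if baseline <= 0:
        return 0.0 if candidate == 0 else float("inf")
    return abs(candidate - baseline) / baseline * 100.0


@dataclass(frozen=True)
class GuardResult:
    target: str
    baseline: int
    candidate: int
    rate_percent: float
    threshold_percent: float

    @property
    def passed(self) -> bool:
        # Boundary handling (<=) is an assumption about the real guard.
        return self.rate_percent <= self.threshold_percent


def check_target(target: str, baseline: int, candidate: int,
                 overrides: dict[str, float]) -> GuardResult:
    """Use the per-target override when present, otherwise the global threshold."""
    threshold = overrides.get(target, GLOBAL_THRESHOLD_PERCENT)
    return GuardResult(target, baseline, candidate,
                       change_rate_percent(baseline, candidate), threshold)


# Constructed sample: the two rocky_10 runs quoted in the PR description.
SAMPLE_RUNS = [
    ("rocky_10", 122, 164),  # 2026-06-01: +42, 34.4%
    ("rocky_10", 205, 227),  # 2026-06-14: +22, 10.7%
]


def evaluate(runs, overrides_spec: str) -> list[GuardResult]:
    """Check every (target, baseline, candidate) run against the given overrides."""
    overrides = parse_overrides(overrides_spec)
    return [check_target(t, b, c, overrides) for t, b, c in runs]


if __name__ == "__main__":
    # Before the PR only debian_13 has an override; after it rocky_10 does too.
    for spec in ("debian_13=20", "debian_13=20,rocky_10=20"):
        print(f"overrides: {spec!r}")
        for r in evaluate(SAMPLE_RUNS, spec):
            verdict = "pass" if r.passed else "FAIL"
            print(f"  {r.target}: {r.baseline} -> {r.candidate} "
                  f"({r.rate_percent:.1f}% vs {r.threshold_percent:g}%) {verdict}")
```

Running it shows the behaviour the description argues for: with only `debian_13=20` configured both `rocky_10` runs fail at 5%; with `rocky_10=20` added, the 2026-06-14 run (10.7%) passes while the 2026-06-01 seeding spike (34.4%) still fails, which is exactly the note in "Choice of 20%". Rejecting malformed override entries rather than ignoring them is the defensive choice: a silently dropped entry would leave the target on the global threshold and the only symptom would be recurring CI failures.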