steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

ci: shard test job + cheap argon2 in test mode
CI / Test (store) (pull_request) Successful in 38s
Details
CI / Test (rest) (pull_request) Successful in 48s
Details
CI / Test (server-http) (pull_request) Successful in 1m10s
Details
CI / Lint (pull_request) Successful in 33s
Details
CI / Build (linux/amd64) (pull_request) Successful in 24s
Details
CI / Build (windows/amd64) (pull_request) Successful in 48s
Details
CI / Build (linux/arm64) (pull_request) Successful in 23s
Details

Browse Source 
Test job was wall-clocked by `internal/server/http` (~156s on the
self-hosted runner under -race). Two changes here cut that:

1. Matrix-shard the test job by package group: server-http, store,
   and "rest" (everything else, computed via `go list | grep -v`).
   Each shard runs on its own runner so the heavy package isn't
   CPU-starved by siblings.

2. `auth.HashPassword` drops to cheap argon2id params (8 KiB / 1
   iter / 1 lane) when `testing.Testing()` returns true. Production
   params are unchanged. VerifyPassword reads params from the
   encoded hash so cheap-params hashes verify identically — no test
   call sites need to change.
This commit is contained in:
Steve Cliff
2026-05-05 08:40:50 +01:00
parent 6fd16ace81
commit 03e5ec31f1
2 changed files with 48 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/auth/passwords.go
+19 -2
View File
@@ -9,6 +9,7 @@ import (
"errors"
"fmt"
"strings"
"testing"
"golang.org/x/crypto/argon2"
)
@@ -27,22 +28,38 @@ const (
defaultKeyLen = 32
)
// Cheap params used only when the binary is a `go test` binary
// (testing.Testing() == true). Argon2id at production params costs
// 300500 ms per hash and dominates wall time on CI runners under
// `-race`. Tests don't need real KDF strength — VerifyPassword reads
// params from the encoded hash, so verifying a cheap-params hash
// works the same way.
const (
testMemoryKiB = 8
testIterations = 1
testParallel = 1
)
// HashPassword returns an argon2id-encoded string of the form
//
// $argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>
//
// safe to store in a TEXT column. The salt is freshly random per call.
func HashPassword(password string) (string, error) {
mem, iter, par := uint32(defaultMemoryKiB), uint32(defaultIterations), uint8(defaultParallel)
if testing.Testing() {
mem, iter, par = testMemoryKiB, testIterations, testParallel
}
salt := make([]byte, defaultSaltLen)
if _, err := rand.Read(salt); err != nil {
return "", fmt.Errorf("auth: read salt: %w", err)
}
hash := argon2.IDKey([]byte(password), salt,
defaultIterations, defaultMemoryKiB, defaultParallel, defaultKeyLen)
iter, mem, par, defaultKeyLen)
return fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
argon2.Version,
defaultMemoryKiB, defaultIterations, defaultParallel,
mem, iter, par,
base64.RawStdEncoding.EncodeToString(salt),
base64.RawStdEncoding.EncodeToString(hash),
), nil