feat(ci): Enable pq/t service run action option#3573
Adds `pqc-enabled` boolean parameter to `start-up-with-containers` and `start-additional-kas` actions, which when set to true will enable the post-quantum and hybrid PQ/T wrapping option for TDFs in the KAS service.
Summary of Changes (Gemini Code Assist)
This pull request introduces the ability to enable post-quantum and hybrid PQ/T wrapping for TDFs within the KAS service. By adding a configurable input parameter to existing CI actions, it allows for easier testing and deployment of these cryptographic features in containerized environments.
Walkthrough (CodeRabbit)
This PR adds post-quantum cryptography (PQC) support to two GitHub Actions that configure KAS test instances. Both actions introduce a new
Changes
Post-quantum cryptography support in KAS startup actions
Code Review
This pull request introduces a new pqc-enabled input to enable post-quantum and hybrid PQ/T wrapping for TDFs in both test/start-additional-kas/action.yaml and test/start-up-with-containers/action.yaml. Feedback on the changes highlights an issue where using env(PQC_ENABLED) in yq writes a string value instead of a boolean to the YAML configuration, and suggests using a boolean comparison to ensure correct type mapping.
Benchmark results (collapsed; sections: authorization.GetDecisions, authorization.v2.GetMultiResourceDecision, Benchmark Statistics, Bulk Benchmark Results, TDF3 Benchmark Results).
Pull request overview
This PR extends the composite CI actions used to start the platform/KAS in tests by introducing a new pqc-enabled input to enable post-quantum / hybrid PQ/T wrapping behavior in KAS.
Changes:
- Add `pqc-enabled` input to `test/start-up-with-containers` and wire it to KAS config.
- Add `pqc-enabled` input to `test/start-additional-kas` and wire it to generated KAS config.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/start-up-with-containers/action.yaml | Adds pqc-enabled input and a step intended to enable hybrid PQ/T wrapping in the main KAS config. |
| test/start-additional-kas/action.yaml | Adds pqc-enabled input and passes it into the additional KAS config generation. |
Expand input validation in start-additional-kas and start-up-with-containers to cover every parameter, not just a subset. Unvalidated inputs were passed directly into yq expressions and shell filenames, creating YAML-injection and command-injection risk and producing confusing late failures.
- start-additional-kas: adds kas-port (numeric 1-65535), ec-tdf-enabled, pqc-enabled, and key-management boolean guards before the existing checks
- start-up-with-containers: renames step to "Validate inputs", adds platform-ref (safe-char regex), extra-keys (jq type check), ec-tdf-enabled, pqc-enabled, and provision-policy-fixtures boolean guards

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
- start-up-with-containers: move Validate inputs to first step so invalid inputs are caught before checkout and yq mutations consume them
- start-up-with-containers: fix YAML structural bug where the PQC config block was injected as duplicate keys inside the Enable ECC wrapping step (YAML last-key-wins silently discarded the ECC if-condition and run block, so ECC wrapping never applied); promote it to a proper step and fix the ECC if-condition from bare value to == 'true'
- start-additional-kas: write ec_tdf_enabled as a boolean in yq ((env(EC_TDF_ENABLED) == "true")) consistent with hybrid_tdf_enabled

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
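The guards listed in the two commit messages above (true/false flags, the 1-65535 kas-port range, a safe-character platform-ref) and the `env(X) == "true"` conversion the reviewers asked for, written out as an added POSIX shell example that is not the repository's action.yaml code; the safe-ref character set, the argument order and the config path used in the sample run are assumptions.

```sh
# Added example, not the project's action.yaml code: input guards of the kind the
# "Validate inputs" step applies before values reach yq expressions or filenames.
# The safe-ref character set and the argument order are assumptions.

# GitHub passes every input as a string: accept only the literal true/false.
is_bool() {
  case "$1" in
    true|false) return 0 ;;
    *) return 1 ;;
  esac
}

# Digits only and within 1-65535, so "8080;..." or "-p" never reaches a shell line.
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A ref used in filenames/yq expressions: alphanumeric first, then a small safe set
# (character set assumed), so values starting with "-" or containing ";" are rejected.
is_safe_ref() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._/-]{0,199}$'
}

# Check every input up front and report all problems, not just the first one.
# Usage: validate_inputs PQC_ENABLED EC_TDF_ENABLED KAS_PORT PLATFORM_REF
validate_inputs() {
  rc=0
  is_bool "$1"     || { echo "pqc-enabled must be true/false, got: $1" >&2; rc=1; }
  is_bool "$2"     || { echo "ec-tdf-enabled must be true/false, got: $2" >&2; rc=1; }
  is_port "$3"     || { echo "kas-port must be an integer 1-65535, got: $3" >&2; rc=1; }
  is_safe_ref "$4" || { echo "platform-ref contains unsafe characters: $4" >&2; rc=1; }
  return "$rc"
}

# yq expression that stores a YAML boolean. `.x = env(V)` copies the string "true";
# comparing against "true" yields a real boolean, as the reviewers suggested.
yq_bool_assignment() {
  printf '%s = (env(%s) == "true")' "$1" "$2"
}

# Sample run with constructed inputs (the config path is an assumed placeholder).
validate_inputs true false 8080 main && echo "inputs ok"
yq_bool_assignment .kas.preview.hybrid_tdf_enabled PQC_ENABLED; echo
```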
Actionable comments posted: 1
Inline comments:
In `@test/start-additional-kas/action.yaml`:
- Line 157: The key_management value in the action YAML is being set from env(KEY_MANAGEMENT) as a string; change it to the same boolean conversion used for other flags (compare env(KEY_MANAGEMENT) == "true") so the generated YAML emits a true/false boolean for the KASConfig.Preview.key_management field (referenced by KASConfig.Preview in service/kas/access/provider.go) to keep types consistent.
Summary by CodeRabbit
New Features
- `pqc-enabled` input option (default: `false`).