Skip to content

chore: retire the legacy examples/ directory#6334

Draft
desimone wants to merge 2 commits into
mainfrom
chore/remove-stale-examples
Draft

chore: retire the legacy examples/ directory#6334
desimone wants to merge 2 commits into
mainfrom
chore/remove-stale-examples

Conversation

@desimone

@desimone desimone commented May 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Remove the stale example content from the root examples/ directory and leave an examples/README.md stub pointing readers to pomerium/documentation/content/examples/. Most of these examples hadn't been maintained since 2020-2022 and either duplicated content already in the docs repo, referenced removed features such as forward-auth, used deprecated tooling, or depended on dev-tag images. The one example still worth preserving, mutual-tls/, was migrated in pomerium/documentation#2193, so this PR depends on that landing first.

The PR also removes the remaining root examples/ references in go.mod, .golangci.yml, .pre-commit-config.yaml, and the Makefile cover: target. Tag-pinned links (tree/v0.30.0/examples/...) keep working, and links to main/examples/... land on the redirect stub instead of a hard 404.

Related issues

Depends on pomerium/documentation#2193. PR is draft until that merges.

User Explanation

Code that used to live at github.com/pomerium/pomerium/tree/main/examples/... now lives at github.com/pomerium/documentation/tree/main/content/examples/.... The redirect stub gives anyone landing on the old URL a pointer to the new home.

Checklist

  • reference any related issues
  • updated unit tests — n/a, no source code touched
  • add appropriate label (chore)
  • ready for review — currently draft

AI assistance

Drafted and reviewed with Claude and codex; verified the diff and ran make build, make test, make lint, and make cover locally.

desimone added 2 commits May 9, 2026 19:30
@desimone
chore: remove the legacy examples directory
adcfb8f 
The examples/ directory at the root of pomerium/pomerium has been silently
drifting for years: most subdirectories haven't been touched since 2020-2022,
several were duplicated in (and superseded by) the documentation site's own
content/examples/ tree, and a few of the configs were outright broken
(example-config base64 keys long since rotated, helm scripts using helm
del --purge, kubernetes manifests pinned to pomerium:main).

The one subdirectory worth keeping (mutual-tls) was migrated to
pomerium/documentation in PR #2193 along with the three docs links that
referenced this directory. After both PRs land, no part of our workspace
links to the legacy examples directory; one external third-party link
(sighupio/module-auth) is acceptable as out-of-scope.

Cleanup of stale maintenance exceptions left behind:

- go.mod: drop ./examples from the ignore (...) block.
- .golangci.yml (3 sites): drop ^examples/ from a path-alternation regex
  and remove the two examples$ entries from the linter and formatter
  exclusion lists.
- .pre-commit-config.yaml: drop examples/.* from the end-of-file-fixer
  exclusion alternation and remove the standalone check-yaml exclude.
  Verified the entire YAML tree parses cleanly afterwards (zero offenders
  in integration/tpl/files/, config/testdata/, or anywhere else), so the
  hook does not need a replacement scoped exclusion.
- Makefile: remove the now-dead `sed -i.bak '/\/examples\/:/d' coverage.txt`
  line in the cover target.

Verified: make build, make test, make lint, make cover all clean. yamlcheck
across the full tree clean. git diff --check clean. Cross-repo grep across
documentation, pomerium, pomerium-zero, pomerium-console, cli,
ingress-controller in active branches returns zero hits for
github.com/pomerium/pomerium/.../examples.
@desimone
examples: leave a redirect stub README
aee6e9c 
External tutorials, blog posts, and third-party catalog entries that link to
github.com/pomerium/pomerium/tree/main/examples/* will 404 once the rest of
this directory is retired. Leaving a single README at examples/README.md
points anyone who lands here at the new home in the documentation repo,
avoiding a hard 404 for soft third-party traffic.

Per reviewer feedback on the parent commit. Tagged-version links
(tree/v0.30.0/examples/...) keep working — only main/master ones break.
@github-actions

github-actions Bot commented May 10, 2026

Copy link
Copy Markdown

✅ Acceptance Test Summary

Result Count
✅ Passed 68
❌ Failed 0
⊘ Skipped 0
⏱️ Duration 61.3s

Feature Coverage

Category Tests Status Features
Authentication 19 OIDC Auth Code Flow, Session Cookies, Scope Negotiation, Sign Out, HMAC-Signed URLs, Session Termination
Authorization 28 Email Domain Policy, Group Claims, AND/OR Logic, Claim Matching, Deny Rules, Policy Precedence
Headers 21 Cookie Security Flags, HttpOnly, SameSite, CORS Preflight, Cross-Origin Requests, X-Forwarded-Host

⏱️ Slowest Tests

  1. authn/token-refresh.spec.ts › Token Refresh › should maintain access after token expiry through refresh (22.4s)
  2. authn/token-refresh.spec.ts › Token Refresh › should preserve session cookie after refresh (21.8s)
  3. authn/pkce.spec.ts › PKCE › multiple PKCE cookies can coexist (2.7s)
📋 All Tests by Category

Authentication (19)

  • ✅ should reject callback with missing state parameter (859ms)
  • ✅ should reject callback with empty state parameter (834ms)
  • ✅ should validate CSRF cookie matches state (1.5s)
  • ✅ should reject callback without CSRF cookie (1.4s)
  • ✅ should redirect unauthenticated user to Keycloak login (1.6s)
  • ✅ should complete login flow and set session cookie (1.8s)
  • ✅ should preserve target URL after login redirect (1.6s)
  • ✅ should request correct OIDC scopes (864ms)
  • ✅ should clear session cookie on logout (1.9s)
  • ✅ should require authentication after logout (2.4s)
  • ✅ unsigned sign_out redirects to authenticate service (1.5s)
  • ✅ sign_out flow clears session via confirmation page (2.1s)
  • ✅ login should set PKCE query parameters (717ms)
  • ✅ login should fail with missing PKCE cookie (1.3s)
  • ✅ login should fail with tampered PKCE cookie (1.3s)
  • ✅ login should fail with replayed PKCE cookie (2.5s)
  • ✅ multiple PKCE cookies can coexist (2.7s)
  • ✅ should maintain access after token expiry through refresh (22.4s)
  • ✅ should preserve session cookie after refresh (21.8s)

Authorization (28)

  • ✅ should allow access for user with matching email domain (1.1s)
  • ✅ should deny access for user with non-matching email domain (1.3s)
  • ✅ should enforce domain policy independent of groups (1.3s)
  • ✅ should deny explicitly denied user (1.3s)
  • ✅ deny rule should take precedence over allow (1.4s)
  • ✅ should allow user with matching group (1.1s)
  • ✅ should deny user without matching group (1.3s)
  • ✅ should allow user with both group AND claim (1.1s)
  • ✅ should deny user with group but missing claim (1.3s)
  • ✅ should enforce multiple groups requirement (1.1s)
  • ✅ user in wrong group should not reach upstream (1.3s)
  • ✅ should accept valid client certificate signed by root CA (692ms)
  • ✅ should accept certificate signed by intermediate CA (639ms)
  • ✅ should reject certificate from untrusted CA (561ms)
  • ✅ should reject request without client certificate (479ms)
  • ✅ should allow access without certificate on non-mTLS domain (1.0s)
  • ✅ public endpoints should be accessible without authentication (186ms)
  • ✅ programmatic login endpoint should be accessible (175ms)
  • ✅ protected internal endpoints should require authentication (174ms)
  • ✅ protected endpoints should not be reachable via traversal variants (202ms)
  • ✅ route traversal under /.pomerium should not bypass auth (187ms)
  • ✅ protected internal endpoints should succeed after authentication (1.4s)
  • ✅ public endpoints should remain accessible after authentication (1.6s)
  • ✅ session pages should not expose user data when unauthenticated (273ms)
  • ✅ session pages should expose session data after authentication (1.1s)
  • ✅ JWT endpoint should not bypass authentication when disabled (1.1s)
  • ✅ sign_out should redirect to signed authenticate endpoint (178ms)
  • ✅ webauthn endpoint should reject unsigned requests even when authenticated (991ms)

Headers (21)

  • ✅ session cookie should have all required security properties (1.1s)
  • ✅ CSRF cookie should have required security properties (1.1s)
  • ✅ should set fresh cookies on new login (1.8s)
  • ✅ should pass OPTIONS preflight with cors_allow_preflight enabled (182ms)
  • ✅ should not allow unauthenticated access even when preflight is enabled (210ms)
  • ✅ should redirect OPTIONS without cors_allow_preflight (186ms)
  • ✅ should allow actual cross-origin GET after preflight (214ms)
  • ✅ should allow cross-origin POST with cors_allow_preflight (198ms)
  • ✅ should block cross-origin request without cors_allow_preflight (193ms)
  • ✅ should append x-forwarded-host when host rewrite is active (1.1s)
  • ✅ should append x-forwarded-host when default auto host rewrite is active (1.0s)
  • ✅ should preserve the original host when preserve_host_header is enabled (1.0s)
  • ✅ should allow removing x-forwarded-host after host rewrite (973ms)
  • ✅ claim headers should be passed to upstream (1.0s)
  • ✅ JWT claims should be accessible via /.pomerium/user endpoint (1.1s)
  • ✅ identity claims should match claim headers (1.1s)
  • ✅ should upgrade authenticated connection to WebSocket (1.5s)
  • ✅ should send and receive WebSocket messages (1.0s)
  • ✅ should reject WebSocket connection for unauthenticated user (183ms)
  • ✅ should work with preserve_host_header option (1.7s)
  • ✅ should handle binary WebSocket messages (1.2s)

@coveralls

coveralls commented May 10, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 25617805785

Coverage decreased (-0.01%) to 45.424%

Details

  • Coverage decreased (-0.01%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 25 coverage regressions across 8 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

25 previously-covered lines in 8 files lost coverage.

File Lines Losing Coverage Coverage
pkg/storage/postgres/backend.go 10 75.73%
pkg/storage/postgres/postgres.go 4 88.08%
internal/databroker/server_clustered_follower.go 2 48.3%
internal/fileutil/watcher.go 2 92.78%
pkg/fanout/fanout.go 2 89.19%
pkg/fanout/receive.go 2 90.91%
pkg/grpc/databroker/syncer.go 2 85.67%
pkg/ssh/manager.go 1 80.13%

Coverage Stats

Coverage Status
Relevant Lines: 78425
Covered Lines: 35624
Line Coverage: 45.42%
Coverage Strength: 113.94 hits per line
💛 - Coveralls

@desimone desimone mentioned this pull request May 10, 2026
Draft
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@desimone @coveralls