ScriptSmith · ScriptSmith · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -427,9 +427,33 @@ jobs:
       - name: Install uv
         uses: astral-sh/setup-uv@v4
 
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo registry & target
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install build deps for samael
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libxml2-dev libxslt1-dev libxmlsec1-dev pkg-config libssl-dev
+
+      - name: Regenerate Hadrian OpenAPI spec
+        run: cargo run --release -- openapi --output openapi/hadrian.openapi.json
+
+      - name: Verify checked-in spec matches generated
+        run: |
+          if ! git diff --exit-code -- openapi/hadrian.openapi.json; then
+            echo "::error::openapi/hadrian.openapi.json is out of date. Run ./scripts/generate-openapi.sh and commit the result." >&2
+            exit 1
+          fi
+
       - name: Fetch reference specs
         run: ./scripts/fetch-openapi-specs.sh openai
 
+      - name: Test conformance script
+        run: ./scripts/test_openapi_conformance.py
+
       - name: Run conformance check
         run: ./scripts/openapi-conformance.py
 

diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
@@ -311,6 +311,17 @@ jobs:
           cluster_name: helm-test
           wait: 120s
 
+      # `helm/kind-action`'s `wait` only waits for the control plane to be
+      # Ready. CoreDNS / kube-proxy can still be coming up at that point, and
+      # kicking off `helm install` against a half-warm API server has shown up
+      # as `client rate limiter Wait returned an error: context deadline
+      # exceeded` — helm's discovery calls saturate client-go's QPS budget
+      # while the apiserver is sluggish, then time out.
+      - name: Wait for cluster system pods
+        run: |
+          kubectl wait --for=condition=Ready pods --all -n kube-system --timeout=180s
+          kubectl get pods -A
+
       - name: Add Bitnami repo
         run: helm repo add bitnami https://charts.bitnami.com/bitnami
 
@@ -368,10 +379,15 @@ jobs:
 
       - name: Install chart
         run: |
+          # `--burst-limit` raises client-go's burst from the default 100; the
+          # kind apiserver in CI is slow enough that helm's discovery + readiness
+          # polling can otherwise hit the limiter and fail with
+          # `client rate limiter Wait returned an error: context deadline exceeded`.
           helm install hadrian helm/hadrian \
             -f /tmp/kind-test-values.yaml \
             --wait \
-            --timeout 5m
+            --timeout 5m \
+            --burst-limit 300
 
       - name: Check deployment status
         run: |

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -282,6 +282,7 @@ rust_decimal = { version = "1.40.0", features = ["macros"] }
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0.145"
 sha2 = "0.10"
+hmac = "0.12"
 subtle = "2.6.1"
 thiserror = "2.0.17"
 tokio = { version = "1.48.0", features = [
@@ -356,7 +357,7 @@ metrics-exporter-prometheus = { version = "0.16", optional = true }
 open = { version = "5.3.3", optional = true }
 openssl = { version = "0.10", optional = true }
 opentelemetry = { version = "0.31", optional = true }
-opentelemetry-otlp = { version = "0.31", features = ["trace", "logs", "grpc-tonic", "http-proto"], optional = true }
+opentelemetry-otlp = { version = "0.31", features = ["trace", "logs", "grpc-tonic", "gzip-tonic", "http-proto"], optional = true }
 opentelemetry-semantic-conventions = { version = "0.31", optional = true }
 opentelemetry_sdk = { version = "0.31", features = ["rt-tokio", "logs"], optional = true }
 redis = { version = "0.32.7", features = ["aio", "tokio-comp", "cluster-async"], optional = true }