ci: release CI follow-ups: tighter coverage#832

Open
t1mato wants to merge 4 commits into
apache:mainfrom
t1mato:ci/release-ci-followups

Conversation

@t1mato t1mato commented Jul 1, 2026

Contributor

Summary

Implements all remaining sub-items from #747, covering four areas:

Files & Scripts

  • Rename examples/deep-researcher/utils.py to deep_researcher_utils.py to avoid a RAT basename collision with four other ASF-owned utils.py files
  • Thread --skip-signing through cmd_verify so CI can verify artifacts without GPG keys
  • Extend Apache RAT scanning to .whl artifacts in addition to source and sdist tarballs

Smoke Test

  • Replace the hardcoded time.sleep(2) with a polling loop on /api/v0/projects that fails fast if the server exits
  • Launch the server in its own process group and send SIGTERM to the whole group on teardown to prevent orphaned uvicorn processes
  • Add a GET / check to verify the UI is served
  • Add --cleanup/--no-cleanup flag (auto-disabled in GITHUB_ACTIONS so workspaces survive for artifact upload)

CI Coverage Gaps

  • Add a bare-install job that installs the wheel without optional extras and imports core symbols, catching accidental leakage of optional dependencies
  • Add an sdist-wheel-equivalence job that rebuilds the wheel from the sdist tarball and compares file content hashes against the CI-built wheel, catching missing sdist files
  • Pin the Apache RAT JAR download with a SHA256 checksum

Hygiene

  • Add scripts/check_asf_headers.py and wire it as a pre-commit hook that checks Python, YAML, and shell files for the ASF license header, reading .rat-excludes at runtime to stay in sync with RAT automatically
  • Add a weekly cron (Mondays 09:00 UTC) to the release validation workflow to catch dependency drift between releases

Files

  • .rat-excludes, examples/deep-researcher/ — rename and exclusion update
  • scripts/apache_release.py — --skip-signing in cmd_verify
  • scripts/verify_apache_artifacts.py — RAT on wheels, compare-wheels subcommand
  • scripts/ci_smoke_server.py — polling, process group, cleanup flag, GET /
  • scripts/check_asf_headers.py — new ASF header checker
  • .pre-commit-config.yaml — new check-asf-headers hook
  • .github/workflows/release-validation.yml — SHA256 pin, bare-install, sdist-wheel-equivalence, weekly cron
  • tests/test_apache_release.py, tests/test_verify_apache_artifacts.py, tests/test_ci_smoke_server.py, tests/test_check_asf_headers.py — test coverage for all of the above

Test Plan

  • Run pytest tests/test_apache_release.py tests/test_verify_apache_artifacts.py tests/test_ci_smoke_server.py tests/test_check_asf_headers.py — all 54 tests pass
  • Release Validation workflow runs clean on this PR, including the new bare-install and sdist-wheel-equivalence jobs
  • Pre-commit hook fires on a staged Python file missing the ASF header

Closes #747
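The sdist-wheel-equivalence job above compares wheels by per-file content hash instead of byte equality, because zip entries carry an mtime and two builds of identical files never match byte-for-byte. The following is an added example of that technique, not the project's scripts/verify_apache_artifacts.py; the function names, the decision to skip the dist-info RECORD member, and the sample wheels (built inline with zipfile) are this example's own assumptions.

```python
"""Compare two wheels by the SHA-256 of each member rather than raw bytes.

Added example, not the project's verify_apache_artifacts.py. Wheels are zip
archives; every entry stores a modification time, so a rebuild of identical
files differs byte-for-byte. Hashing member contents ignores the timestamps
and reports exactly which file is missing, extra or changed.
"""
import hashlib
import io
import zipfile
from typing import Dict, List

# Assumption for this example: RECORD is regenerated by the wheel builder and
# already lists per-file hashes, so it is skipped rather than compared.
IGNORED_SUFFIXES = (".dist-info/RECORD",)


def wheel_content_hashes(wheel_bytes: bytes) -> Dict[str, str]:
    """Map each file member of a wheel (zip) to the SHA-256 of its content."""
    hashes: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.endswith(IGNORED_SUFFIXES):
                continue
            with zf.open(info) as fh:
                hashes[info.filename] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_wheel_contents(reference: bytes, candidate: bytes) -> Dict[str, List[str]]:
    """Describe `candidate` relative to `reference`: missing, extra and changed members."""
    ref, cand = wheel_content_hashes(reference), wheel_content_hashes(candidate)
    return {
        "missing": sorted(set(ref) - set(cand)),
        "extra": sorted(set(cand) - set(ref)),
        "changed": sorted(n for n in set(ref) & set(cand) if ref[n] != cand[n]),
    }


def build_wheel(members: Dict[str, bytes], date_time) -> bytes:
    """Constructed sample: a minimal wheel-like zip with one fixed mtime on every entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed inputs: the CI-built wheel, the same files rebuilt later from the
# sdist, and a rebuild whose sdist was missing a package data file.
CI_MEMBERS = {
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/data/schema.json": b"{}\n",
    "pkg-1.0.dist-info/RECORD": b"pkg/__init__.py,sha256=...,20\n",
}
ci_wheel = build_wheel(CI_MEMBERS, (2026, 7, 1, 9, 0, 0))
rebuilt_wheel = build_wheel(CI_MEMBERS, (2026, 7, 1, 12, 30, 0))
SDIST_MEMBERS = {k: v for k, v in CI_MEMBERS.items() if k != "pkg/data/schema.json"}
sdist_wheel = build_wheel(SDIST_MEMBERS, (2026, 7, 1, 12, 30, 0))

if __name__ == "__main__":
    print("byte-equal:", ci_wheel == rebuilt_wheel)            # False: timestamps differ
    print("rebuild:", compare_wheel_contents(ci_wheel, rebuilt_wheel))  # nothing reported
    print("sdist:", compare_wheel_contents(ci_wheel, sdist_wheel))      # schema.json missing
```

A practitioner running this sees the two failure modes the PR describes side by side: the rebuilt wheel is not byte-equal to the CI wheel yet has no content differences, while the wheel built from an incomplete sdist is caught with the exact missing path.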

t1mato added 4 commits July 1, 2026 15:13
Rename examples/deep-researcher/utils.py to deep_researcher_utils.py to
avoid basename collision with four other ASF-owned utils.py files that
Apache RAT skips. Update .rat-excludes and the application import accordingly.

Thread --skip-signing through cmd_verify in scripts/apache_release.py so
CI can run full artifact verification without GPG keys present.

Extend Apache RAT scanning to wheel (.whl) artifacts in addition to source
and sdist tarballs, so license header regressions in packaged files are
caught before the release vote.

Closes apache#747 (partial)

Replace fixed time.sleep(2) with a polling loop on /api/v0/projects so
the smoke test waits only as long as necessary and fails fast if the
server process exits unexpectedly.

Launch the server in its own process group (start_new_session=True) and
send SIGTERM to the whole group on teardown so uvicorn child processes
are not orphaned.

Add GET / check to verify the UI is being served by the installed wheel.

Add --cleanup / --no-cleanup flag; defaults to cleanup locally but
preserves the workspace in GITHUB_ACTIONS so artifacts are available
for upload on failure.

Add tests/test_ci_smoke_server.py covering all new testable helpers.

Closes apache#747 (partial)

Add _wheel_content_hashes and _compare_wheel_contents to
verify_apache_artifacts.py to compare wheels by file content hashes
rather than binary equality (zip timestamps make byte-for-byte
comparison unreliable). Add compare-wheels subcommand exposing this
from the CLI.

Add bare-install job: installs the wheel without optional extras and
imports core symbols to catch accidental leakage of optional
dependencies into core code.

Add sdist-wheel-equivalence job: extracts the sdist tarball, rebuilds
the wheel from it (including the npm frontend build), and compares
content hashes against the CI-built wheel to catch files missing from
the sdist.

Pin the Apache RAT JAR download with a SHA256 checksum to guard
against supply-chain tampering.

Closes apache#747 (partial)

Add scripts/check_asf_headers.py: checks that Python, YAML, and shell
files carry the ASF license header. Reads .rat-excludes at runtime so
known third-party files are automatically respected without duplicating
the exclusion list.

Wire the script into .pre-commit-config.yaml as a local hook so missing
headers are caught before a commit lands.

Add weekly cron schedule (Monday 09:00 UTC) to release-validation.yml
so dependency drift against main is detected between releases.

Add tests/test_check_asf_headers.py with 15 tests covering all helper
functions and the main entry point.

Closes apache#747
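The smoke-test commit above replaces a fixed sleep with a readiness poll that fails fast when the server dies, starts the server as its own session leader, and SIGTERMs the whole process group on teardown. The following is an added example of that lifecycle, not the project's scripts/ci_smoke_server.py. The readiness probe is injected as a callable so the example runs without a network-facing server (in the real test it would be an HTTP GET against /api/v0/projects); the function names, the SIGKILL escalation and the two stand-in child processes are this example's assumptions. POSIX only, since it relies on os.killpg.

```python
"""Launch a server in its own process group, poll until ready or fail fast,
and tear the whole group down.

Added example, not the project's ci_smoke_server.py. POSIX only (os.killpg).
"""
import os
import signal
import subprocess
import sys
import time
from typing import Callable, List, Tuple, Union


def launch(argv: List[str]) -> subprocess.Popen:
    """Start the child as the leader of a new session so it and every process it
    forks (uvicorn workers, reloaders) share one process group we can signal."""
    return subprocess.Popen(argv, start_new_session=True)


def wait_until_ready(proc: subprocess.Popen, probe: Callable[[], bool],
                     timeout: float = 30.0, interval: float = 0.05) -> float:
    """Poll `probe` until it reports the server up; return the seconds left.

    Raise RuntimeError the moment the child exits, instead of spending the
    whole timeout probing a dead server, and TimeoutError if it never comes up.
    """
    deadline = time.monotonic() + timeout
    while True:
        rc = proc.poll()
        if rc is not None:
            raise RuntimeError(f"server exited early with status {rc}")
        if probe():
            return deadline - time.monotonic()
        if time.monotonic() >= deadline:
            raise TimeoutError(f"server not ready after {timeout}s")
        time.sleep(interval)


def terminate_group(proc: subprocess.Popen, grace: float = 5.0) -> int:
    """SIGTERM the child's whole process group; escalate to SIGKILL after `grace`.

    Signalling the group rather than proc.pid is what prevents orphaned
    uvicorn children when the parent is killed first.
    """
    pgid = os.getpgid(proc.pid)
    os.killpg(pgid, signal.SIGTERM)
    try:
        return proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        os.killpg(pgid, signal.SIGKILL)  # assumption: hard kill after the grace period
        return proc.wait()


# Constructed stand-ins for the server: one that stays up, one that dies at startup.
LONG_RUNNING = [sys.executable, "-c", "import time; time.sleep(60)"]
CRASHES_AT_STARTUP = [sys.executable, "-c", "import sys; sys.exit(3)"]


def run_smoke(argv: List[str], ready_after: int) -> Tuple[str, Union[int, str]]:
    """Drive one smoke run with a counting probe that reports ready on the
    `ready_after`-th call. Returns ('ready', exit_status) or ('failed', reason)."""
    calls = {"n": 0}

    def probe() -> bool:
        calls["n"] += 1
        return calls["n"] >= ready_after

    proc = launch(argv)
    try:
        wait_until_ready(proc, probe, timeout=10.0)
    except RuntimeError as exc:
        return "failed", str(exc)
    return "ready", terminate_group(proc)


if __name__ == "__main__":
    print(run_smoke(LONG_RUNNING, ready_after=3))             # ('ready', -15)
    print(run_smoke(CRASHES_AT_STARTUP, ready_after=10**9))   # ('failed', '... status 3')
```

The negative exit status returned for the long-running child is the signal number that killed it (SIGTERM is 15), which is a cheap assertion that teardown actually reached the process rather than leaving it for the CI runner to orphan.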
@github-actions github-actions Bot added area/ci Workflows, build, release scripts area/examples Relates to /examples labels Jul 1, 2026
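The hygiene commit wires a header checker into pre-commit that reads .rat-excludes at run time so the hook and Apache RAT agree on which third-party files are exempt. The following is an added example of that check, not the project's scripts/check_asf_headers.py. The function names, the 2 KiB header window, the glob matching of each .rat-excludes line against both the repo-relative path and the basename, the skipping of `#` comment lines in .rat-excludes, and the constructed fixture repository are this example's assumptions.

```python
"""Check Python, YAML and shell files for the ASF license header, honouring
.rat-excludes so the pre-commit hook and Apache RAT never disagree.

Added example, not the project's check_asf_headers.py.
"""
import fnmatch
import tempfile
from pathlib import Path
from typing import Iterable, List

CHECKED_SUFFIXES = {".py", ".yml", ".yaml", ".sh"}
# First sentence of the standard ASF source header.
ASF_SENTINEL = "Licensed to the Apache Software Foundation (ASF)"
# Assumption: the header must appear within the first 2 KiB (after any shebang
# or encoding line), not anywhere in the file.
HEADER_WINDOW_BYTES = 2048


def load_excludes(repo: Path) -> List[str]:
    """Read .rat-excludes once per run; blank lines and '#' comments are skipped
    (comment handling is this example's convention)."""
    path = repo / ".rat-excludes"
    if not path.exists():
        return []
    return [ln.strip() for ln in path.read_text().splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def is_excluded(rel_path: str, patterns: Iterable[str]) -> bool:
    """Glob each pattern against the repo-relative path and against the basename,
    so both 'vendor/*' and 'utils.py' style entries behave as expected."""
    name = Path(rel_path).name
    return any(fnmatch.fnmatch(rel_path, p) or fnmatch.fnmatch(name, p) for p in patterns)


def has_asf_header(path: Path) -> bool:
    with path.open("rb") as fh:
        head = fh.read(HEADER_WINDOW_BYTES)
    return ASF_SENTINEL.encode() in head


def find_missing_headers(repo: Path) -> List[str]:
    """Return sorted repo-relative paths of checked files that lack the header."""
    patterns = load_excludes(repo)
    missing: List[str] = []
    for path in sorted(repo.rglob("*")):
        if not path.is_file() or path.suffix not in CHECKED_SUFFIXES:
            continue
        rel_parts = path.relative_to(repo).parts
        rel = "/".join(rel_parts)
        if ".git" in rel_parts or is_excluded(rel, patterns):
            continue
        if not has_asf_header(path):
            missing.append(rel)
    return missing


HEADER = ("# " + ASF_SENTINEL + " under one or more\n"
          "# contributor license agreements.  See the NOTICE file\n")


def make_fixture(root: Path) -> Path:
    """Constructed repository: a compliant file behind a shebang, two files without
    the header, a vendored file exempted via .rat-excludes, and an unchecked README."""
    (root / "src").mkdir(parents=True)
    (root / "vendor").mkdir()
    (root / "src" / "ok.py").write_text("#!/usr/bin/env python3\n" + HEADER + "print('hi')\n")
    (root / "src" / "bad.py").write_text("print('no header')\n")
    (root / "src" / "config.yaml").write_text("key: value\n")
    (root / "vendor" / "third_party.py").write_text("# MIT licensed upstream code\n")
    (root / "README.md").write_text("not a checked suffix\n")
    (root / ".rat-excludes").write_text("# patterns RAT and this hook both skip\nvendor/*\nREADME.md\n")
    return root


def demo_missing() -> List[str]:
    """Build the fixture in a temp dir and report which files fail the check."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_missing_headers(make_fixture(Path(tmp)))


if __name__ == "__main__":
    for rel in demo_missing():
        print(f"missing ASF header: {rel}")
```

Returning a non-empty list (and exiting non-zero in the real hook) on the two unheadered files, while staying silent on the vendored file, is the behaviour a pre-commit hook needs; reading the exclusion list from .rat-excludes rather than a second hard-coded list is what keeps it from drifting away from what RAT enforces at release time.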