ci: release CI follow-ups: tighter coverage #832
Open
t1mato wants to merge 4 commits into
Rename examples/deep-researcher/utils.py to deep_researcher_utils.py to avoid basename collision with four other ASF-owned utils.py files that Apache RAT skips. Update .rat-excludes and the application import accordingly. Thread --skip-signing through cmd_verify in scripts/apache_release.py so CI can run full artifact verification without GPG keys present. Extend Apache RAT scanning to wheel (.whl) artifacts in addition to source and sdist tarballs, so license header regressions in packaged files are caught before the release vote. Closes apache#747 (partial)
Replace fixed time.sleep(2) with a polling loop on /api/v0/projects so the smoke test waits only as long as necessary and fails fast if the server process exits unexpectedly. Launch the server in its own process group (start_new_session=True) and send SIGTERM to the whole group on teardown so uvicorn child processes are not orphaned. Add GET / check to verify the UI is being served by the installed wheel. Add --cleanup / --no-cleanup flag; defaults to cleanup locally but preserves the workspace in GITHUB_ACTIONS so artifacts are available for upload on failure. Add tests/test_ci_smoke_server.py covering all new testable helpers. Closes apache#747 (partial)
Add _wheel_content_hashes and _compare_wheel_contents to verify_apache_artifacts.py to compare wheels by file content hashes rather than binary equality (zip timestamps make byte-for-byte comparison unreliable). Add compare-wheels subcommand exposing this from the CLI. Add bare-install job: installs the wheel without optional extras and imports core symbols to catch accidental leakage of optional dependencies into core code. Add sdist-wheel-equivalence job: extracts the sdist tarball, rebuilds the wheel from it (including the npm frontend build), and compares content hashes against the CI-built wheel to catch files missing from the sdist. Pin the Apache RAT JAR download with a SHA256 checksum to guard against supply-chain tampering. Closes apache#747 (partial)
Add scripts/check_asf_headers.py: checks that Python, YAML, and shell files carry the ASF license header. Reads .rat-excludes at runtime so known third-party files are automatically respected without duplicating the exclusion list. Wire the script into .pre-commit-config.yaml as a local hook so missing headers are caught before a commit lands. Add weekly cron schedule (Monday 09:00 UTC) to release-validation.yml so dependency drift against main is detected between releases. Add tests/test_check_asf_headers.py with 15 tests covering all helper functions and the main entry point. Closes apache#747
Summary
Implements all remaining sub-items from #747, covering four areas:
Files & Scripts
* examples/deep-researcher/utils.py to deep_researcher_utils.py to avoid a RAT basename collision with four other ASF-owned utils.py files
* --skip-signing through cmd_verify so CI can verify artifacts without GPG keys
* .whl artifacts in addition to source and sdist tarballs

Smoke Test
* time.sleep(2) with a polling loop on /api/v0/projects that fails fast if the server exits
* GET / check to verify the UI is served
* --cleanup / --no-cleanup flag (auto-disabled in GITHUB_ACTIONS so workspaces survive for artifact upload)

CI Coverage Gaps
* bare-install job that installs the wheel without optional extras and imports core symbols, catching accidental leakage of optional dependencies
* sdist-wheel-equivalence job that rebuilds the wheel from the sdist tarball and compares file content hashes against the CI-built wheel, catching missing sdist files

Hygiene
* scripts/check_asf_headers.py and wire it as a pre-commit hook that checks Python, YAML, and shell files for the ASF license header, reading .rat-excludes at runtime to stay in sync with RAT automatically

Files
* .rat-excludes, examples/deep-researcher/ — rename and exclusion update
* scripts/apache_release.py — --skip-signing in cmd_verify
* scripts/verify_apache_artifacts.py — RAT on wheels, compare-wheels subcommand
* scripts/ci_smoke_server.py — polling, process group, cleanup flag, GET /
* scripts/check_asf_headers.py — new ASF header checker
* .pre-commit-config.yaml — new check-asf-headers hook
* .github/workflows/release-validation.yml — SHA256 pin, bare-install, sdist-wheel-equivalence, weekly cron
* tests/test_apache_release.py, tests/test_verify_apache_artifacts.py, tests/test_ci_smoke_server.py, tests/test_check_asf_headers.py — test coverage for all of the above

Test Plan
* pytest tests/test_apache_release.py tests/test_verify_apache_artifacts.py tests/test_ci_smoke_server.py tests/test_check_asf_headers.py — all 54 tests pass
* bare-install and sdist-wheel-equivalence jobs

Closes #747
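The content-hash wheel comparison described in the commits above, sketched as an added example that is not the PR's own code: it shows why two wheels with identical files can differ byte-for-byte (zip member timestamps) and how per-file SHA-256 hashes still detect a missing or altered file. The function names `member_hashes`, `compare_wheels`, `build_wheel` and `demo` are hypothetical, and the sample wheels are constructed in memory.

```python
from __future__ import annotations

import hashlib
import io
import zipfile


def member_hashes(wheel_bytes: bytes) -> dict[str, str]:
    """Map each file in a wheel (a zip archive) to the SHA-256 of its content."""
    hashes: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                # Hash the uncompressed bytes, so timestamps, compression
                # level and member order in the archive do not matter.
                hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def compare_wheels(a: bytes, b: bytes) -> dict[str, list[str]]:
    """Report files present in only one wheel and files whose content differs."""
    ha, hb = member_hashes(a), member_hashes(b)
    return {
        "only_in_a": sorted(ha.keys() - hb.keys()),
        "only_in_b": sorted(hb.keys() - ha.keys()),
        "changed": sorted(n for n in ha.keys() & hb.keys() if ha[n] != hb[n]),
    }


def build_wheel(files: dict[str, bytes], date_time: tuple) -> bytes:
    """Constructed sample input: an in-memory zip with a fixed member timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


def demo():
    files = {"pkg/__init__.py": b"x = 1\n", "pkg/static/index.html": b"<html></html>"}
    ci_built = build_wheel(files, (2024, 1, 1, 0, 0, 0))
    rebuilt = build_wheel(files, (2024, 6, 1, 12, 0, 0))  # same files, later build
    # A rebuild that dropped the frontend asset and altered a module.
    bad = build_wheel({"pkg/__init__.py": b"x = 2\n"}, (2024, 6, 1, 12, 0, 0))
    return ci_built != rebuilt, compare_wheels(ci_built, rebuilt), compare_wheels(ci_built, bad)
```
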