Skip to content

ci: goldens-drift job — validator goldens vs data-ingestors @ pin (cli#287)#308

Merged
saadqbal merged 2 commits into
developfrom
ci/287-goldens-drift
Jul 14, 2026
Merged

ci: goldens-drift job — validator goldens vs data-ingestors @ pin (cli#287)#308
saadqbal merged 2 commits into
developfrom
ci/287-goldens-drift

Conversation

@LukasWodka

@LukasWodka LukasWodka commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fixes #287. Part of epic tracebloc/backend#1106 (WS-C.2).

What

New dedicated workflow .github/workflows/goldens-drift.yml (nothing appended to build.yml): checks out tracebloc/data-ingestors at the pinned ref from scripts/.data-ingestors-ref, installs the ingestor's runtime deps, and runs scripts/sync-validator-goldens.sh --check. A PR whose committed internal/push/testdata/parity/goldens.json has drifted from the REAL validators at the pin now fails CI — closing the wired-into-no-CI hole (the goldens were previously regenerated only by hand).

Triggers: PRs touching internal/push/**, scripts/.data-ingestors-ref, the sync script/generator, or the workflow itself; weekly cron (Mon 05:30 UTC); workflow_dispatch.

Cross-repo access — reality differs from the ticket

The ticket assumes data-ingestors is private and asks to reuse the #62 secret. Two findings:

  1. PR ci: cross-repo fresh-shell PATH-persistence guard for install.sh #62 uses no secret — its cross-repo checkout (tracebloc/client) rides the default github.token.
  2. data-ingestors is currently PUBLIC (gh repo view tracebloc/data-ingestorsPUBLIC), so the default token suffices here too. (It's also why the unauthenticated raw.githubusercontent.com curl in sync-schema.sh works at all.)

So the job runs out of the box with no new secret required today. To stay robust against a future privatization, the workflow:

  • prefers secrets.CROSS_REPO_READ_TOKEN when present (token: ${{ secrets.CROSS_REPO_READ_TOKEN || github.token }}), and
  • probes readability first (git ls-remote) and skips with a loud warning — never hard-fails — when the repo is unreachable with the available tokens, naming the exact secret to create.

@LukasWodka (admin): nothing to create now. If/when data-ingestors goes private, create org secret CROSS_REPO_READ_TOKEN (fine-grained PAT, contents:read on tracebloc/data-ingestors) and the job picks it up unchanged. Deviation from the ticket's skip-when-secret-absent wording: skipping whenever the secret is absent would mean the job never runs today (the secret doesn't exist and isn't needed), so the guard keys on actual repo reachability instead.

Deviation: pip install pandas pillow is not enough

The ticket's dep list fails at import time — the generator's chain (validators_mapping → ingestors) also needs sqlalchemy, tenacity, ijson, tqdm, requests… (verified in a clean venv: pandas+pillow alone → ModuleNotFoundError: sqlalchemy). The job installs -r data-ingestors/requirements.txt instead — all light pure-python wheels, and future-proof against upstream dep changes.

Verification (what actually ran locally)

  • The workflow's exact recipe end-to-end: fresh venv + pip install -r requirements.txt (from a data-ingestors checkout at the pin 8f89aec) + scripts/sync-validator-goldens.sh --checkvalidator goldens in sync.
  • Also green on a second environment (pandas 2.3.3/py3.9 vs pandas 3.x pins) — verdicts are stable across pandas versions for the current corpus.
  • actionlint clean; YAML parses.
  • Update after opening: the job also ran in real Actions on this very PR (its own workflow path is in the trigger filter) — passed in 21s, including the probe, cross-repo checkout @ pin, dep install, and --check.

Note: this PR's own diff doesn't touch internal/push/**, so the new job won't self-trigger here beyond its own workflow path filter.

🤖 Generated with Claude Code


Note

Low Risk
CI-only change with no runtime or application code; cross-repo access is read-only with graceful skip when the upstream repo is unreachable.

Overview
Adds .github/workflows/goldens-drift.yml, a standalone job that closes the gap where internal/push/testdata/parity/goldens.json could go stale while CI stayed green.

On each run it reads the pin from scripts/.data-ingestors-ref, probes whether tracebloc/data-ingestors is reachable (PAT with fallback to the default token; skip with a warning only if both fail), checks out that repo at the pin, installs data-ingestors/requirements.txt, and runs scripts/sync-validator-goldens.sh --check.

Triggers: PRs touching internal/push/**, the pin, sync/generator scripts, or this workflow; weekly Monday cron; workflow_dispatch. Uses read-only contents permission and PR-scoped concurrency cancel.

Reviewed by Cursor Bugbot for commit e190f21. Bugbot is set up for automated code reviews on this repo. Configure here.

…i#287)

New dedicated workflow (goldens-drift.yml): checks out
tracebloc/data-ingestors at the pinned ref (scripts/.data-ingestors-ref),
installs its runtime requirements, and runs
scripts/sync-validator-goldens.sh --check — failing any PR whose committed
parity goldens have drifted from the REAL validators at the pin. Closes
the wired-into-no-CI hole: until now the goldens were only regenerated by
hand, so a corpus/generator/pin change could land with stale goldens and
CI stayed green.

Triggers: PRs touching internal/push/**, the pin, or the sync harness;
weekly Monday cron as a backstop; manual dispatch.

Cross-repo access: data-ingestors is currently PUBLIC (verified via gh),
so the default workflow token suffices — the cli#62 precedent
(install-path-persist.yml) also checks out a sibling repo with no secret.
The job still prefers an org secret CROSS_REPO_READ_TOKEN when present and
skips-with-warning (never hard-fails) if the repo becomes unreadable, so a
future privatization flips to 'create the secret' instead of redding every
open PR.

Deps: pip install -r data-ingestors/requirements.txt, not just
pandas+pillow — the generator's import chain also needs sqlalchemy,
tenacity, ijson et al (verified in a clean venv; pandas+pillow alone fails
on import). requirements.txt is all light pure-python wheels.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@LukasWodka
LukasWodka requested a review from saadqbal July 14, 2026 12:30
@LukasWodka

Copy link
Copy Markdown
Contributor Author

👋 Heads-up — Code review queue is at 48 / 30

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

  • averaging-service#181 — feat(weights): normalize-on-read — mixed cycles average instead of rejecting (SEC-03 §8 step 2) · author: @shujaatTracebloc · no reviewer assigned
  • averaging-service#182 — feat(weights): averaging writes SafeTensors (TF + PyTorch) — SEC-03 §8 step 4 · author: @shujaatTracebloc · no reviewer assigned
  • backend#1079 — feat(global_meta): edge dataset_meta exposure + attributes contract at ingest (#924 G4a) · author: @divyasinghds · no reviewer assigned
  • backend#1086 — docs(rfc): SafeTensors weight-format migration — SEC-03 Phase 1 (RFC 0004) · author: @shujaatTracebloc · no reviewer assigned
  • backend#1093 — chore(deps): bump django from 5.2.14 to 5.2.15 · author: @dependabot · no reviewer assigned
  • backend#1095 — feat(experiment): configurable preprocessing knobs incl. tabular scaler — RFC 0003 L1 + L1b (#1094) · author: @LukasWodka · no reviewer assigned
  • backend#1100 — fix(boot): pin SDK install to tracebloc==0.11.2, drop 404 dev line (#1098) · author: @LukasWodka · reviewer: @saqlainsyed007
  • backend#1105 — perf(api): query micro-fixes — notifications N+1, cached data_scientist, composite index, sampling (#975) · author: @aptracebloc · no reviewer assigned
  • backend#1107 — perf(experiments): prefetch ExperimentListSerializer relations + cache carbon intensity (#977) · author: @aptracebloc · reviewer: @saqlainsyed007
  • cli#266 — main - > enhance CLI features and tests · author: @saadqbal · no reviewer assigned

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)

Comment thread .github/workflows/goldens-drift.yml
@LukasWodka

Copy link
Copy Markdown
Contributor Author

@BugBot run

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

1 issue from previous review remains unresolved.

Fix All in Cursor

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 4dc10f1. Configure here.

@LukasWodka LukasWodka self-assigned this Jul 14, 2026
saadqbal
saadqbal previously approved these changes Jul 14, 2026

@saadqbal saadqbal left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Well-built gate — pins to .data-ingestors-ref (no floating-branch cross-repo reddening), least-privilege contents: read, and the skip-with-warning fallback if the repo goes private is exactly right (better than hard-failing every internal/push PR). The check ran green here, so the full path works and goldens are in sync.

@saadqbal

Copy link
Copy Markdown
Collaborator

Status: approved, but 1 open Cursor Bugbot finding blocks merge: Invalid PAT skips token fallback (goldens-drift.yml:87) — an invalid-but-present CROSS_REPO_READ_TOKEN would skip the github.token fallback. Fix/resolve and it's ready.

…i#287)

A set-but-invalid CROSS_REPO_READ_TOKEN (expired / wrong scope) made the
readability probe pick only the PAT, fail, and skip the whole drift check
while data-ingestors is still public and the default token would work.

Probe now tries the PAT, and if it fails falls back to github.token before
marking access failed — only skip-with-warning when BOTH fail. It emits a
`use_pat` selector so the checkout uses exactly the token the probe
validated, keeping the two in lockstep. Still read-only, least-privilege,
skip-not-hard-fail.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@saadqbal saadqbal left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approving — Bugbot fix verified: the probe now tries CROSS_REPO_READ_TOKEN, falls back to the default workflow token if the PAT is invalid, and only skips-with-warning when BOTH fail (with use_pat keeping the checkout in sync). Closes the invalid-PAT-strands-the-check gap. 👍

@saadqbal
saadqbal merged commit 9c15fdd into develop Jul 14, 2026
20 checks passed
@saadqbal
saadqbal deleted the ci/287-goldens-drift branch July 14, 2026 16:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants