ci: goldens-drift job — validator goldens vs data-ingestors @ pin (cli#287)#308
Conversation
…i#287) New dedicated workflow (goldens-drift.yml): checks out tracebloc/data-ingestors at the pinned ref (scripts/.data-ingestors-ref), installs its runtime requirements, and runs scripts/sync-validator-goldens.sh --check — failing any PR whose committed parity goldens have drifted from the REAL validators at the pin. Closes the wired-into-no-CI hole: until now the goldens were only regenerated by hand, so a corpus/generator/pin change could land with stale goldens and CI stayed green. Triggers: PRs touching internal/push/**, the pin, or the sync harness; weekly Monday cron as a backstop; manual dispatch. Cross-repo access: data-ingestors is currently PUBLIC (verified via gh), so the default workflow token suffices — the cli#62 precedent (install-path-persist.yml) also checks out a sibling repo with no secret. The job still prefers an org secret CROSS_REPO_READ_TOKEN when present and skips-with-warning (never hard-fails) if the repo becomes unreadable, so a future privatization flips to 'create the secret' instead of redding every open PR. Deps: pip install -r data-ingestors/requirements.txt, not just pandas+pillow — the generator's import chain also needs sqlalchemy, tenacity, ijson et al (verified in a clean venv; pandas+pillow alone fails on import). requirements.txt is all light pure-python wheels. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
👋 Heads-up — Code review queue is at 48 / 30 Above the WIP limit. The team convention is to review existing PRs before opening new work. Open PRs currently in Code review (oldest first):
Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.) |
|
@BugBot run |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
1 issue from previous review remains unresolved.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 4dc10f1. Configure here.
saadqbal
left a comment
There was a problem hiding this comment.
👍 Well-built gate — pins to .data-ingestors-ref (no floating-branch cross-repo reddening), least-privilege contents: read, and the skip-with-warning fallback if the repo goes private is exactly right (better than hard-failing every internal/push PR). The check ran green here, so the full path works and goldens are in sync.
|
Status: approved, but 1 open Cursor Bugbot finding blocks merge: Invalid PAT skips token fallback (goldens-drift.yml:87) — an invalid-but-present |
…i#287) A set-but-invalid CROSS_REPO_READ_TOKEN (expired / wrong scope) made the readability probe pick only the PAT, fail, and skip the whole drift check while data-ingestors is still public and the default token would work. Probe now tries the PAT, and if it fails falls back to github.token before marking access failed — only skip-with-warning when BOTH fail. It emits a `use_pat` selector so the checkout uses exactly the token the probe validated, keeping the two in lockstep. Still read-only, least-privilege, skip-not-hard-fail. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
saadqbal
left a comment
There was a problem hiding this comment.
Re-approving — Bugbot fix verified: the probe now tries CROSS_REPO_READ_TOKEN, falls back to the default workflow token if the PAT is invalid, and only skips-with-warning when BOTH fail (with use_pat keeping the checkout in sync). Closes the invalid-PAT-strands-the-check gap. 👍

Fixes #287. Part of epic tracebloc/backend#1106 (WS-C.2).
What
New dedicated workflow
.github/workflows/goldens-drift.yml(nothing appended tobuild.yml): checks outtracebloc/data-ingestorsat the pinned ref fromscripts/.data-ingestors-ref, installs the ingestor's runtime deps, and runsscripts/sync-validator-goldens.sh --check. A PR whose committedinternal/push/testdata/parity/goldens.jsonhas drifted from the REAL validators at the pin now fails CI — closing the wired-into-no-CI hole (the goldens were previously regenerated only by hand).Triggers: PRs touching
internal/push/**,scripts/.data-ingestors-ref, the sync script/generator, or the workflow itself; weekly cron (Mon 05:30 UTC);workflow_dispatch.Cross-repo access — reality differs from the ticket
The ticket assumes data-ingestors is private and asks to reuse the #62 secret. Two findings:
tracebloc/client) rides the defaultgithub.token.gh repo view tracebloc/data-ingestors→PUBLIC), so the default token suffices here too. (It's also why the unauthenticatedraw.githubusercontent.comcurl insync-schema.shworks at all.)So the job runs out of the box with no new secret required today. To stay robust against a future privatization, the workflow:
secrets.CROSS_REPO_READ_TOKENwhen present (token: ${{ secrets.CROSS_REPO_READ_TOKEN || github.token }}), andgit ls-remote) and skips with a loud warning — never hard-fails — when the repo is unreachable with the available tokens, naming the exact secret to create.@LukasWodka (admin): nothing to create now. If/when data-ingestors goes private, create org secret
CROSS_REPO_READ_TOKEN(fine-grained PAT,contents:readontracebloc/data-ingestors) and the job picks it up unchanged. Deviation from the ticket's skip-when-secret-absent wording: skipping whenever the secret is absent would mean the job never runs today (the secret doesn't exist and isn't needed), so the guard keys on actual repo reachability instead.Deviation:
pip install pandas pillowis not enoughThe ticket's dep list fails at import time — the generator's chain (
validators_mapping→ ingestors) also needssqlalchemy,tenacity,ijson,tqdm,requests… (verified in a clean venv:pandas+pillowalone →ModuleNotFoundError: sqlalchemy). The job installs-r data-ingestors/requirements.txtinstead — all light pure-python wheels, and future-proof against upstream dep changes.Verification (what actually ran locally)
pip install -r requirements.txt(from a data-ingestors checkout at the pin8f89aec) +scripts/sync-validator-goldens.sh --check→validator goldens in sync.actionlintclean; YAML parses.--check.Note: this PR's own diff doesn't touch
internal/push/**, so the new job won't self-trigger here beyond its own workflow path filter.🤖 Generated with Claude Code
Note
Low Risk
CI-only change with no runtime or application code; cross-repo access is read-only with graceful skip when the upstream repo is unreachable.
Overview
Adds
.github/workflows/goldens-drift.yml, a standalone job that closes the gap whereinternal/push/testdata/parity/goldens.jsoncould go stale while CI stayed green.On each run it reads the pin from
scripts/.data-ingestors-ref, probes whethertracebloc/data-ingestorsis reachable (PAT with fallback to the default token; skip with a warning only if both fail), checks out that repo at the pin, installsdata-ingestors/requirements.txt, and runsscripts/sync-validator-goldens.sh --check.Triggers: PRs touching
internal/push/**, the pin, sync/generator scripts, or this workflow; weekly Monday cron;workflow_dispatch. Uses read-onlycontentspermission and PR-scoped concurrency cancel.Reviewed by Cursor Bugbot for commit e190f21. Bugbot is set up for automated code reviews on this repo. Configure here.