ci: weekly data-ingestors HEAD-drift canary + mirrored-source alert (cli#289)#312
Conversation
…ert (cli#289) New advisory workflow (head-drift-canary.yml), cron + dispatch only, never blocking: checks data-ingestors develop HEAD (NOT the pin) two ways — 1. goldens check vs HEAD: sync-validator-goldens.sh --check against a checkout of HEAD, catching verdict/value changes the next pin bump would have to adopt. 2. mirrored-source drift: git content comparison (pin vs HEAD) over the upstream surface internal/push + internal/schema mirror (validators/, modalities/, coercion/columns/constants/validators_mapping, csv_ingestor/record_processor/base/preflight, file_transfer, schema_inference, database, schema/) — catching the di#365 class: a new or extended upstream validator with no corpus case, invisible to the goldens check by definition. On either signal it opens or comments on a SINGLE tracking issue keyed by the head-drift-canary marker label (label auto-created idempotently); all-clear runs just emit a notice. Drift never reds the run — the job captures the goldens verdict instead of failing on it. An unreachable pin SHA (rewritten upstream history) is reported as drift too. Verified locally against real history: the path-list diff at the OLD pin 7b4ecac flags exactly the di#358+di#365 surface (9 files incl. mask_id_validator.py, image_validator.py); at the current pin 8f89aec it is empty. Issue-body construction exercised with sample env; goldens check vs HEAD ran green locally. actionlint clean. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
👋 Heads-up — Code review queue is at 55 / 30 Above the WIP limit. The team convention is to review existing PRs before opening new work. Open PRs currently in Code review (oldest first):
Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.) |
|
@BugBot run |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 103a541. Configure here.
saadqbal
left a comment
There was a problem hiding this comment.
👍 Clean advisory canary — cron/dispatch only, succeeds on drift (gates nothing), and the single-issue reuse (comment vs duplicate) keeps it quiet. issues: write is the minimal grant for the alert and it only runs on trusted triggers, so no injection surface. Good offset scheduling vs the other weekly jobs.
Fixes #289. Part of epic tracebloc/backend#1106 (WS-C.4).
What
New dedicated workflow
.github/workflows/head-drift-canary.yml— weekly (Mon 06:00 UTC) +workflow_dispatch, advisory only: no PR trigger, and the run stays green even when drift is found. The signal channel is a single tracking issue, not a red build.It watches data-ingestors develop HEAD (deliberately not the pin) two ways:
scripts/sync-validator-goldens.sh --checkagainst a checkout of HEAD: catches verdict/value changes the next pin bump would have to adopt.internal/push+internal/schemamirror tracks:validators/,modalities/,utils/{coercion,columns,constants,validators_mapping}.py,ingestors/{preflight,csv_ingestor,record_processor,base}.py,file_transfer.py,schema_inference.py,database.py,schema/. This catches the di#365 class: a new or extended upstream validator with no corpus case yet — invisible to the goldens check by definition.On either signal (or an unreachable pin SHA — rewritten upstream history) it opens or comments on ONE tracking issue, keyed by the
head-drift-canarymarker label (created idempotently withgh label create --force; open-issue lookup by label, comment if found, create if not). The issue body carries pin/HEAD SHAs, both verdicts, the changed-file list, and the pin-bump playbook (cli#286 shape).Design notes
github.token(permissions: issues: write). Since GITHUB_TOKEN events don't trigger downstream workflows, the tracking issue will NOT be auto-added to the kanban byadd-to-kanban.yml— it's an operational pointer, the actual work happens via a pin-bump ticket.env:(no${{ }}insiderun:script bodies beyond env mapping); the issue body is built withprintf+--body-file.CROSS_REPO_READ_TOKENpreferred if it ever exists.Verification (what actually ran locally)
git diff --name-only <pin> HEAD -- <paths>at the OLD pin7b4ecacflags precisely the di#358+di#365 surface (9 files, incl.mask_id_validator.py,image_validator.py,coercion.py); at the current pin8f89aecit returns empty. Both directions correct.8f89aec, deps from itsrequirements.txt).actionlintclean; YAML parses. Not run in real Actions (schedule-only; fires once merged — can be smoke-tested withworkflow_dispatchafter merge). No test issue was created against the repo.🤖 Generated with Claude Code
Note
Low Risk
CI-only advisory automation with read/issue permissions; no application runtime or auth paths change, and drift never fails the workflow.
Overview
Adds
.github/workflows/head-drift-canary.yml, a weekly (Mon 06:00 UTC) and manually dispatchable advisory job that comparesscripts/.data-ingestors-refto tracebloc/data-ingestorsdevelopHEAD—not the pinned SHA used in PR CI.It flags stale pins in two ways: running
sync-validator-goldens.sh --checkagainst the HEAD checkout (goldens/verdict drift), and agit diff --name-onlyover the mirrored validator/schema surface between pin and HEAD (upstream changes with no golden flip yet). Unreachable pin SHAs are treated as drift too.When any signal fires, the workflow does not fail; it opens or comments on a single
head-drift-canary-labeled issue with pin/HEAD SHAs, drift details, changed paths, and the pin-bump playbook.issues: writeand cross-repo checkout follow the existing goldens-drift pattern (CROSS_REPO_READ_TOKENoptional).Reviewed by Cursor Bugbot for commit 103a541. Bugbot is set up for automated code reviews on this repo. Configure here.