ci: shorten PR workflow critical path#331
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Re-review: all four findings fixed (Claude)Re-reviewed the fix batch (tip
Nice turnaround. The only open item is the owner-policy decision, which is A Codex re-review of the fix batch is being run in parallel; will follow up if it Reviewed by Claude Opus 4.8. |
Correction to my previous re-review (Claude + Codex)My earlier comment said "all four findings fixed." That was wrong — I tested Still open1. (must-fix, security) save-if: ${{ github.event_name == 'push' && contains(fromJSON('["main", "master", "development", "dev"]'), github.ref_name)
|| github.event_name == 'pull_request' }}The extracted line is just 2. (must-fix) python-test path filter is still under-inclusive. 3. (should-fix) Confirmed genuinely fixed (credit where due)
VerdictNot mergeable as-is: #1 and #2 should block (the first is a required security Apologies for the premature "all fixed" — this supersedes that comment. Reviewed by Claude Opus 4.8 and Codex (gpt-5.5) — adversarial cross-review. |
- parse multiline YAML cache guards before validating cache-write policy - expand Python and Rust workflow path filters for example and bootstrap script changes - make python-release artifact collection fail closed and count llvm wheels Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
@ciaranra this may now be ready |
Review of
|
Address adversarial review of 826619f (findings A, B, C). Cache-write guard (A/B): replace the bypassable syntax blacklist in dependency-integrity-check.sh with a structural allowlist. cache_guard_ok extracts the actual YAML scalar for the step's guard key and requires a top-level "&&" chain (no top-level "||", no unary negation) containing an exact `github.event_name == 'push'` predicate and a canonical trusted-ref predicate (contains(fromJSON('[trusted set]'), github.ref_name) or an explicit github.ref_name == '<branch>' disjunction over exactly the trusted set). This rejects the !(...), `!= 'push'`, and contains-on-literal bypasses, the multiline `|| pull_request` tail, and block scalars, while accepting valid reordered branch chains. Removes the now-unused blacklist helpers. Release collector (C): the rslib loop glob `wheel-pecos-rslib-*` also matched `wheel-pecos-rslib-llvm-*`, which the llvm loop had already emptied, causing a hard `exit 1` on any release containing LLVM wheels. Exclude `*-llvm-*` dirs from the rslib loop so both families collect independently. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Pushed A/B (cache-write guard). Agreed the syntax blacklist was the wrong tool. Replaced it with a structural allowlist ( Verified by execution against your three accepted bypasses ( C (release collector regression). Confirmed: The post-merge-only core-test policy remains a separate maintainer decision; happy to adjust the PR description wording if you'd like. |
|
Here also I am running out of usefulness and am happy to let you finish. |
… with a shared detect script
…selene, python collector output)
cf07314 to
42f7610
Compare
Summary
This PR reduces PR-path CI latency by splitting Python lanes, moving heavyweight validation to trusted push/tag/manual contexts, tightening workflow triggers, and fixing CI reliability regressions discovered during rollout.
Changes in this PR
Python CI lane split and PR fast path (
.github/workflows/python-test.yml,Justfile)python-lint,python-core,python-compat-smoke-build,python-compat-smoke, andpython-slow-postmerge.python-coreuses a PR fast-path check; full core tests remain on trusted branch pushes.Justfileand fixed thepytestrecipe shell block.Python compat-smoke correctness + robustness (
.github/workflows/python-test.yml)build-llvm: truewhereinclude-llvm: true).rgonly when missing.Python artifacts PR optimization (
.github/workflows/python-release.yml)Docs CI stabilization + PR fast path (
.github/workflows/test-docs-examples.yml,docs/user-guide/qec-guppy.md)python,skipto avoid timeout.Rust PR-path optimization + trigger coverage fixes (
.github/workflows/rust-test.yml)exp/**andCargo.lock.Workflow trigger scoping (
.github/workflows/julia-release.yml,.github/workflows/julia-test.yml,.github/workflows/python-test.yml,.github/workflows/python-release.yml)pyproject.toml,ruff.toml,.pre-commit-config.yaml).Dependency integrity policy hardening (
scripts/dependency-integrity-check.sh)main/master/development/dev).save-if/save-cache/actions/cache/savegating.Current PR CI status
python-compat-smoke-build (windows-2022)at ~15 minutes.