ci: add an aggregation layer to CI to allow blocking merge more dynamically#239
Conversation
a7f6f55 to
c86d1d7
Compare
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughCI workflow hardens GitHub Actions through commit SHA pinning across all jobs, adds actionlint validation for kebab-case action inputs, replaces shell globbing with deterministic array-based wheel discovery, and introduces a ChangesCI Hardening: Action Pinning, Wheel Determinism, and Status Aggregation
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/actions/test-status/action.yaml (1)
57-64:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winMissing trailing newline.
YAML files should end with a newline.
Proposed fix
retention-days: 1 if-no-files-found: error +🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/actions/test-status/action.yaml around lines 57 - 64, The YAML file is missing a trailing newline at EOF; open the action step block containing the "Upload status" job (the step with name: "Upload status" and uses: actions/upload-artifact@v6, including the with keys name and path) and add a single newline character at the end of the file so the file ends with a newline.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yaml:
- Around line 54-57: Add a SHA-256 integrity check for the downloaded actionlint
tarball before extracting it: after downloading
"${RUNNER_TEMP}/actionlint.tar.gz" (actionlint_1.7.12_linux_amd64.tar.gz)
compute its SHA-256 (e.g., with sha256sum) and compare it to the expected hash
"8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8"; if the
checksum does not match, fail the workflow (exit non‑zero) and do not run tar
-xzf; if it matches, proceed to extract into "${RUNNER_TEMP}/actionlint".
---
Outside diff comments:
In @.github/actions/test-status/action.yaml:
- Around line 57-64: The YAML file is missing a trailing newline at EOF; open
the action step block containing the "Upload status" job (the step with name:
"Upload status" and uses: actions/upload-artifact@v6, including the with keys
name and path) and add a single newline character at the end of the file so the
file ends with a newline.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 14684629-4350-4ffa-97ef-6f357545d471
📒 Files selected for processing (2)
.github/actions/test-status/action.yaml.github/workflows/ci.yaml
|
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yaml:
- Around line 627-718: Modify the "Wait for contributing jobs" and "Check test
statuses" steps so we fail when an expected contributing job has no status
artifact: fetch the completed job list from the GH API (same endpoint used in
the waiting loop) and build the set of contributor job names (exclude
non-contributors via the existing excluded_jobs array / is_excluded function),
then when processing artifacts in the "Check test statuses" step compare that
contributor set against the names extracted from the downloaded
test-status-*.json files (the jq '.name' values); if any contributor is missing,
emit an error and set failure (exit non-zero) instead of silently passing. Keep
the existing artifact parsing, summary table, and existing
excluded_jobs/is_excluded logic but add the missing-check before the existing
total==0 check so timeouts/canceled jobs cause CI to fail.
- Around line 48-49: Replace all floating action refs in the CI workflow (e.g.,
actions/checkout@v6, actions/download-artifact@v8 and other `@v`* refs such as
docker/login-action, setup-uv, upload-artifact) with their pinned commit SHAs;
locate occurrences by searching for those action names in the file and update
each uses: entry to the corresponding commit SHA. Additionally, in the ci-status
aggregation job (named ci-status) and the coverage-comment flow, ensure every
job you wait for actually produced a test-status artifact by adding a validation
step after the wait that checks for the existence of each expected
test-status-...-*.json artifact (or alternatively call the GitHub Actions API to
derive job conclusions) and fail/mark missing artifacts so the gate decision
reflects missing or failed jobs rather than silently ignoring them.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 792072f2-163c-44b6-888c-8e561aed197e
📒 Files selected for processing (3)
.github/actionlint.yaml.github/actions/test-status/action.yaml.github/workflows/ci.yaml
✅ Files skipped from review due to trivial changes (1)
- .github/actionlint.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/actions/test-status/action.yaml
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/actions/test-status/action.yaml (1)
83-89:⚠️ Potential issue | 🟠 MajorPin
actions/upload-artifactto a commit SHA (immutable ref).
Upload statusin.github/actions/test-status/action.yamluses the floating refactions/upload-artifact@v6, leaving a supply-chain gap.Snippet
- name: Upload status uses: actions/upload-artifact@v6 with: name: ${{ steps.write.outputs.artifact-name }} path: ${{ steps.write.outputs.status-file }} retention-days: 1 if-no-files-found: error🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/actions/test-status/action.yaml around lines 83 - 89, The workflow step named "Upload status" currently uses the floating ref actions/upload-artifact@v6; replace that with an immutable commit SHA for actions/upload-artifact (e.g., actions/upload-artifact@<commit-sha>) to pin the dependency and remove the supply-chain risk, keeping the rest of the step (name, with: name: ${{ steps.write.outputs.artifact-name }}, path: ${{ steps.write.outputs.status-file }}, retention-days: 1, if-no-files-found: error) unchanged; update the uses value for the "Upload status" step to the specific commit SHA from the official repository.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yaml:
- Around line 35-39: The "Record test start" step using
./.github/actions/test-status (name: Detect Path Changes, phase: start) runs
after actions/checkout so failures during checkout never emit the start marker;
move or add an inline pre-checkout step that emits the same start marker (same
name and phase) before any actions/checkout occurs for this job (or update the
ci-status reconciler to query the Actions API for jobs with missing markers) so
the job always opts into CI status even if checkout fails.
---
Outside diff comments:
In @.github/actions/test-status/action.yaml:
- Around line 83-89: The workflow step named "Upload status" currently uses the
floating ref actions/upload-artifact@v6; replace that with an immutable commit
SHA for actions/upload-artifact (e.g., actions/upload-artifact@<commit-sha>) to
pin the dependency and remove the supply-chain risk, keeping the rest of the
step (name, with: name: ${{ steps.write.outputs.artifact-name }}, path: ${{
steps.write.outputs.status-file }}, retention-days: 1, if-no-files-found: error)
unchanged; update the uses value for the "Upload status" step to the specific
commit SHA from the official repository.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 19fb22bc-26b4-4462-9923-4aff9f825c94
📒 Files selected for processing (2)
.github/actions/test-status/action.yaml.github/workflows/ci.yaml
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yaml:
- Line 34: The checkout steps using
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 leave GITHUB_TOKEN in
git config; update every actions/checkout step in the workflow (all uses of
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10) to include a with:
persist-credentials: false block so the token is not persisted to git config;
ensure you add the setting to each occurrence (including any checkout used
before pushes or commits) and verify no other checkout steps omit this option.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 4f2bf4e4-94a1-42a3-8a5b-71992deff69c
📒 Files selected for processing (1)
.github/workflows/ci.yaml
Signed-off-by: Brooke Storm <brookes@nvidia.com>
Signed-off-by: Brooke Storm <brookes@nvidia.com>
Signed-off-by: Brooke Storm <brookes@nvidia.com>
Signed-off-by: Brooke Storm <brookes@nvidia.com>
Signed-off-by: Brooke Storm <brookes@nvidia.com>
Signed-off-by: Brooke Storm <brookes@nvidia.com>
Signed-off-by: Brooke Storm <brookes@nvidia.com>
…hat to not block Signed-off-by: Brooke Storm <brookes@nvidia.com>
16988cd to
5ef6046
Compare
Besides the aggregation layer for the workflow, this also adds an actionlint check to ensure github actions stay high quality.
Summary by CodeRabbit