test: pin AI-review workflow Codex-action contract#528
Conversation
Add TestWorkflowCodexActionContract to tests/test_openai_review.py pinning the load-bearing wiring of .github/workflows/ai_pr_review.yml as producer<->consumer couplings (not just string presence): - openai/codex-action@v1 pin + prompt-file input - compiled-prompt path agrees between the build step (PROMPT=) and the action input (prompt-file:) - final-message output flows from the id:-tagged Codex step into the post-comment step (broken id => blank comment, caught) - the three unified-diff exclude pathspecs (real-data JSON/CSV + .ipynb) - comment markers + the invariant that the prev-review fetch filter is a prefix shared by both the canonical and rerun markers These cover the elements not already guarded by TestWorkflowPromptHardening (wrapper/close-tag sanitization), TestWorkflowCommentPosting (rerun gates), or TestWorkflowDoesNotExecutePRHeadCode (sandbox: read-only). Closes the TODO row "AI review CI: pin workflow contract via test" (#416); removes it from the Testing/Docs table and the Tier B backlog. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address local AI-review feedback on the new TestWorkflowCodexActionContract: - P2: assertions scanned the whole workflow text, so drift could pass if a literal appeared in a comment or an unrelated step. Bind each assertion to the specific step block (Run Codex / Build review prompt / Post PR comment / Fetch previous AI review) via a `_step_block` helper that mirrors the sibling TestWorkflowDoesNotExecutePRHeadCode._extract_step_block. The final-message test now asserts the post-comment ref id equals the Codex step's actual `id:` (not just "some `id:` exists somewhere"). Verified: a stray action pin in a comment with a different action in the real step now fails (global check would have passed). - P3: reworded the class docstring "Tracks TODO.md ..." -> "Covers the former TODO.md item ..." since the row is removed in the same change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address local AI-review R2-P2 (test robustness): within a step block the
assertions still used bare substrings, so a literal left in a same-step
comment after the real key was commented out / moved could pass spuriously.
Anchor each check to the live key line / JS assignment (start-of-line,
MULTILINE): `^\s*uses: openai/codex-action@v1$`, `^\s*prompt-file: ...$`,
`^\s*PROMPT=...$`, the `^\s*CODEX_FINAL_MESSAGE: ${{ steps.<id>.outputs.
final-message }}$` env mapping (plus a check that the JS reads
process.env.CODEX_FINAL_MESSAGE), `const marker =`/`const rerunMarker =`
JS assignments, and the `.includes("<!-- ai-pr-review:codex:")` filter.
The pathspec check now requires a live (non-comment) command line.
Verified: a commented-out action pin / marker that the bare-substring
check accepted now fails the anchored check.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Overall Assessment✅ Looks good Executive Summary
MethodologyNo findings. Severity: N/A Code QualityNo P0/P1 findings. Severity: P3 PerformanceNo findings. Severity: N/A MaintainabilityNo findings. Severity: N/A Tech DebtNo findings. Severity: N/A SecurityNo findings. Severity: N/A Documentation/TestsNo blocking findings. Severity: P3 |
CI Codex R1 P3: this was the one assertion still using a bare substring while the class comment claims all checks anchor to live lines. Anchor it to the live `const msg = (process.env.CODEX_FINAL_MESSAGE ...` JS assignment (start-of-line, MULTILINE) for internal consistency — a same-step JS comment containing the literal no longer satisfies it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
🔁 AI review rerun (requested by @igerber) Head SHA: Overall Assessment✅ Looks good Executive Summary
MethodologyNo findings. Severity: N/A Code QualityNo findings. Severity: N/A PerformanceNo findings. Severity: N/A MaintainabilityNo findings. Severity: N/A Tech DebtNo findings. Severity: N/A SecurityNo findings. Severity: N/A Documentation/TestsNo blocking findings. Severity: P3 |
1 participant
Summary
TestWorkflowCodexActionContracttotests/test_openai_review.py(7 tests) pinning the AI-review workflow (.github/workflows/ai_pr_review.yml) Codex-action wiring as producer↔consumer couplings, not just string presence:openai/codex-action@v1pin +prompt-fileinput (scoped to the Run Codex step)PROMPT=) and the action input (prompt-file:)final-messageoutput wired from theid:-tagged Codex step →CODEX_FINAL_MESSAGEenv → JS body of the post-comment step (the ref id must equal the Codex step's actualid:).ipynb)_step_blockhelper mirroring the siblingTestWorkflowDoesNotExecutePRHeadCode._extract_step_block) and anchors to the live key line / JS assignment (start-of-line, MULTILINE), so a literal left in a same-step comment can't make the pin pass spuriously.Methodology references (required if estimator / math changes)
Validation
tests/test_openai_review.py— newTestWorkflowCodexActionContract(7 tests); full file 250 passed.id:wiring that bare-substring checks would have accepted.Security / privacy
🤖 Generated with Claude Code