Some checks failed
GitHub never sees Forgejo PRs, so pull_request-gated workflows never ran on the mirror for feature branches. Per the hybrid workflow guide convention, smoke + lane-shas now also trigger on non-main branch pushes. - Job guards (github.server_url) keep the Forgejo Act host from running each branch twice (push + pull_request) — the run #167 OOM class. - lane-shas extends its skip-safe pin-relevant-path policy to branch pushes (merge-base vs origin/main); main pushes keep always-verify. - full-pytest stays main-only (a per-push ~73-min trigger would torch the Actions minute budget). Note: GitHub-side runs stay dead until the AssetOverflow account billing lock is cleared ('job was not started because your account is locked').
129 lines
4.9 KiB
YAML
129 lines
4.9 KiB
YAML
name: lane-shas
|
|
|
|
# Verify that every ADR-0092..0104 lane produces its pinned SHA-256
|
|
# report. A failing job means a lane's deterministic output changed
|
|
# without an explicit ADR-tracked pin update via:
|
|
#
|
|
# python scripts/verify_lane_shas.py --update
|
|
#
|
|
# Single source of truth for the pinned values is scripts/verify_lane_shas.py.
|
|
#
|
|
# PR path policy (job-level, not workflow-level):
|
|
# Pin bytes can move from Python, packs, eval fixtures/corpora, teaching
|
|
# corpora, dependency pins, CLAIMS.md, or this workflow. When none of those
|
|
# paths change on a PR, we skip the multi-minute runners and exit success so
|
|
# a required check never sits "Waiting" forever (workflow-level `paths:`
|
|
# would omit the job entirely and hang required status checks).
|
|
# Main pushes always verify.
|
|
|
|
on:
|
|
push:
|
|
# main: post-merge verify (always runs, any host).
|
|
# other branches: hybrid mirror CI — GitHub-hosted runners stand in for
|
|
# the Forgejo pull_request gate (PR metadata lives on Forgejo only). The
|
|
# job guard below skips branch pushes on the Forgejo Act host to avoid
|
|
# double-running each branch (push + pull_request).
|
|
branches: ['**']
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: lane-shas-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
verify:
|
|
name: verify pinned lane SHAs
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
if: >-
|
|
github.event_name == 'pull_request' ||
|
|
github.ref_name == 'main' ||
|
|
github.server_url == 'https://github.com'
|
|
|
|
steps:
|
|
- name: checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
# Need base..head for PR path detection.
|
|
fetch-depth: 0
|
|
|
|
- name: detect pin-relevant paths
|
|
id: paths
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
# Always verify on main pushes.
|
|
if [ "${{ github.event_name }}" = "push" ] && [ "${{ github.ref_name }}" = "main" ]; then
|
|
echo "run=true" >> "$GITHUB_OUTPUT"
|
|
echo "Pin-relevant path check: always run on main push"
|
|
exit 0
|
|
fi
|
|
|
|
if [ "${{ github.event_name }}" = "push" ]; then
|
|
# Feature-branch push (GitHub mirror): same skip-safe policy as the
|
|
# Forgejo PR gate, diffing against the merge-base with main.
|
|
BASE="$(git merge-base origin/main HEAD)"
|
|
HEAD="$(git rev-parse HEAD)"
|
|
else
|
|
BASE="${{ github.event.pull_request.base.sha }}"
|
|
HEAD="${{ github.event.pull_request.head.sha }}"
|
|
fi
|
|
# Paths that can change pin bytes or CLAIMS generation inputs.
|
|
# Keep in sync with docs/testing-lanes.md § CI policy.
|
|
PATTERN='(\.py$|^packs/|^evals/|^teaching/|^CLAIMS\.md$|^pyproject\.toml$|^uv\.lock$|^\.github/workflows/lane-shas\.yml$)'
|
|
if git diff --name-only "$BASE" "$HEAD" | grep -E "$PATTERN" >/dev/null; then
|
|
echo "run=true" >> "$GITHUB_OUTPUT"
|
|
echo "Pin-relevant paths changed; running lane SHA verification"
|
|
git diff --name-only "$BASE" "$HEAD" | grep -E "$PATTERN" || true
|
|
else
|
|
echo "run=false" >> "$GITHUB_OUTPUT"
|
|
echo "No pin-relevant paths changed; skipping lane SHA verification (job still green)"
|
|
fi
|
|
|
|
# setup-uv (not actions/setup-python) provisions Python on the aarch64
|
|
# self-hosted runner; actions/setup-python has no arm64 build for the
|
|
# pinned 3.12.13. Matches smoke.yml / full-pytest.yml.
|
|
- name: set up uv
|
|
if: steps.paths.outputs.run == 'true'
|
|
uses: astral-sh/setup-uv@v5
|
|
with:
|
|
python-version: '3.12.13'
|
|
enable-cache: true
|
|
|
|
- name: install dependencies
|
|
if: steps.paths.outputs.run == 'true'
|
|
run: |
|
|
uv pip install -e . pyyaml pytest
|
|
|
|
- name: verify lane SHAs
|
|
if: steps.paths.outputs.run == 'true'
|
|
env:
|
|
PYTHONPATH: ${{ github.workspace }}
|
|
# public_demo wall-clock is soft by default (see evals/public_demo/runner.py).
|
|
# Do not set CORE_SHOWCASE_HARD_BUDGET here — cold Act runners exceed 60s.
|
|
# Content cases (claims, determinism, pure composition) remain hard gates.
|
|
run: |
|
|
uv run python scripts/verify_lane_shas.py
|
|
|
|
- name: verify CLAIMS.md is current
|
|
if: steps.paths.outputs.run == 'true'
|
|
env:
|
|
PYTHONPATH: ${{ github.workspace }}
|
|
run: |
|
|
uv run python scripts/generate_claims.py --check
|
|
|
|
- name: emit machine-readable report (on failure)
|
|
if: failure() && steps.paths.outputs.run == 'true'
|
|
env:
|
|
PYTHONPATH: ${{ github.workspace }}
|
|
run: |
|
|
uv run python scripts/verify_lane_shas.py --json || true
|
|
|
|
- name: skip notice
|
|
if: steps.paths.outputs.run != 'true'
|
|
run: |
|
|
echo "::notice title=lane-shas skipped::No pin-relevant paths in this PR; verification skipped (success)."
|