mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-07-19 14:12:01 +00:00
2ea0cc6ed2
* ci: docs-only fast path + minimal docs CI
Skip the full pytest matrix + browser smoke on docs/CHANGELOG/README-only PRs
(required checks still report green fast via a fail-safe 'changes' gate job), and
add a lightweight Docs CI: critical_markdown_check.py (rendering-breaks only, not
style) + lychee broken-link check. Detection fails safe (any uncertainty or any
non-doc path -> full suite runs).
* ci: tighten docs-only detection — extension/type wins over name
A code file whose NAME contains README/CHANGELOG (scripts/CHANGELOG_stamp.py,
static/README_renderer.js) was wrongly classified docs-only, which would SKIP the
test suite on a real code change. Now a path is docs only by doc extension, exact
doc basename, or non-code file under docs/. Verified against 16 cases incl. every
code-with-docs-name trap.
* ci: fix all Fable+Codex gate findings on docs-only fast path
- BLOCKER: drop *.txt from is_docs (requirements.txt is a dep manifest — a bump
would have skipped the whole test matrix). docs = *.md/.markdown/.rst + bare
doc basenames only; strict allowlist, no docs/** denylist.
- Rename hole: use 'git diff --name-only --no-renames' so a rename src/app.py ->
docs.md reveals the code-side deletion instead of collapsing to the doc dest.
- SECURITY: docs-ci.yml no longer interpolates untrusted fork-PR filenames into
run: via ${{ }} (which executes $() in a crafted name). File list flows through
a file + mapfile-as-args; lychee gets a fixed glob, not the attacker list.
Added permissions: contents: read.
- Wedge belt-and-suspenders: 'if: ${{ always() }}' on the required test +
browser-smoke jobs so a failed 'changes' job can't skip them; step guards treat
missing/empty docs_only as run-full.
- critical_markdown_check.py: corrected the core rule — a newline in the whitespace
AROUND a link destination is valid CommonMark (was a false positive); only a
newline INSIDE the destination token, or an unclosed inline link, breaks
rendering. Verified full agreement with the markdown-it-py reference parser +
0 false positives on all 43 repo docs. Also blank 4-space indented code + multi
backtick spans. Reworded 'block the merge' -> 'break rendering' (non-required).
* ci: address Codex re-gate — lint always() + markdown title/unclosed cases
- Add if: always() to the lint job too (not currently required, but future-proof
against the wedge class if it's ever promoted).
- critical_markdown_check.py: handle two more CommonMark cases Codex found —
a newline inside a "title" string is legal (skip), and a newline-terminated
unclosed dest ([x](url\n at EOF/EOL with no close) is broken (flag). After the
destination token ends, valid continuations are ')' or a title opener (" ' ();
bare text after the newline is the real break. Verified full agreement with
markdown-it-py across 13 cases + 0 FP on all 43 repo docs.
* ci: model the CommonMark inline-dest grammar (root-cause fix for markdown checker)
Round-3 gate found the title heuristic caused sibling regressions: a parenthesized
multi-line title (url (a\nb)) was falsely flagged, and a quote glued into the URL
(exa"part) was wrongly treated as a title-start and skipped. Rather than patch more
heuristics, replace the ad-hoc newline logic with _scan_inline_dest(), which walks
the actual grammar: skip leading ws -> bare dest (balanced parens, ends at ws or the
depth-0 ')') or <angle> dest -> after ws the next char must be ')' or a real title
opener (" ' () -> else the destination is split across the line (broken). Verified
FULL agreement with markdown-it-py across 20 adversarial cases (incl. both round-3
regressions, balanced parens, angle dests, multiline titles) + 0 FP on all 43 docs.
* test: pytest suite for critical_markdown_check (42 cases)
Durable, repeatable verification for the docs-CI markdown checker: 19 verdict cases
+ 19 cross-checked against the markdown-it-py CommonMark reference (skips cleanly if
the lib is absent) + 3 code-span-safety cases + empty/no-link inputs. Covers both
round-3 regressions (parenthesized multi-line title valid; quote-glued-in-URL broken),
balanced parens, angle destinations, and multiline titles. 42 passed.
* ci: fix 2 grammar edges from Codex round-4 (escaped-> in angle dest, unbalanced bare-dest parens)
- Angle dest <...> now honors backslash escapes: [x](<foo\>bar>) renders (the \> is
escaped), was a false positive.
- Bare dest must have BALANCED parens: [x](foo(\n)) does not render (a '(' stays open
when whitespace ends the token) — now returns split, was a false negative.
Both verified against markdown-it-py + added as pytest cases. 46 passed, 0 FP on 43 docs.
* ci: escaped-newline in angle dest is still a raw newline (Codex round-5)
<...> escape handling skipped the char after backslash including a newline, so
[x](<foo\<nl>>) returned ok but doesn't render (blockquote on line 2). An escaped
newline inside an angle destination is still a raw newline -> split. Preserves
[x](<foo\>bar>). Added regression case. 48 pytest cases pass, 0 FP on 43 docs.
* ci: mirror escaped-newline guard to bare dest (Codex round-6, GFM-correct)
The angle branch already treated backslash-newline as split; the bare branch skipped
it, so [x](foo\<nl>bar) returned ok. GFM/CommonMark forbid line endings in bare
destinations (GitHub's cmark-gfm won't render it), though markdown-it-py permissively
does. Since these docs are GitHub-rendered we follow GFM: flag it. Added as a
SPEC_DIVERGENT test case (verdict-asserted, excluded from the permissive parser
cross-check). 49 pytest pass, escaped paren/space still valid, 0 FP on 43 docs.
* ci: delimiter-aware title scan (Codex round-7 unclosed-link false negatives)
Naive text.find(')') matched the TITLE's own ')' not the link's outer ')', so
[x](foo (title), [x](<foo> (title), [x](foo "title" all returned ok despite being
unclosed links. Now parse the title to its actual closing delimiter ("..", '..',
or a (..) that forbids nested unescaped '(' per CommonMark), then require the link's
own ')' after optional whitespace. Also catches the nested-paren-title break
[x](foo (a (b) c)). Verified vs markdown-it-py; escaped parens + single-quoted
titles containing parens still valid. 61 pytest pass, 0 FP on 43 docs.
* ci: remove unused variable (ruff F841 in critical_markdown_check)
The CI lint gate (ruff forward E9+F+B on new lines) caught a dead 'stripped =
line.lstrip()' leftover from an earlier refactor in _blank_code — the fence
detection matches on the raw line. Removed. No behavior change (61 pytest pass).
---------
Co-authored-by: nesquena-hermes <nesquena-hermes@users.noreply.github.com>
253 lines
12 KiB
YAML
253 lines
12 KiB
YAML
name: Tests
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [master]
|
|
push:
|
|
branches: [master]
|
|
|
|
# Docs-only fast path: a CHANGELOG/README/docs-only PR does not need the full pytest
|
|
# matrix or the JS/lint runtime guards — nothing executable changed. But the `test (…)`
|
|
# shards and `lint` are REQUIRED status checks in the master ruleset, and a *skipped*
|
|
# required check reports as pending forever (auto-merge would hang). So we keep the jobs
|
|
# running and reporting green, but SHORT-CIRCUIT their expensive work when every changed
|
|
# path is documentation. Detection FAILS SAFE: if anything is uncertain (no base to diff,
|
|
# any non-doc path touched), docs_only=false and the full suite runs.
|
|
jobs:
|
|
changes:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
docs_only: ${{ steps.detect.outputs.docs_only }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Detect docs-only change set
|
|
id: detect
|
|
env:
|
|
BASE_SHA: ${{ github.event.pull_request.base.sha }}
|
|
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
|
|
run: |
|
|
# Fail-safe: this step ALWAYS exits 0 and ALWAYS emits docs_only (default
|
|
# 'false' = run the full suite). If the `changes` job ever failed, the
|
|
# required test/browser jobs (needs: changes) would be SKIPPED and their
|
|
# required contexts would never report — wedging the PR in perpetual
|
|
# pending. So the detector can never fail; worst case it over-runs CI.
|
|
docs_only="false"
|
|
emit() { echo "docs_only=$docs_only" >> "$GITHUB_OUTPUT"; }
|
|
trap emit EXIT
|
|
set -uo pipefail
|
|
# STRICT ALLOWLIST — a path counts as "docs" ONLY if it is unambiguously
|
|
# documentation. Everything else runs the full suite (fail-open to safety).
|
|
# A file is docs iff:
|
|
# * it has a doc extension: *.md / *.markdown / *.rst, OR
|
|
# * its basename is an extensionless doc file (LICENSE/README/CHANGELOG/…).
|
|
# NOT docs (deliberately): *.txt (requirements.txt controls deps!), anything
|
|
# under docs/ that isn't a doc extension (docs/Makefile, docs/build.py,
|
|
# docs/*.json), and any code file whose NAME merely contains README/CHANGELOG
|
|
# (scripts/CHANGELOG_stamp.py, static/README_renderer.js). Extension/type
|
|
# wins over name, and a non-doc extension is never docs.
|
|
is_docs() {
|
|
f="$1"; low="$(printf '%s' "$f" | tr '[:upper:]' '[:lower:]')"; base="${f##*/}"
|
|
case "$low" in
|
|
*.md|*.markdown|*.rst) return 0 ;;
|
|
esac
|
|
case "$base" in
|
|
LICENSE|README|CHANGELOG|NOTICE|AUTHORS|CONTRIBUTING) return 0 ;;
|
|
esac
|
|
return 1
|
|
}
|
|
|
|
# Resolve the changed-file list. PR event = base..head; push = before..after.
|
|
if [ -n "${BASE_SHA:-}" ] && [ -n "${HEAD_SHA:-}" ]; then
|
|
git fetch --no-tags --depth=1 origin "$BASE_SHA" 2>/dev/null || git fetch --no-tags origin master || true
|
|
RANGE="$BASE_SHA...$HEAD_SHA"
|
|
else
|
|
RANGE="${{ github.event.before }}...${{ github.sha }}"
|
|
fi
|
|
|
|
# --no-renames so a rename shows BOTH sides: `git mv src/app.py docs.md` must
|
|
# reveal the src/app.py deletion (a code change) instead of collapsing to the
|
|
# docs.md destination and being mis-classified as docs-only.
|
|
if ! FILES="$(git diff --name-only --no-renames "$RANGE" 2>/dev/null)"; then
|
|
echo "Could not diff $RANGE — running full suite (fail-safe)."; exit 0
|
|
fi
|
|
if [ -z "$FILES" ]; then
|
|
echo "Empty diff — running full suite (fail-safe)."; exit 0
|
|
fi
|
|
|
|
echo "Changed files:"; echo "$FILES"
|
|
result="true"
|
|
while IFS= read -r f; do
|
|
[ -z "$f" ] && continue
|
|
if ! is_docs "$f"; then
|
|
echo "Non-docs path -> full suite required: $f"
|
|
result="false"
|
|
break
|
|
fi
|
|
done <<< "$FILES"
|
|
docs_only="$result"
|
|
echo "docs_only=$docs_only"
|
|
|
|
lint:
|
|
needs: changes
|
|
# `lint` is not currently a required check, but add always() anyway so it can
|
|
# never wedge if it's promoted to required later — same rationale as the test/
|
|
# browser-smoke jobs; a failed `changes` degrades to running the full lint.
|
|
if: ${{ always() }}
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Docs-only short-circuit
|
|
if: needs.changes.outputs.docs_only == 'true'
|
|
run: echo "Docs-only change set — skipping lint/runtime guards (nothing executable changed)."
|
|
|
|
- uses: actions/checkout@v4
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
with:
|
|
# Need history so the gate can diff against the merge-base with master.
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Python
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install ruff
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: pip install ruff
|
|
|
|
- name: Ensure origin/master ref is available for the diff gate
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: git fetch --no-tags --depth=1 origin master || true
|
|
|
|
# Whole-tree Python syntax gate. The Python analog of the JS `node --check`
|
|
# pass. The ruff E9 gate below is diff-scoped (new/changed lines only), so a
|
|
# SyntaxError/IndentationError whose parser-reported line sits on an UNTOUCHED
|
|
# line (e.g. a dedented `try:` above an unchanged import) can slip the diff
|
|
# filter and only surface as a confusing mass-failure of every test shard at
|
|
# the conftest server-boot fixture. compileall fails in ~2s with a clear
|
|
# file:line, before the matrix suite runs. Whole-tree + unconditional so it
|
|
# cannot be bypassed by the diff scope. (#4641)
|
|
- name: Python syntax gate (whole tree — fails fast on any unparseable .py)
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: python3 -m compileall -q api server.py bootstrap.py mcp_server.py tests scripts
|
|
|
|
- name: Ruff forward gate (new/changed lines only)
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: python3 scripts/ruff_lint.py --diff origin/master
|
|
|
|
- name: Ruff whole-tree report (informational — never blocks)
|
|
if: needs.changes.outputs.docs_only != 'true' && always()
|
|
run: python3 scripts/ruff_lint.py --all
|
|
|
|
# Static-JS runtime-error guards. These catch brick-class bugs that throw only
|
|
# when the browser executes the code — node --check, source-presence tests, and
|
|
# the mocked pytest suite all miss them. Two complementary ESLint passes:
|
|
# * runtime-guard config: no-const-assign / no-import-assign (#3162 class)
|
|
# * scope_undef_gate.py: no-undef across the shared classic-<script> global
|
|
# scope, catching a function defined nested but called from a sibling
|
|
# scope (#3696 — ReferenceError: _sessionAttentionState is not defined).
|
|
- name: Set up Node for ESLint runtime guards
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20'
|
|
|
|
- name: Install ESLint
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: npm install --no-save eslint@^10
|
|
|
|
- name: ESLint runtime-error gate (no-const-assign / no-import-assign, #3162)
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: npx eslint --no-config-lookup -c eslint.runtime-guard.config.mjs "static/**/*.js"
|
|
|
|
- name: Scope / undefined-reference gate (#3696)
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: python3 scripts/scope_undef_gate.py
|
|
|
|
test:
|
|
needs: changes
|
|
# Belt-and-suspenders: run even if `changes` errored/was skipped. A required job
|
|
# that gets SKIPPED reports its context as pending forever (wedge). With always(),
|
|
# the job runs regardless; the per-step `if: … != 'true'` guards then treat a
|
|
# missing/empty docs_only (which is what a failed `changes` yields) as "run full
|
|
# CI" — so a detector failure degrades to running everything, never to a wedge.
|
|
if: ${{ always() }}
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
# Don't cancel the other shards/versions when one fails — we want the full
|
|
# failure picture across the matrix in a single run.
|
|
fail-fast: false
|
|
matrix:
|
|
python-version: ['3.11', '3.12', '3.13']
|
|
# Split the suite across 5 parallel shards per Python version. pytest-shard
|
|
# partitions tests deterministically by test-id hash; the suite was made
|
|
# shard-safe (no cross-test state leakage) so every shard passes
|
|
# independently. See docs/agent-memory note on test-suite shard-safety.
|
|
# NOTE: pytest-shard is 0-indexed — shard ids must be 0..num_shards-1.
|
|
# Using 1-based ids would crash the out-of-range job AND silently skip
|
|
# shard 0's tests.
|
|
shard: [0, 1, 2, 3, 4]
|
|
|
|
steps:
|
|
- name: Docs-only short-circuit
|
|
if: needs.changes.outputs.docs_only == 'true'
|
|
run: echo "Docs-only change set — skipping pytest shard ${{ matrix.shard }} (no executable change)."
|
|
|
|
- uses: actions/checkout@v4
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
|
|
- name: Set up Python ${{ matrix.python-version }}
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
cache: 'pip'
|
|
cache-dependency-path: |
|
|
**/setup.cfg
|
|
**/requirements*.txt
|
|
**/pyproject.toml
|
|
|
|
- name: Install dependencies
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
# Office parsers stay optional at runtime; CI installs them explicitly for the workspace preview tests.
|
|
pip install "pyyaml>=6.0" pytest pytest-timeout pytest-asyncio pytest-shard python-docx openpyxl python-pptx playwright
|
|
# ruff is installed so tests/test_ruff_forward_lint.py runs its E9/F821
|
|
# tree-clean assertions in-suite (mirrors how eslint is available for
|
|
# tests/test_static_js_runtime_lint.py). If install fails the test
|
|
# skips cleanly — it never blocks the matrix.
|
|
pip install ruff || echo "ruff install failed — test_ruff_forward_lint.py will skip"
|
|
# Install the `mcp` package so tests/test_mcp_server.py runs in CI.
|
|
# The package is an optional runtime dep of mcp_server.py — users
|
|
# who run the MCP integration install it themselves; CI installs
|
|
# it so test coverage exists. If mcp install fails (Python 3.13
|
|
# wheel not yet available, etc.), tests/test_mcp_server.py uses
|
|
# importorskip and the matrix stays green.
|
|
pip install mcp || echo "mcp install failed — test_mcp_server.py will importorskip"
|
|
|
|
- name: Get Playwright version
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
id: pw-version
|
|
run: echo "version=$(pip show playwright | grep '^Version:' | cut -d' ' -f2)" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Cache Playwright browsers
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.cache/ms-playwright
|
|
key: ${{ runner.os }}-playwright-${{ steps.pw-version.outputs.version }}
|
|
restore-keys: |
|
|
${{ runner.os }}-playwright-
|
|
|
|
- name: Install Playwright browsers
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: python -m playwright install --with-deps chromium
|
|
|
|
- name: Run tests (shard ${{ matrix.shard }} of 5)
|
|
if: needs.changes.outputs.docs_only != 'true'
|
|
run: pytest tests/ -v --timeout=60 --shard-id=${{ matrix.shard }} --num-shards=5
|