Skip to content

fix: fail input drift for new integrations#42

Merged
risheetperi merged 3 commits into
masterfrom
fail-new-integration-config-input-drift
Jun 1, 2026
Merged

fix: fail input drift for new integrations#42
risheetperi merged 3 commits into
masterfrom
fail-new-integration-config-input-drift

Conversation

@TheRealAgentK

@TheRealAgentK TheRealAgentK commented May 25, 2026

Copy link
Copy Markdown
Collaborator

Summary

This changes config/code input drift from warning-only to failure for brand-new integrations, while preserving warning-only behavior for existing integrations.

Key code changes

  • scripts/check_config_sync.py

    • Adds --base-ref <ref>.
    • Verifies --base-ref resolves to a local commit before classifying integrations, returning exit code 2 for missing/unfetched refs.
    • Adds _is_new_integration(...) to detect whether <integration>/config.json existed at the base ref.
    • Handles renamed integration directories by using git rename detection for config.json and treating renamed integrations as existing.
    • Keeps action mismatches as hard failures for all integrations.
    • Converts input drift warnings into failures only when the integration is new at --base-ref.
  • scripts/check_code.py

    • Adds --base-ref <ref>.
    • Passes the base ref into check_config_sync(...) during the code check step.
  • action.yml

    • Passes the composite action's base_ref input into scripts/check_code.py --base-ref ..., so PR CI gets the new behavior automatically.

Cases now enforced for new integrations

These still warn for existing integrations, but fail for new integrations:

  • Parameter accessed in code but missing from config.json input_schema.
  • Parameter defined in input_schema but never accessed in code.
  • Parameter marked required in schema but accessed with inputs.get(...).
  • Parameter optional in schema but accessed directly with inputs["param"].

Tests and fixtures

  • .github/workflows/self-test.yml

    • Adds coverage that input drift warns for existing integrations via check_config_sync.py.
    • Adds coverage that input drift fails for new integrations via check_config_sync.py.
    • Adds wrapper-layer coverage for both warn/fail behavior through check_code.py --base-ref HEAD.
    • Adds an invalid --base-ref definitely-not-a-ref regression expecting exit code 2.
  • tests/examples/input-drift/

    • New fixture covering all four input-drift cases while keeping action names in sync.

Docs updated

  • README.md
  • LOCAL_DEVELOPMENT.md
  • scripts/docs/check_code.md
  • scripts/docs/check_config_sync.md

Validation

  • PYTHONDONTWRITEBYTECODE=1 .venv/bin/python -m py_compile scripts/check_config_sync.py scripts/check_code.py tests/examples/input-drift/input_drift.py
  • .venv/bin/ruff check --config ruff.toml scripts/check_config_sync.py scripts/check_code.py tests/examples/input-drift/input_drift.py
  • .venv/bin/ruff format --check --config ruff.toml scripts/check_config_sync.py scripts/check_code.py tests/examples/input-drift/input_drift.py
  • .venv/bin/python scripts/check_code.py --base-ref HEAD tests/examples/good-integration
  • .venv/bin/python scripts/check_code.py --base-ref HEAD tests/examples/input-drift
  • Verified new integration input drift fails via check_code.py --base-ref HEAD tmp-input-drift.
  • Verified invalid base refs return exit code 2 from check_config_sync.py.

@TheRealAgentK

Copy link
Copy Markdown
Collaborator Author

This change comes out of a case of a new integration failing the build instantly become of config/code drift.

@Autohive-AI Autohive-AI deleted a comment from chatgpt-codex-connector Bot May 25, 2026
@risheetperi

risheetperi commented May 25, 2026

Copy link
Copy Markdown

🚫 Blocker

1. Verify base_ref resolves before classifying integrations as new

File: scripts/check_config_sync.py — add at the top of check_config_sync()

def check_config_sync(dir_path: str, *, base_ref: str | None = None) -> int:
    if base_ref:
        verify = subprocess.run(
            ["git", "rev-parse", "--verify", "--quiet", f"{base_ref}^{{commit}}"],
            capture_output=True, text=True,
        )
        if verify.returncode != 0:
            print(f"❌ base-ref '{base_ref}' not resolvable — check fetch-depth or ref name", file=sys.stderr)
            return 2
    # ... existing body

Without this, a misconfigured caller (shallow clone, unfetched ref) flips every existing integration to "new" → false-positive failures.


⚠️ Should-fix

2. Handle renamed integrations

File: scripts/check_config_sync.py:171-182

Either detect renames via git diff --name-status --find-renames <base_ref> HEAD -- <dir>/config.json (treat R... entries as existing), or document explicitly in scripts/docs/check_config_sync.md that renamed integrations are subject to new-integration rules.

3. Extend self-tests to wrapper layers

File: .github/workflows/self-test.yml

  • Add a check_code.py --base-ref HEAD test against the input-drift fixture. Either add requirements.txt with the SDK to the fixture so upstream checks pass, or grep on the config-sync substring rather than overall exit code.
  • Add a copied-fixture variant expecting fail through check_code.py.
  • After (1) lands: add a --base-ref definitely-not-a-ref regression expecting exit 2.

@risheetperi

Copy link
Copy Markdown

I have asked AMP to have a look at the PR

@TheRealAgentK

Copy link
Copy Markdown
Collaborator Author

I have asked AMP to have a look at the PR

All addressed, thx @risheetperi - item 2 I went with detecting the rename instead of documenting the gap.

@risheetperi

Copy link
Copy Markdown

Code Review Notes

  1. Blocker — rename detection is still broken.
    git diff --find-renames <base> HEAD -- <new>/config.json reports the renamed config as A, not R..., so renamed existing integrations are still treated as brand-new and can falsely fail input-drift checks.
    Fix: Remove the destination pathspec and scan --diff-filter=R results for the new config path.

  2. Should-fix — git base-ref logic is CWD-dependent.
    check_config_sync.py --base-ref HEAD /absolute/path/to/integration fails when run outside the repo because git commands run from process CWD, not the integration's repo.
    Fix: Resolve repo root with git -C <integration-dir> rev-parse --show-toplevel and run all git commands with -C <repo_root>.

  3. Should-fix — check_code.py collapses config-sync exit code 2 to 1.
    Invalid/unfetched base refs are processing errors in check_config_sync.py, but wrapper output becomes the generic "config and code are out of sync."
    Fix: Preserve sync_result == 2, return 2, and capture stderr into the displayed config-sync section.

  4. Test improvement — wrapper failure test is too weak.
    The copied-fixture check_code.py test only checks nonzero exit, so any earlier lint/import/security failure would pass it.
    Fix: Grep for the specific config-sync message: "New integrations must keep config.json input_schema in sync with code".

  5. Minor — docs consistency.
    Some README/local docs summaries still omit or inconsistently describe the fetch-pattern step and the updated exit-code behavior.

@risheetperi risheetperi left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me,
Just a few things:

  1. High finding (directory interpolation)
    Non-blocking: Directory values are interpolated unquoted into shell - technically injection-prone, but in practice these are repo-sourced integration names so risk is low. Worth hardening later via env vars + a Bash array (read -r -a DIR_ARGS <<< "$DIRS" → "${DIR_ARGS[@]}").

  2. Medium finding (base_ref vs directories)
    Docs nit: Docs say base_ref is optional when directories is set, but without it README checks run with an empty ref and version checks are skipped. Trivial fix - update docs to say base_ref is always required; directories is just an auto-detection override.

Overall summary
Approving - no blockers.

@risheetperi risheetperi merged commit acfa286 into master Jun 1, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants