fix(ci): install CodeClone action from repo source for self-checks before PyPI release

Author: orenlab

.github/actions/codeclone/README.md

@@ -16,13 +16,17 @@ and propagate the real gate result.
 The v2 action flow is:
 
 1. set up Python
-2. install `codeclone` from PyPI
+2. install `codeclone`
 3. optionally require a committed baseline
 4. run CodeClone with JSON + optional SARIF output
 5. optionally upload SARIF to GitHub Code Scanning
 6. optionally post or update a PR summary comment
 7. return the real CodeClone exit code as the job result
 
+When the action is used from the checked-out CodeClone repository itself
+(`uses: ./.github/actions/codeclone`), it installs CodeClone from the repo
+source under test. Remote consumers still install from PyPI.
+
 ## Basic usage
 
 ```yaml
@@ -41,8 +45,8 @@ name: CodeClone
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
-    paths: ["**/*.py"]
+    types: [ opened, synchronize, reopened ]
+    paths: [ "**/*.py" ]
 
 permissions:
   contents: read
@@ -67,39 +71,39 @@ jobs:
 
 ## Inputs
 
-| Input | Default | Purpose |
-|-------|---------|---------|
-| `python-version` | `3.13` | Python version used to run the action |
-| `package-version` | `""` | CodeClone version from PyPI; empty means latest stable |
-| `path` | `.` | Project root to analyze |
-| `json-path` | `.cache/codeclone/report.json` | JSON report output path |
-| `sarif` | `true` | Generate SARIF and try to upload it |
-| `sarif-path` | `.cache/codeclone/report.sarif` | SARIF output path |
-| `pr-comment` | `true` | Post or update a PR summary comment |
-| `fail-on-new` | `true` | Fail if new clone groups are detected |
-| `fail-on-new-metrics` | `false` | Fail if metrics regress vs baseline |
-| `fail-threshold` | `-1` | Max allowed function+block clone groups |
-| `fail-complexity` | `-1` | Max cyclomatic complexity |
-| `fail-coupling` | `-1` | Max coupling CBO |
-| `fail-cohesion` | `-1` | Max cohesion LCOM4 |
-| `fail-cycles` | `false` | Fail on dependency cycles |
-| `fail-dead-code` | `false` | Fail on high-confidence dead code |
-| `fail-health` | `-1` | Minimum health score |
-| `require-baseline` | `true` | Fail early if the baseline file is missing |
-| `baseline-path` | `codeclone.baseline.json` | Baseline path passed to CodeClone |
-| `metrics-baseline-path` | `codeclone.baseline.json` | Metrics baseline path passed to CodeClone |
-| `extra-args` | `""` | Additional CodeClone CLI arguments |
-| `no-progress` | `true` | Disable progress output |
+| Input                   | Default                         | Purpose                                                                                                           |
+|-------------------------|---------------------------------|-------------------------------------------------------------------------------------------------------------------|
+| `python-version`        | `3.13`                          | Python version used to run the action                                                                             |
+| `package-version`       | `""`                            | CodeClone version from PyPI for remote installs; ignored when the action runs from the checked-out CodeClone repo |
+| `path`                  | `.`                             | Project root to analyze                                                                                           |
+| `json-path`             | `.cache/codeclone/report.json`  | JSON report output path                                                                                           |
+| `sarif`                 | `true`                          | Generate SARIF and try to upload it                                                                               |
+| `sarif-path`            | `.cache/codeclone/report.sarif` | SARIF output path                                                                                                 |
+| `pr-comment`            | `true`                          | Post or update a PR summary comment                                                                               |
+| `fail-on-new`           | `true`                          | Fail if new clone groups are detected                                                                             |
+| `fail-on-new-metrics`   | `false`                         | Fail if metrics regress vs baseline                                                                               |
+| `fail-threshold`        | `-1`                            | Max allowed function+block clone groups                                                                           |
+| `fail-complexity`       | `-1`                            | Max cyclomatic complexity                                                                                         |
+| `fail-coupling`         | `-1`                            | Max coupling CBO                                                                                                  |
+| `fail-cohesion`         | `-1`                            | Max cohesion LCOM4                                                                                                |
+| `fail-cycles`           | `false`                         | Fail on dependency cycles                                                                                         |
+| `fail-dead-code`        | `false`                         | Fail on high-confidence dead code                                                                                 |
+| `fail-health`           | `-1`                            | Minimum health score                                                                                              |
+| `require-baseline`      | `true`                          | Fail early if the baseline file is missing                                                                        |
+| `baseline-path`         | `codeclone.baseline.json`       | Baseline path passed to CodeClone                                                                                 |
+| `metrics-baseline-path` | `codeclone.baseline.json`       | Metrics baseline path passed to CodeClone                                                                         |
+| `extra-args`            | `""`                            | Additional CodeClone CLI arguments                                                                                |
+| `no-progress`           | `true`                          | Disable progress output                                                                                           |
 
 For numeric gate inputs, `-1` means "disabled".
 
 ## Outputs
 
-| Output | Meaning |
-|--------|---------|
-| `exit-code` | CodeClone process exit code |
-| `json-path` | Resolved JSON report path |
-| `sarif-path` | Resolved SARIF report path |
+| Output          | Meaning                                                    |
+|-----------------|------------------------------------------------------------|
+| `exit-code`     | CodeClone process exit code                                |
+| `json-path`     | Resolved JSON report path                                  |
+| `sarif-path`    | Resolved SARIF report path                                 |
 | `pr-comment-id` | PR comment id when the action updated or created a comment |
 
 ## Exit behavior
@@ -148,6 +152,12 @@ with:
   package-version: "2.0.0b3"
 ```
 
+Local/self-repo validation:
+
+- `uses: ./.github/actions/codeclone` installs CodeClone from the checked-out
+  repository source, so beta branches and unreleased commits do not depend on
+  PyPI publication.
+
 ## Notes and limitations
 
 - For private repositories without GitHub Advanced Security, SARIF upload may

.github/actions/codeclone/_action_impl.py

@@ -11,6 +11,7 @@
 import subprocess
 from dataclasses import dataclass
 from pathlib import Path
+from typing import Literal
 
 COMMENT_MARKER = "<!-- codeclone-report -->"
 
@@ -45,6 +46,12 @@ class RunResult:
     sarif_exists: bool
 
 
+@dataclass(frozen=True, slots=True)
+class InstallTarget:
+    requirement: str
+    source: Literal["repo", "pypi-version", "pypi-latest"]
+
+
 def parse_bool(value: str) -> bool:
     return value.strip().lower() == "true"
 
@@ -99,6 +106,27 @@ def write_outputs(path: str, values: dict[str, str]) -> None:
             handle.write(f"{key}={value}\n")
 
 
+# codeclone: ignore[dead-code]
+def resolve_install_target(
+    *,
+    action_path: str,
+    workspace: str,
+    package_version: str,
+) -> InstallTarget:
+    action_root = Path(action_path).resolve().parents[2]
+    workspace_root = Path(workspace).resolve()
+    if action_root == workspace_root:
+        return InstallTarget(requirement=str(action_root), source="repo")
+
+    normalized_version = package_version.strip()
+    if normalized_version:
+        return InstallTarget(
+            requirement=f"codeclone=={normalized_version}",
+            source="pypi-version",
+        )
+    return InstallTarget(requirement="codeclone", source="pypi-latest")
+
+
 def run_codeclone(inputs: ActionInputs) -> RunResult:
     ensure_parent_dir(inputs.json_path)
     if inputs.sarif:

.github/actions/codeclone/action.yml

@@ -16,7 +16,7 @@ inputs:
     default: "3.13"
 
   package-version:
-    description: "CodeClone version from PyPI (empty = latest stable)"
+    description: "CodeClone version from PyPI for remote installs (ignored when the action runs from the checked-out CodeClone repo)"
     required: false
     default: ""
 
@@ -138,17 +138,46 @@ runs:
         python-version: ${{ inputs.python-version }}
         cache: pip
 
-    - name: Install CodeClone
+    - name: Resolve CodeClone install target
+      id: resolve-install
       shell: bash
       env:
         CODECLONE_VERSION: ${{ inputs.package-version }}
+      run: |
+        python - <<'PY'
+        import os
+        import sys
+
+        sys.path.insert(0, os.environ["GITHUB_ACTION_PATH"])
+
+        from _action_impl import resolve_install_target, write_outputs
+
+        target = resolve_install_target(
+            action_path=os.environ["GITHUB_ACTION_PATH"],
+            workspace=os.environ["GITHUB_WORKSPACE"],
+            package_version=os.environ.get("CODECLONE_VERSION", ""),
+        )
+        print(f"Resolved CodeClone install source: {target.source} ({target.requirement})")
+        github_output = os.environ.get("GITHUB_OUTPUT")
+        if github_output:
+            write_outputs(
+                github_output,
+                {
+                    "install-spec": target.requirement,
+                    "install-source": target.source,
+                },
+            )
+        PY
+
+    - name: Install CodeClone
+      shell: bash
+      env:
+        INSTALL_SPEC: ${{ steps.resolve-install.outputs.install-spec }}
+        INSTALL_SOURCE: ${{ steps.resolve-install.outputs.install-source }}
       run: |
         python -m pip install --upgrade pip
-        if [ -n "${CODECLONE_VERSION}" ]; then
-          python -m pip install "codeclone==${CODECLONE_VERSION}"
-        else
-          python -m pip install codeclone
-        fi
+        echo "Installing CodeClone from ${INSTALL_SOURCE}: ${INSTALL_SPEC}"
+        python -m pip install "${INSTALL_SPEC}"
 
     - name: Verify baseline
       if: ${{ inputs.require-baseline == 'true' }}
@@ -270,4 +299,9 @@ runs:
       if: ${{ always() }}
       shell: bash
       run: |
-        exit "${{ steps.analysis.outputs.exit-code }}"
+        status="${{ steps.analysis.outputs.exit-code }}"
+        if [ -z "${status}" ]; then
+          echo "CodeClone analysis did not produce an exit code." >&2
+          exit 2
+        fi
+        exit "${status}"

.github/workflows/codeclone.yml

@@ -27,7 +27,6 @@ jobs:
         uses: ./.github/actions/codeclone
         with:
           python-version: "3.13"
-          package-version: "2.0.0b3"
           fail-on-new: "true"
           fail-health: "60"
           sarif: "true"

tests/test_github_action_helpers.py

@@ -10,7 +10,7 @@
 import sys
 from pathlib import Path
 from types import ModuleType
-from typing import cast
+from typing import Any, cast
 
 
 def _load_action_impl() -> ModuleType:
@@ -35,6 +35,20 @@ def _assert_contains_all(text: str, expected_parts: tuple[str, ...]) -> None:
         assert expected in text
 
 
+def _resolve_install_target(
+    *,
+    action_path: Path,
+    workspace: Path,
+    package_version: str,
+) -> Any:
+    action_impl = _load_action_impl()
+    return action_impl.resolve_install_target(
+        action_path=str(action_path),
+        workspace=str(workspace),
+        package_version=package_version,
+    )
+
+
 def test_build_codeclone_args_includes_enabled_gates_and_paths() -> None:
     action_impl = _load_action_impl()
     inputs = action_impl.ActionInputs(
@@ -130,3 +144,51 @@ def test_render_pr_comment_uses_canonical_report_summary() -> None:
             "`2.0.0b3`",
         ),
     )
+
+
+def test_resolve_install_target_uses_repo_source_for_local_action_checkout(
+    tmp_path: Path,
+) -> None:
+    repo_root = tmp_path / "codeclone"
+    action_path = repo_root / ".github" / "actions" / "codeclone"
+    action_path.mkdir(parents=True)
+
+    target = _resolve_install_target(
+        action_path=action_path,
+        workspace=repo_root,
+        package_version="2.0.0b3",
+    )
+
+    assert target.source == "repo"
+    assert target.requirement == str(repo_root.resolve())
+
+
+def test_resolve_install_target_uses_pypi_for_remote_checkout(tmp_path: Path) -> None:
+    workspace_root = tmp_path / "consumer"
+    action_repo = tmp_path / "_actions" / "orenlab" / "codeclone" / "main"
+    action_path = action_repo / ".github" / "actions" / "codeclone"
+    action_path.mkdir(parents=True)
+    workspace_root.mkdir()
+
+    pinned = _resolve_install_target(
+        action_path=action_path,
+        workspace=workspace_root,
+        package_version="2.0.0b3",
+    )
+    latest = _resolve_install_target(
+        action_path=action_path,
+        workspace=workspace_root,
+        package_version="",
+    )
+
+    assert (
+        pinned.source,
+        pinned.requirement,
+        latest.source,
+        latest.requirement,
+    ) == (
+        "pypi-version",
+        "codeclone==2.0.0b3",
+        "pypi-latest",
+        "codeclone",
+    )