Skip to content

ci(integration-tests): Add workflow for integration tests.#2334

Draft
quinntaylormitchell wants to merge 12 commits into
y-scope:mainfrom
quinntaylormitchell:integration-tests-gh-workflow
Draft

ci(integration-tests): Add workflow for integration tests.#2334
quinntaylormitchell wants to merge 12 commits into
y-scope:mainfrom
quinntaylormitchell:integration-tests-gh-workflow

Conversation

@quinntaylormitchell

@quinntaylormitchell quinntaylormitchell commented Jun 15, 2026

Copy link
Copy Markdown
Collaborator

Description

This PR adds an automated workflow for integration tests. The workflow runs task tests:integration.

Checklist

  • The PR satisfies the contribution guidelines.
  • This is a breaking change and that has been indicated in the PR title, OR this isn't a
    breaking change.
  • Necessary docs have been updated, OR no docs need to be updated.

Validation performed

Summary by CodeRabbit

  • Chores
    • Automated integration testing workflow added to run on pull requests, pushes, and scheduled daily intervals.

@quinntaylormitchell quinntaylormitchell requested a review from a team as a code owner June 15, 2026 15:12
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f460ef1a-4428-4e34-bd36-ddc57cd19804

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

A new GitHub Actions workflow file (.github/workflows/clp-integration-tests.yaml) is added. It defines the clp-integration-tests workflow with PR/push triggers (ignoring .github/** and docs/**), a daily cron at 00:30 UTC, and manual dispatch. A single integration-tests job runs on ubuntu-24.04, checks out the repository with submodules, installs pinned Go task and uv versions via local composite actions, and executes task tests:integration.

Changes

Integration Tests CI Workflow

Layer / File(s) Summary
Integration tests workflow definition
.github/workflows/clp-integration-tests.yaml
Adds the full workflow with PR/push path-filtered triggers, a daily cron, manual dispatch, in-progress run cancellation (except on main), and an ubuntu-24.04 job that installs pinned Go task and uv tooling then runs task tests:integration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding a GitHub Actions workflow for integration tests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/clp-integration-tests.yaml:
- Line 6: The path-ignore pattern `.github/*` uses a single wildcard which only
matches immediate children of the `.github/` directory and will not match nested
subdirectories like `.github/workflows/`. To ensure consistency with the
recursive matching pattern (`**`) used in lines 7-8 and to properly ignore all
changes under the entire `.github/` directory, update the pattern from
`.github/*` to `.github/**`.
- Around line 29-31: The actions/checkout step in the workflow defaults to
persist-credentials: true, which stores the GitHub token in the git config and
could expose it if untrusted code is executed during the task tests:integration
command. Add persist-credentials: false to the with section of the
actions/checkout action to disable credential persistence, unless subsequent
workflow steps explicitly require authenticated git operations.
- Around line 23-43: The workflow currently lacks an explicit permissions block,
which means it inherits default GitHub Actions permissions that may be broader
than necessary. Add a top-level permissions block after the concurrency block
(if present) to define minimal explicit permissions required for the integration
tests workflow. Set all default permissions to false and only enable specific
permissions that the integration tests genuinely require (such as contents: read
for checking out code). If the integration tests need additional access like
pulling from GitHub Container Registry, add packages: read accordingly. This
follows the principle of least privilege and reduces security risk if the
workflow or its dependencies are compromised.
- Line 24: Add a descriptive `name` field to the `integration-tests` job
definition in the workflow file. After the job ID `integration-tests:`, add a
`name` property with a clear, human-readable description of what the job does.
This improves visibility and readability in the GitHub Actions UI when viewing
workflow runs.
- Around line 37-39: The uv installation action in the install-uv step specifies
the version as "0.8" in shorthand format, but the uv package manager requires
the complete semantic versioning format with the patch version included. Change
the version parameter value from "0.8" to "0.8.0" to match the canonical semver
format that uv uses for official releases.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c447b93e-4b15-4cc2-93bc-6464d321aa04

📥 Commits

Reviewing files that changed from the base of the PR and between 653d2be and 35c0813.

📒 Files selected for processing (1)
  • .github/workflows/clp-integration-tests.yaml

on:
pull_request:
paths-ignore: &ignored_paths
- ".github/*"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Inconsistent path-ignore pattern may not match subdirectories.

The pattern .github/* uses a single wildcard that only matches immediate children of .github/, not subdirectories like .github/workflows/. Lines 7-8 use ** for recursive matching. If the intent is to ignore all changes under .github/ (as suggested by the summary mentioning "ignoring .github/**"), use .github/** for consistency.

📝 Proposed fix
-      - ".github/*"
+      - ".github/**"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- ".github/*"
- ".github/**"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/clp-integration-tests.yaml at line 6, The path-ignore
pattern `.github/*` uses a single wildcard which only matches immediate children
of the `.github/` directory and will not match nested subdirectories like
`.github/workflows/`. To ensure consistency with the recursive matching pattern
(`**`) used in lines 7-8 and to properly ignore all changes under the entire
`.github/` directory, update the pattern from `.github/*` to `.github/**`.

Comment on lines +23 to +43
jobs:
integration-tests:

# Runs only on Ubuntu Noble (24.04) because the integration test suite can't run on macOS.
runs-on: "ubuntu-24.04"
steps:
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
with:
submodules: "recursive"

- uses: "./tools/yscope-dev-utils/exports/github/actions/install-go-task"
with:
version: "3.48.0"

- uses: "./tools/yscope-dev-utils/exports/github/actions/install-uv"
with:
version: "0.8"

- name: "Run integration tests"
shell: "bash"
run: "task tests:integration"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Define explicit minimal permissions for the workflow.

No explicit permissions block means the workflow inherits default permissions, which may grant broader access than required. Integration tests typically need minimal permissions. Following the principle of least privilege reduces the security risk if the workflow or its dependencies are compromised.

🔐 Recommended permissions block

Add at the top level after the concurrency block:

 concurrency:
   group: "${{github.workflow}}-${{github.ref}}"
   # Cancel in-progress jobs for efficiency; Exclude the `main` branch.
   cancel-in-progress: "${{github.ref != 'refs/heads/main'}}"
 
+permissions:
+  contents: read
+
 jobs:
   integration-tests:

Adjust permissions if the integration tests require additional access (e.g., packages: read if pulling from GitHub Container Registry).

As per static analysis tool zizmor, which flagged "overly broad permissions (excessive-permissions)".

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[info] 24-24: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/clp-integration-tests.yaml around lines 23 - 43, The
workflow currently lacks an explicit permissions block, which means it inherits
default GitHub Actions permissions that may be broader than necessary. Add a
top-level permissions block after the concurrency block (if present) to define
minimal explicit permissions required for the integration tests workflow. Set
all default permissions to false and only enable specific permissions that the
integration tests genuinely require (such as contents: read for checking out
code). If the integration tests need additional access like pulling from GitHub
Container Registry, add packages: read accordingly. This follows the principle
of least privilege and reduces security risk if the workflow or its dependencies
are compromised.

Source: Linters/SAST tools

cancel-in-progress: "${{github.ref != 'refs/heads/main'}}"

jobs:
integration-tests:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider adding a descriptive name field to the job.

The job has an ID (integration-tests) but no name field. Adding a name improves readability in the GitHub Actions UI.

📝 Proposed addition
 jobs:
   integration-tests:
+    name: "Integration Tests"
     # Runs only on Ubuntu Noble (24.04) because the integration test suite can't run on macOS.
     runs-on: "ubuntu-24.04"

As per static analysis tool zizmor, which noted "workflow or action definition without a name (anonymous-definition)".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
integration-tests:
integration-tests:
name: "Integration Tests"
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 24-44: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[info] 24-24: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/clp-integration-tests.yaml at line 24, Add a descriptive
`name` field to the `integration-tests` job definition in the workflow file.
After the job ID `integration-tests:`, add a `name` property with a clear,
human-readable description of what the job does. This improves visibility and
readability in the GitHub Actions UI when viewing workflow runs.

Source: Linters/SAST tools

Comment on lines +29 to +31
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
with:
submodules: "recursive"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable credential persistence to prevent token leakage.

The checkout action defaults to persist-credentials: true, which stores the GitHub token in the local git config. If the task tests:integration command builds or executes untrusted code, or if dependencies are compromised, the token could be leaked. Set persist-credentials: false unless git operations are required in subsequent steps.

🔐 Proposed fix
       - uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"  # v6.0.2
         with:
           submodules: "recursive"
+          persist-credentials: false

As per static analysis tool zizmor, which flagged "credential persistence through GitHub Actions artefacts (artipacked)".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
with:
submodules: "recursive"
- uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
with:
submodules: "recursive"
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 29-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/clp-integration-tests.yaml around lines 29 - 31, The
actions/checkout step in the workflow defaults to persist-credentials: true,
which stores the GitHub token in the git config and could expose it if untrusted
code is executed during the task tests:integration command. Add
persist-credentials: false to the with section of the actions/checkout action to
disable credential persistence, unless subsequent workflow steps explicitly
require authenticated git operations.

Source: Linters/SAST tools

Comment on lines +37 to +39
- uses: "./tools/yscope-dev-utils/exports/github/actions/install-uv"
with:
version: "0.8"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check the install-uv action's expected version format by examining its inputs definition.

# Check the action.yml for the install-uv action to see version format requirements
fd -t f 'action.ya?ml' tools/yscope-dev-utils/exports/github/actions/install-uv/ --exec cat {}

Repository: y-scope/clp

Length of output: 200


🏁 Script executed:

fd -t f 'action.ya?ml'

Repository: y-scope/clp

Length of output: 37


🏁 Script executed:

fd -t d 'install-uv'

Repository: y-scope/clp

Length of output: 37


🏁 Script executed:

rg -t yaml 'install-uv' --max-count=10

Repository: y-scope/clp

Length of output: 37


🏁 Script executed:

cat -n .github/workflows/clp-integration-tests.yaml

Repository: y-scope/clp

Length of output: 1512


🏁 Script executed:

git ls-files | grep -i 'yscope\|install-uv'

Repository: y-scope/clp

Length of output: 553


🏁 Script executed:

find . -name 'action.yml' -o -name 'action.yaml' 2>/dev/null | head -20

Repository: y-scope/clp

Length of output: 208


🏁 Script executed:

cat .gitmodules 2>/dev/null || echo "No .gitmodules file"

Repository: y-scope/clp

Length of output: 178


🏁 Script executed:

ls -la tools/yscope-dev-utils/ 2>/dev/null | head -20

Repository: y-scope/clp

Length of output: 164


🏁 Script executed:

find tools/yscope-dev-utils -name 'action.ya?ml' 2>/dev/null

Repository: y-scope/clp

Length of output: 37


🌐 Web query:

yscope-dev-utils install-uv GitHub action version format

💡 Result:

There is no GitHub Action officially named yscope-dev-utils/install-uv. The primary action for setting up uv in GitHub Actions workflows is astral-sh/setup-uv [1][2]. If you are looking to specify the version format for the astral-sh/setup-uv action, the version input accepts the following formats [3]: - Specific Version: A concrete semver string (e.g., "0.4.4") [3]. - Latest: The string "latest" (default behavior if no version is specified) [3]. - Version Ranges: Semver ranges (e.g., ">=0.4.0") [3]. - Configuration Files: You can use the version-file input to point to a pyproject.toml or uv.toml file, and the action will resolve the required version from those files [3]. If you are using the y-scope/yscope-dev-utils repository [4], it appears to be a collection of C++ linting configurations, scripts, and internal tools, rather than a provider of a uv installation action [4][5]. If you have encountered a workflow referring to yscope-dev-utils, it may be a private or custom reference unique to your project's internal tooling [4].

Citations:


🌐 Web query:

uv package manager version format "0.8" valid

💡 Result:

The version string "0.8" is generally not a valid, canonical version format for a release of the uv package manager itself, nor is it typically used as a complete version identifier in Python packaging contexts. Official releases of the uv package manager follow a major.minor.patch versioning scheme (e.g., 0.8.0) [1][2][3]. Versions like "0.8.0" are valid and were officially released [1][2]. In Python packaging more broadly—which uv adheres to [4]—version specifiers and version identifiers must follow PEP 440 standards [4]. A simple "0.8" string is often interpreted as a truncated version identifier. While some systems or tools might permit such shorthand during input, it is generally normalized to a canonical form like "0.8.0" for internal operations, comparison, and metadata [4]. If you are referring to the uv package manager's own versioning policy: - uv uses a custom scheme where the minor version is bumped for breaking changes and the patch version is bumped for non-breaking changes [5][6]. - "0.8" is not used as a full release identifier; the project explicitly uses "0.8.0", "0.8.1", etc. [2] If you are using "0.8" in a dependency constraint (e.g., in a pyproject.toml file), it may be accepted by some resolvers as a prefix or shorthand, but using the explicit canonical format (e.g., "==0.8.0" or ">=0.8.0") is recommended to ensure compatibility and avoid ambiguity [7].

Citations:


🌐 Web query:

uv Python installer version format requirements

💡 Result:

The uv Python installer supports several flexible formats for requesting Python versions, which can be used in commands (such as uv python install or --python), configuration files (like.python-version), or inline script metadata [1][2][3]. Supported request formats include: Version numbers: Simple strings specifying the version (e.g., 3, 3.12, 3.12.3) [1][2]. Version constraints: Standard PEP 440 specifiers (e.g., >=3.12,<3.13) [1][2][4]. Specific build variants: Versions with suffixes (e.g., 3.13t, 3.12.0d) [1][2]. Build metadata/freethreaded: Versions with + markers (e.g., 3.13+freethreaded, 3.12.0+debug, 3.14+gil) [1][2]. Implementation identifiers: Names (e.g., cpython or cp) [1][2]. Implementation with version: Combinations using @ (e.g., cpython@3.12) or shorthand prefixes (e.g., cpython3.12, cp312) [1][2]. Implementation with constraints: Combinations using constraints (e.g., cpython>=3.12,<3.13) [1][2]. Full platform identifiers: Specific build strings (e.g., cpython-3.12.3-macos-aarch64-none) [1][2]. Additionally, uv supports requesting specific local system interpreters by providing a file path (e.g., /opt/homebrew/bin/python3), an environment name (e.g., mypython3), or a directory path (e.g., /some/environment/) [1][2]. When using these formats, uv respects project-level configurations like.python-version files (which can contain any of the supported formats) and requires-python fields in pyproject.toml [1][2][5]. While most formats are broadly supported, requests involving specific local file paths are generally restricted to flags (e.g., --python) and are not used for general installation requests [1][2]. Using a simple version number is recommended for better interoperability with other tools [1][2].

Citations:


Correct the uv version format to include patch version.

The version string should be "0.8.0" instead of "0.8". The uv package manager uses major.minor.patch versioning (e.g., official releases are 0.8.0, 0.8.1, etc.), not major.minor only. While some installation actions may accept and normalize shorthand versions, using the canonical semver format "0.8.0" is the recommended practice.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/clp-integration-tests.yaml around lines 37 - 39, The uv
installation action in the install-uv step specifies the version as "0.8" in
shorthand format, but the uv package manager requires the complete semantic
versioning format with the patch version included. Change the version parameter
value from "0.8" to "0.8.0" to match the canonical semver format that uv uses
for official releases.

@quinntaylormitchell quinntaylormitchell marked this pull request as draft June 15, 2026 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant