ci: GitHub Actions Tests workflow — pytest matrix + mypy + gitleaks (closes #13) #19
There was no CI on this repository — 137 unit tests in tests/ were only ever run when a developer remembered to run them locally. A regression that broke CLI parity, exclusion rules, exporter output, alias inference, or search filtering could land on master with no gate.

New workflow `.github/workflows/tests.yml`:
- Triggers on every push to master and every pull request.
- Single ubuntu-latest runner, Python 3.12.
- Installs only what the tests need (flask, fpdf2). pywebview from requirements.txt is the desktop-launcher dep and pulls GTK / Qt system packages — out of scope for the unittest suite, so it is deliberately omitted from the CI install. The unittest suite imports neither.
- Runs `python -m unittest discover tests -v`.

Local sanity-check with the same command on Python 3.12: 137/137 OK.
Replace @v4 / @v5 tag refs with the matching commit SHAs on actions/checkout and actions/setup-python. Tags are mutable — a compromised maintainer can repoint them, silently swapping the code that runs in our CI runner. SHAs are immutable and remove that class of supply-chain risk.

Verified each SHA against the live tag on github.com:

    gh api repos/actions/checkout/git/ref/tags/v4 \
      --jq '.object.sha'   # 34e114876b0b11c390a56381ad16ebd13914f8d5
    gh api repos/actions/setup-python/git/ref/tags/v5 \
      --jq '.object.sha'   # a26af69be951a213d495a4c3e4e4022e16d87065

The trailing `# v4` / `# v5` comments preserve the major-version intent so future bumps stay deliberate. The leading comment block documents the bump procedure for the next person.
The previous shape was a single ubuntu-latest / Python 3.12 unittest job. Expanded to match the broader gate quality the team adopted on the-claw:
- unittest: 3 OSes × 3 Pythons = 9 cells (3.11 / 3.12 / 3.13 across ubuntu-latest, macos-latest, windows-latest). Catches Python version drift and the rare path / line-ending issue single-OS hides. fail-fast false so cells run independently.
- typecheck: mypy on Python 3.12. Codebase already has 70+ typed functions across 30 .py files, so mypy actually does work. Lenient config (--ignore-missing-imports, --no-strict-optional) + continue-on-error step until the surface is clean.
- secret-scan: gitleaks 8.21.2 with checksum verification (mirrors the-claw's setup verbatim). No project-specific .gitleaks.toml; uses defaults for standard credential patterns.

Concurrency block added so a new push to the same ref cancels the in-flight run, reducing CI minutes. Action SHAs unchanged from the previous workflow (already pinned).
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/tests.yml:
- Around line 1-12: Add an explicit top-level permissions block to the "Tests"
workflow to enforce least-privilege for GITHUB_TOKEN: insert a permissions map
under the workflow root (below the name/on/concurrency keys) that lists only the
scopes this CI actually needs (for typical test workflows that is usually
permissions: contents: read, and add only any additional scopes required such as
pull-requests: write or packages: read) so the Tests workflow no longer inherits
broad repository/org defaults; update the permissions to the minimal set and
remove any unnecessary scopes.
Adds workflow-level `permissions: contents: read` so a compromised action step in any matrix cell can't write back to the repo. None of the jobs (unittest, typecheck, secret-scan) need write access — no commits, PR comments, or release publishes. Read-only is enough.
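The two hardening rules from the commit messages above (every `uses:` pinned to a full commit SHA with a `# vN` comment, and an explicit top-level `permissions:` block) written as a small policy checker. This is an added example, not code from the PR or the repository; the two sample workflows are constructed, and the only values taken from the thread are the two SHAs the author verified with `gh api`.

```python
"""Audit a workflow for the two hardening points in this PR: each `uses:` pinned to a full
commit SHA (a tag such as @v4 is mutable) with a `# vN` comment, and a top-level permissions block."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s]+)['\"]?\s*(?:#\s*(\S.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text: str) -> list[str]:
    """Return findings for an unpinned action or a missing permissions block; [] means clean."""
    findings = []
    # a top-level key starts in column 0; a `permissions:` nested under a job is indented
    if not re.search(r"^permissions:", text, re.MULTILINE):
        findings.append("no top-level permissions block; GITHUB_TOKEN inherits repo defaults")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m[1].startswith("docker://"):
            continue  # local `./path` actions carry no @ref and never match
        action, ref, note = m.groups()
        if not SHA_RE.match(ref):
            findings.append(f"line {lineno}: {action}@{ref} is a mutable ref, not a commit SHA")
        elif not note:
            findings.append(f"line {lineno}: {action} lacks a '# vN' comment recording the major version")
    return findings

# Constructed samples: the pre-PR shape and the hardened one. The SHAs are the ones the
# commit message above verified with `gh api`; nothing else is copied from the repo's tests.yml.
BEFORE = """\
name: Tests
on: [push, pull_request]
jobs:
  unittest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
"""
AFTER = """\
name: Tests
on: [push, pull_request]
permissions:
  contents: read
jobs:
  unittest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
"""

if __name__ == "__main__":
    print("before:", audit_workflow(BEFORE), "\nafter:", audit_workflow(AFTER) or "clean")
```

Run against a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; a non-empty list is a finding to fix before merge.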
bradjin8 left a comment:
Check the comments, both are optional.
Please confirm with the team for cost/scope before moving forward.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/tests.yml (1)
49-50: ⚡ Quick win: Add upper version bounds to prevent CI breakage on major releases.

Unbounded >= constraints risk sudden failures when upstream publishes major versions with breaking changes. mypy 2.0.0 was just released with breaking changes; adding upper bounds is essential for deterministic pipelines. For Flask and fpdf2, upper bounds provide future-proofing as well.

Suggested patch

- python -m pip install 'flask>=3.0' 'fpdf2>=2.7' + python -m pip install 'flask>=3.0,<4.0' 'fpdf2>=2.7,<3.0' ... - python -m pip install 'flask>=3.0' 'fpdf2>=2.7' 'mypy>=1.10' + python -m pip install 'flask>=3.0,<4.0' 'fpdf2>=2.7,<3.0' 'mypy>=1.10,<2.0'

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/tests.yml around lines 49 - 50, The CI workflow uses unbounded >= constraints for dependencies; update the pip install command to add conservative upper bounds to prevent breakage on future major releases by changing the package specs to include upper limits (e.g., constrain flask to <4.0 and fpdf2 to <3.0) so replace "flask>=3.0" with "flask>=3.0,<4.0" and "fpdf2>=2.7" with "fpdf2>=2.7,<3.0" in the python -m pip install line.
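Review bot: the suggested bounds `'flask>=3.0,<4.0'`, `'fpdf2>=2.7,<3.0'` and `'mypy>=1.10,<2.0'` still let every minor and patch release float, so the claim that they make the pipeline deterministic overstates what they do; they only shield against a major release. For mypy specifically the typecheck step already runs with continue-on-error, so a breaking mypy release would not fail the gate either way. If reproducibility is the goal, pin exact versions (or a hash-locked requirements file) and bump deliberately, the same way the action SHAs are handled in this workflow.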
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/tests.yml:
- Around line 19-25: The workflow comment and job name claim cross-OS coverage
but the job is Ubuntu-only; update the unit test comment and the "unittest" job
name to reflect Ubuntu-only scope (or convert the matrix to include multiple
OSes) so they are accurate: edit the comment block above the unittest job and
the job name string that currently uses "${{ matrix.os }} / Python ${{
matrix.python-version }}" and either remove/mutate references to matrix.os or
adjust the matrix to include other OSes; ensure consistency between the comment,
the matrix definition, and the unittest job name.
# ── Unit tests: matrix across OS and Python version ───────────────────────
# Closes #13. The unittest suite is the merge gate. Multi-OS catches the
# rare path / line-ending issue that a single-OS run hides; multi-Python
# catches API drift across LTS / current / latest interpreters.
unittest:
  name: Unit tests (${{ matrix.os }} / Python ${{ matrix.python-version }})
  runs-on: ${{ matrix.os }}
Update matrix comments/name to match actual Ubuntu-only scope.
Line 19–23 describes cross-OS coverage, but Line 29 is Ubuntu-only. This is misleading during triage and maintenance.
✏️ Suggested patch
- # ── Unit tests: matrix across OS and Python version ───────────────────────
+ # ── Unit tests: matrix across Python versions on Ubuntu ───────────────────
# Closes `#13`. The unittest suite is the merge gate. Multi-OS catches the
- # rare path / line-ending issue that a single-OS run hides; multi-Python
+ # rare path / line-ending issue that a single-OS run hides; multi-Python
# catches API drift across LTS / current / latest interpreters.
unittest:
- name: Unit tests (${{ matrix.os }} / Python ${{ matrix.python-version }})
+ name: Unit tests (Ubuntu / Python ${{ matrix.python-version }})

Also applies to: 29-29
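Review bot: the unchanged context lines `# Closes #13. The unittest suite is the merge gate. Multi-OS catches the` and `# rare path / line-ending issue that a single-OS run hides; multi-Python` still describe multi-OS coverage, so applying only the header and job-name changes leaves the comment contradicting itself; either drop that sentence as well or keep the original wording and widen the matrix. Note also that the commit message at the top of this thread and the PR description both list ubuntu-latest, macos-latest and windows-latest, and the rendered lines above show `runs-on: ${{ matrix.os }}`, so confirm what line 29 actually contains before applying this patch at all.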
First in-repo CI workflow for cppa-cursor-browser.

What this gates
- [ubuntu-latest, macos-latest, windows-latest] × [3.11, 3.12, 3.13]). Required.
- `--ignore-missing-imports --no-strict-optional`) + step-level `continue-on-error: true` until the surface is clean.

Why this scope
What this PR deliberately does NOT add:
- `ruff.toml` or `pyproject.toml`); separate decision
- `mypy` and `gitleaks` are OS-agnostic, multi-OS would be wasted CI minutes

Test plan
- `python -m unittest discover tests` — 137 tests pass locally
- `python yaml.safe_load` + `actionlint` clean on the workflow
- `@v4` / `@v5` mutable tags)
- `continue-on-error`)

Closes #13.