[Audit] Fix CI/tooling version drift across config files (#1957) #2003
Open
mvillmow wants to merge 4 commits into
…itleaks

- Create .github/pixi-version canonical file (v0.67.2)
- Implement scripts/check_ci_version_sync.py with three independent checks:
  1. Pixi version consistency (canonical file vs workflows/Containerfile)
  2. setup-pixi action SHA consistency (v0.9.5 now unified)
  3. Gitleaks version consistency (v8.30.1 across all sources)
- Add pre-commit hook to enforce drift detection
- Update .github/actions/setup-pixi/action.yml to read from canonical version
- Update .github/workflows/_required.yml pixi-check job to read from canonical
- Add artifact upload step for built distributions (retention: 7 days)
- Add comprehensive unit tests (24 test cases covering all three checks)

Addresses issue #1957 acceptance criteria:
- Single source of truth for pixi version
- Single source of truth for gitleaks version
- just typecheck path already correct
- Docker SHA divergence documented with operational rationale
- Build artifacts now uploaded on success
- Root Dockerfile already removed

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>

- Restore pixi.lock to main (pixi.toml unchanged; swarm reformatted lock)
- Replace list(set)[0] with next(iter(...)) in check_ci_version_sync.py

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>

…xer)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>

…n and _required.yml

After rebasing onto current main, the composite action pinned setup-pixi to v0.9.5 (1b2de7f) while _required.yml used v0.9.6 (5185adf). The new check-ci-version-sync hook (this PR) requires a single consistent SHA, so align the composite action to v0.9.6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Summary
Unified CI tooling version management across config files with mechanical drift detection.
Addresses all six acceptance criteria from issue #1957:
- just typecheck path already correct at src/scylla/
- /Dockerfile already removed from repo

Implementation
- .github/pixi-version: Canonical pixi version file (v0.67.2)
- scripts/check_ci_version_sync.py: Pre-commit drift checker with three independent validations:
- .pre-commit-config.yaml: New hook to prevent version drift
- .github/actions/setup-pixi/action.yml: Reads canonical version dynamically
- .github/workflows/_required.yml: pixi-check job reads canonical version; build job uploads artifacts
- tests/unit/scripts/test_check_ci_version_sync.py: 24 comprehensive test cases

Testing
✅ All 24 unit tests pass
✅ Pre-commit hook validates current repo state
✅ No backup files
✅ All code formatted and type-checked
Closes #1957
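
A sketch of the kind of drift check this PR describes, added here as an illustration and not taken from scripts/check_ci_version_sync.py: it compares literal `pixi-version` values against the canonical file and requires every `setup-pixi` reference to use one identical ref. It goes slightly beyond the description by also flagging refs that are not full commit SHAs. The function name, the `prefix-dev` owner, the file contents and the placeholder SHAs are assumptions constructed for the example.

```python
import re

# `uses: <owner>/setup-pixi@<ref>`; a 40-hex ref is a full commit SHA pin.
USES_RE = re.compile(r"uses:\s*([\w.-]+/setup-pixi)@(\S+)")
PIXI_RE = re.compile(r"pixi-version:\s*['\"]?(v?\d+\.\d+\.\d+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def find_drift(canonical, files):
    """Return drift findings. canonical: text of the canonical version file;
    files: mapping of path -> file text (hypothetical helper, not the PR's API)."""
    want = canonical.strip()
    findings, pins = [], {}  # pins: ref -> paths that use it
    for path, text in sorted(files.items()):
        for line in text.splitlines():
            code = line.split("#", 1)[0]  # drop comments such as "# v0.9.6"
            m = PIXI_RE.search(code)
            if m and m.group(1) != want:
                findings.append(f"{path}: pixi {m.group(1)} != canonical {want}")
            m = USES_RE.search(code)
            if m:
                ref = m.group(2)
                if not SHA_RE.fullmatch(ref):
                    findings.append(f"{path}: setup-pixi ref {ref!r} is not a full commit SHA")
                pins.setdefault(ref, []).append(path)
    if len(pins) > 1:
        detail = "; ".join(f"{r[:7]} in {', '.join(p)}" for r, p in sorted(pins.items()))
        findings.append(f"setup-pixi pinned to {len(pins)} different refs: {detail}")
    return findings


# Constructed sample input: placeholder SHAs and file bodies, not the repo's real content.
SHA_A, SHA_B = "a" * 40, "b" * 40
SAMPLE = {
    ".github/actions/setup-pixi/action.yml":
        f"  - uses: prefix-dev/setup-pixi@{SHA_A}  # v0.9.5\n    with:\n      pixi-version: v0.67.2\n",
    ".github/workflows/_required.yml":
        f"  - uses: prefix-dev/setup-pixi@{SHA_B}  # v0.9.6\n    with:\n      pixi-version: v0.66.0\n",
}

if __name__ == "__main__":
    for finding in find_drift("v0.67.2\n", SAMPLE):
        print(finding)
```
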