CI: streamline risk-scoped PR verification#454
Conversation
Add conservative change classification, an always-reporting required aggregate, production-backed offline RAG contracts, and a fast critical UI gate with advisory regression coverage. Verified with verify:cheap, verify:pr-local, 124 Chromium tests, and CI workflow guards.
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
📝 WalkthroughWalkthroughThe PR adds path-scoped CI classification, local PR verification, offline RAG preflight checks, critical/advisory UI test commands, a consolidated required gate, and updated Codex review-policy and process documentation. ChangesPR verification and merge gating
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant changes
participant ScopedJobs
participant pr-required
participant release-browser-matrix
GitHubActions->>changes: classify changed files
changes->>ScopedJobs: provide scope outputs
ScopedJobs->>pr-required: report job results
pr-required->>release-browser-matrix: provide required aggregate status
🚥 Pre-merge checks | ✅ 10 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (10 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e66c2a9fc6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/ci-change-scope.mjs`:
- Around line 292-294: Update the GITHUB_ACTIONS fallback in classify() so
unknown-base changes also trigger RAG evaluation: add a sentinel path matching
ragEvalPatterns (or return an explicit force_all scope), and ensure the
corresponding CI output/job consumes it to run offline RAG verification.
- Around line 255-259: Prevent a feature-branch upstream from being used as the
local diff base: in the base-ref selection logic, replace the `return upstream
|| null` fallback after checking known branches with `return null`, or otherwise
classify the scope as full when no recognized base branch is available.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: f8d43e5d-4f6b-455c-b078-3814db08d31a
📒 Files selected for processing (12)
.github/pull_request_template.md.github/workflows/ci.ymlAGENTS.mddocs/branch-review-ledger.mddocs/process-hardening.mdpackage.jsonscripts/check-codex-autofix-workflow.mjsscripts/ci-change-scope.mjsscripts/eval-rag-offline.mjsscripts/verify-pr-local.mjstests/rag-offline-answer.test.tstests/ui-smoke.spec.ts
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
# Conflicts: # AGENTS.md # docs/branch-review-ledger.md # scripts/check-codex-autofix-workflow.mjs
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Summary
Why
The previous required workflow repeated expensive work and made broad browser and migration checks block unrelated pull requests. This keeps deterministic and clinical safety checks while reducing the required UI gate from roughly ten minutes to about thirty seconds.
Verification
npm run verify:cheap: passed; 152 test files passed, 1 skipped; 1,426 tests passed, 1 skipped.npm run verify:pr-local: passed; runtime, full formatting, lint, typecheck, 1,426 unit tests, production Next.js build, and offline RAG preflight completed.npm run eval:rag:offline: passed; 36 fixture cases validated and 57/57 production contract tests passed with providers mocked and credentials removed.npm run test:e2e:critical: passed; 5/5 Chromium contract tests in about 29 seconds.npm run test:e2e:advisory: passed; 119/119 Chromium regression tests in 9.8 minutes.npm run check:ci-scope: passed, including coverage-config, runtime-data, rename, unknown-base, and unstaged-path regression cases.npm run check:github-actions: passed; GitHub Action pin validation completed.npm run check:codex-autofix-workflow: passed; scoped auto-resolve workflow guard completed.npm run format:check: passed; all repository files match Prettier formatting.git diff --check: passed; no whitespace errors.Not Run
Risk and Governance
This is CI, test, and process infrastructure only. The offline RAG gate invokes production retrieval and answer-contract code with credentials removed and providers mocked; live clinical eval requirements remain unchanged for relevant future PRs. Branch protection now requires
CI / PR requiredandSecret Scan / Gitleaks; Semgrep remains advisory.