
ci: switch to ubuntu-latest & revised matrixes #32

Closed
danielbrunt57 wants to merge 7 commits into alandtse:main from danielbrunt57:CI-appears-to-be-blocked-waiting-for-GitHub-hosted-runners

Conversation

danielbrunt57 (Contributor) commented Jan 28, 2026

Updated GitHub Actions workflow

  • runs-on: ubuntu-latest ✅ uses the most available runner pool
  • max-parallel: 1 ✅ lets jobs start as soon as one runner is free (no “need 3 at once” bottleneck)
  • python-version: "3.12" ✅ reduces runner demand to a single job (fast feedback) for general PRs.
  • retains existing full matrix for main PRs

Summary by CodeRabbit

  • Chores
    • Restructured CI into a fast-feedback PR workflow and a full matrix workflow for main/master pushes; PR job now runs a single fast Python path while main runs a broader matrix. Expanded triggers to include pushes to main/master, improved checkout behavior, enhanced coverage reporting with token usage, and added legacy compatibility and markdown link checks.
  • Tests
    • Expanded Python test matrix to cover 3.10–3.12.

coderabbitai bot commented Jan 28, 2026

Walkthrough

Split CI into a fast pr job (pull_request, Python 3.12) and a main job (push to main/master, Python 3.10–3.12 matrix); upgraded actions, switched Codecov to v5 with token, removed Coveralls, added legacy public checks and set fetch-depth: 0.

Changes

Cohort / File(s): GitHub Actions workflow (.github/workflows/pull-test.yml)
Summary: Replaced single build job with pr (PR-fast path, Python 3.12) and main (push to main/master, Python 3.10–3.12 matrix). Upgraded actions/checkout@v4, actions/setup-python@v5, switched codecov-action → v5 and added CODECOV_TOKEN; removed Coveralls steps; added legacy public jobs (build_39, markdown_link_check); set fetch-depth: 0 and constrained matrix parallelism.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub
    participant Runner as Actions Runner
    participant Checkout as actions/checkout@v4
    participant Setup as actions/setup-python@v5
    participant Tests as Test runner (tox)
    participant Codecov as Codecov Action (v5)

    Dev->>GH: open PR or push to main/master
    GH->>Runner: trigger `pr` (pull_request) or `main` (push)
    Runner->>Checkout: checkout repo (fetch-depth: 0)
    Runner->>Setup: setup Python (matrix or single version)
    Runner->>Tests: install deps and run tests (tox)
    Tests->>Codecov: upload coverage (CODECOV_TOKEN)
    Codecov-->>Runner: ack

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

Two CI paths now split the road,
Quick PR sprint, main bears the load.
Actions bumped, reports align,
Old checks linger, sentinel fine. ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check: ✅ Passed. The title 'ci: switch to ubuntu-latest & revised matrixes' directly and specifically describes the main changes: switching to ubuntu-latest and revising the job matrices in the CI workflow.


coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/pull-test.yml:
- Around line 18-21: Remove the invalid job-level key "build:" from the workflow
so the job parses; specifically delete the stray "build:" line that appears
above "name: PR (Python 3.12)" (the job block containing the conditional "if:
github.event_name == 'pull_request'") so the YAML only contains valid job keys.
- Around line 54-56: Replace the deprecated action reference
codecov/codecov-action@v1 with the current v5 release (e.g.
codecov/codecov-action@v5) and add the required token input if you’re not using
OIDC by including token: ${{ secrets.CODECOV_TOKEN }} in the action step; update
both occurrences (the step that currently shows verbose: true and the other
occurrence around lines 96-98) so the workflow uses the v5 action and supplies
the token parameter.

danielbrunt57 and others added 2 commits January 27, 2026 16:49
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
danielbrunt57 (Contributor, Author) commented:

@alandtse,
CI is no longer blocked — workflows are running correctly now.
The remaining “Expected — Waiting for status” checks are due to branch protection still requiring legacy checks (build (3.9) and markdown-link-check) that are no longer produced by any workflow.
Those required checks need to be updated or removed in branch protection for PRs to merge.

Added legacy required checks for branch protection including compatibility status and markdown link check.
alandtse (Owner) commented:

With CI changes, please test in your own fork with test PRs and confirm they pass. It can be a hassle if they break the main repo.

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/pull-test.yml:
- Around line 111-123: The markdown_link_check job currently uses the deprecated
action gaurav-nelson/github-action-markdown-link-check@v1; replace that "uses"
line in the markdown_link_check job with a maintained alternative such as
lycheeverse/lychee-action@v2 or nosborn/github-action-markdown-cli@v1 and update
the job's step inputs to the new action's parameters (e.g., for lychee set args
to check markdown files or configure patterns; for markdown-cli adapt to its CLI
options), ensuring the step name remains "Check markdown links" and preserving
the runs-on/if/checkout step so branch-protection behavior is unchanged.
🧹 Nitpick comments (1)
.github/workflows/pull-test.yml (1)

101-110: Placeholder job for legacy branch protection.

This job exists solely to satisfy a branch protection rule requiring a "build (3.9)" check. Consider adding a comment about removing this once branch protection is updated, or document the intent more explicitly.

📝 Suggested comment enhancement
   # Legacy required checks for branch protection
+  # TODO: Remove this placeholder once branch protection rules are updated
   build_39:
     name: build (3.9)
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
       - name: Compatibility status
         run: |
           echo "Legacy required check for branch protection."
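Review bot: the TODO comment is fine, but the more important fact to record in that comment (or in the job `name`) is that the `Compatibility status` step is a bare `echo`, so the required "build (3.9)" check now passes unconditionally and branch protection no longer gates merges on any Python 3.9 test. Say so explicitly (for example "placeholder, runs no tests; remove with the branch-protection rule") so nobody reads the green check as 3.9 coverage, and track the branch-protection change together with this job.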

Replaced markdown link checker action with Lychee.
Removed the '--exclude-mail' argument from the workflow.
coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/pull-test.yml:
- Around line 101-110: The workflow contains a stub job build_39 (name: "build
(3.9)") that only echoes a message and gives false confidence about Python 3.9
testing; either replace the stub with a real Python 3.9 matrix entry (add 3.9 to
the existing `pr` matrix and run the same steps as other Python builds), remove
the build_39 job and coordinate removing the corresponding branch-protection
requirement, or at minimum rename the job to make it explicit it's a stub (e.g.,
change the `name` from "build (3.9)" to "build (3.9) - STUB"); update any
references to build_39 in branch protection or docs accordingly.

Clarified comment regarding legacy required checks for branch protection.
coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/pull-test.yml:
- Around line 53-56: The Codecov action invocation (codecov/codecov-action@v5)
uses the secrets.CODECOV_TOKEN unguarded which causes CI failures for forked PRs
or when the secret is missing; update the workflow step to conditionally run or
provide the token only when the secret is present (e.g., guard on
github.repository_owner == github.event.pull_request.head.repo.owner or check if
secrets.CODECOV_TOKEN) or enable OIDC by setting use_oidc: true so uploads
succeed without the secret; modify the step that references token: ${{
secrets.CODECOV_TOKEN }} (and add use_oidc: true as an alternative) so the
action is skipped or uses OIDC when the token is unavailable.

Comment on lines +53 to +56
- uses: codecov/codecov-action@v5
  with:
    token: ${{ secrets.CODECOV_TOKEN }}
    verbose: true # optional (default = false)

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Codecov v5 action authentication token requirements github actions

💡 Result:

  • Default (token-based auth): codecov/codecov-action@v5 can authenticate uploads with a Codecov upload token provided either as with: token: ... or env: CODECOV_TOKEN: .... (github.com)
  • When a token is required (per Codecov):
    • Private repos: token always required. (docs.codecov.com)
    • Public repos: token is required for protected-branch uploads unless your Codecov org has disabled token authentication for public repositories. (docs.codecov.com)
    • Public repos, “unprotected” (e.g., fork-prefixed) branches: token not required. (docs.codecov.com)
  • Tokenless option 1 (OIDC): Set use_oidc: true; any provided token is ignored, and your workflow/job must grant permissions: id-token: write. (github.com)
  • Tokenless option 2 (org setting for public repos): In Codecov org settings (“Global Upload Token”), admins can set tokens to Not required for public repos (available with action > v5.0). (docs.codecov.com)


🌐 Web query:

GitHub Actions secrets forked pull requests external contributors

💡 Result:

  • Forked PRs (external contributors) don’t get your repo secrets. Workflows triggered by pull_request from forks run with no access to repository secrets, and the provided GITHUB_TOKEN is read-only. [1]
  • You may also need to manually approve runs. For public repos, GitHub can require maintainer approval before running workflows for some outside contributors (by default, first-time contributors), configurable under Settings → Actions → General → “Approval for running fork pull request workflows from contributors.” [2]
  • How to approve a pending run: maintainers with write access can review the PR (especially any .github/workflows/ changes) and click “Approve workflows to run.” Runs awaiting approval for >30 days are deleted. [3]
  • If you need secrets on PRs, use pull_request_target very carefully. pull_request_target runs in the context of the base repo and can access secrets, but it’s risky if you run untrusted fork code (e.g., by checking out the fork and executing it). Also, enterprise policies note pull_request_target runs regardless of fork-approval settings. [4]
  • Private/internal repos can be configured to allow more—but it’s dangerous. Admin policies can allow fork PR workflows to receive write tokens and even secrets, and/or require approval first. [4]
  • Dependabot PRs are treated like forks. Their workflow runs get a read-only GITHUB_TOKEN and no secrets. [5]

Sources:
[1] https://github.blog/security/supply-chain-security/four-tips-to-keep-your-github-actions-workflows-secure/
[2] https://docs.github.com/en/enterprise-cloud%40latest/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository
[3] https://docs.github.com/en/actions/how-tos/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks
[4] https://docs.github.com/github-ae%40latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise
[5] https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/


🌐 Web query:

Codecov tokenless upload OIDC github actions

💡 Result:

Tokenless vs OIDC (GitHub Actions + Codecov)

1) “Tokenless upload” (no CODECOV_TOKEN)
Codecov will accept uploads without a token only when either:

  • the repo is public and your Codecov org has disabled token authentication for public repositories, or
  • the repo is public and the upload is for a commit on an “unprotected” branch (e.g. forkname:main). [2]

2) OIDC (no Codecov upload token, but still authenticated)
With the official Codecov GitHub Action, you can authenticate uploads using GitHub OIDC by setting use_oidc: true and granting id-token: write. Any token you pass will be ignored. [1]

permissions:
  contents: read
  id-token: write

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      use_oidc: true
      # files: ./coverage.xml   # optional

Note: Codecov Action v4 does not support tokenless uploading (it’s a breaking change in v4). [1]

Sources: [1] [2]


Guard Codecov upload for private repos or when secrets are unavailable.

Forked PRs don't receive repository secrets, so ${{ secrets.CODECOV_TOKEN }} is empty for external contributors. This matters only if your repo is private (token always required) or if Codecov requires tokens for protected branches in your org settings. Public repos with fork branches don't require a token. To avoid failures across all scenarios, add a conditional guard:

🔧 Suggested guard
-      - uses: codecov/codecov-action@v5
+      - name: Upload coverage to Codecov
+        if: ${{ secrets.CODECOV_TOKEN != '' }}
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true # optional (default = false)
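Review bot: the added `if: ${{ secrets.CODECOV_TOKEN != '' }}` will not work as a guard: the `secrets` context is not available in step-level `if` expressions, so GitHub rejects the workflow at parse time rather than skipping the step on forked PRs. Expose the secret through the job's `env` (`env:` / `CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}`) and test that instead, e.g. `if: env.CODECOV_TOKEN != ''`; the `token:` input under `with:` can stay as written.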

Alternatively, use OIDC (use_oidc: true) if your Codecov account supports it.

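The following workflow is an added example, not the repository's `.github/workflows/pull-test.yml` and not CodeRabbit's suggestion. It puts together the shape this PR describes (a single fast `pr` job on `pull_request`, a `max-parallel: 1` matrix job on pushes to main/master, `actions/checkout@v4`, `actions/setup-python@v5`, `codecov/codecov-action@v5`) with the Codecov upload guarded in a form GitHub Actions actually accepts: the `secrets` context cannot be referenced in a step-level `if`, so the token is copied into a job-level `env` variable and the guard tests that. The workflow name, step names and the `tox` invocation are assumptions; the project's real test command and tox configuration are not on this page.

```yaml
# Added example workflow (assumed names), not the project's own pull-test.yml.
name: tests

on:
  pull_request:
  push:
    branches: [main, master]

permissions:
  contents: read

jobs:
  # Fast path for every PR: one runner, one Python version.
  pr:
    name: PR (Python 3.12)
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    env:
      # Forked PRs receive no repository secrets, so this is empty for
      # external contributors. Copying it into env lets a step-level `if`
      # test it; the `secrets` context itself is not usable in step conditions.
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install and test   # assumed test command
        run: |
          python -m pip install --upgrade pip tox
          tox
      - name: Upload coverage to Codecov
        # Skipped on forked PRs instead of failing the job on a missing token.
        if: env.CODECOV_TOKEN != ''
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
        # Tokenless alternative from the Codecov notes above: drop `token:`,
        # set `use_oidc: true` here and add `id-token: write` under
        # `permissions:` at the top of the file.

  # Full matrix only on pushes to main/master; one job at a time, so a single
  # free runner is enough to make progress.
  main:
    name: main (Python ${{ matrix.python-version }})
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    strategy:
      max-parallel: 1
      fail-fast: false
      matrix:
        python-version: ["3.10", "3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install and test   # assumed test command
        run: |
          python -m pip install --upgrade pip tox
          tox
      - name: Upload coverage to Codecov
        # Push events run in the base repository and always have the secret,
        # so no guard is needed here.
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
```

The guard means an external contributor's PR still runs the tests but reports no coverage; if the repository is public and the Codecov org allows tokenless uploads for fork branches, the `if:` can be dropped and the empty token is simply ignored.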

@alandtse alandtse changed the title Refactor pull-test.yml using ubuntu-latest & revised matrixes ci: switch to ubuntu-latest & revised matrixes Jan 28, 2026
alandtse (Owner) commented:

Not sure why this is so complex of a refactor. I did a bump, not sure if it works but update your other PR.

@alandtse alandtse closed this Jan 28, 2026