ci: Auto-accept API verifier changes in PRs #5228
Merged
Adds a new `verify api` workflow that runs the ApiApprovalTests on macOS (covers .NET / netstandard / iOS / MacCatalyst / Android TFMs) and Windows (covers the net48 / .NET Framework TFM), then runs scripts/accept-verifier-changes.ps1 over the resulting *.received.* files and pushes the accepted snapshots back to the PR branch. When API changes are accepted, the PR is also labelled `public API`. For PRs from forks (where we can't push back), the workflow fails with a hint telling the contributor how to accept the changes locally.
Closes #5157
Co-Authored-By: Claude <noreply@anthropic.com>
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #5228 +/- ##
==========================================
+ Coverage 74.13% 74.15% +0.01%
==========================================
Files 508 508
Lines 18282 18353 +71
Branches 3574 3586 +12
==========================================
+ Hits 13554 13610 +56
- Misses 3859 3870 +11
- Partials 869 873 +4
The workflow-level `contents: write` token was inherited by `run-api-tests`, which builds and runs untrusted PR code. Scope tokens per-job instead:
- run-api-tests: contents: read
- accept-api-changes: contents: write, pull-requests: write
- report-fork-api-changes: contents: read
Co-Authored-By: Claude <noreply@anthropic.com>
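The token scoping described in this commit message, as an added before/after sketch that is not the workflow file from the PR. The job names and permission values come from the commit message; the `needs` edges, the `ubuntu-latest` runners, the `actions/checkout@v4` version and the placeholder `echo` steps are assumptions. The two versions of the file are separated by `---`.

```yaml
# BEFORE: a single workflow-level grant, inherited by every job.
name: verify api
on: pull_request
permissions:
  contents: write
jobs:
  run-api-tests:                 # executes PR code while holding a write token
    runs-on: macos-15
    steps:
      - uses: actions/checkout@v4
      - run: echo "build and run ApiApprovalTests (placeholder step)"
---
# AFTER: no workflow-level grant; each job declares only what it needs.
name: verify api
on: pull_request
jobs:
  run-api-tests:                 # untrusted PR code: read-only token
    permissions:
      contents: read
    strategy:
      matrix:
        os: [macos-15, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - run: echo "build and run ApiApprovalTests (placeholder step)"
  accept-api-changes:
    needs: run-api-tests         # assumption: consumes the matrix artifacts
    permissions:
      contents: write            # push accepted snapshots to the PR branch
      pull-requests: write       # add the `public API` label
    runs-on: ubuntu-latest       # assumption
    steps:
      - run: echo "accept snapshots and push (placeholder step)"
  report-fork-api-changes:
    needs: run-api-tests         # assumption
    permissions:
      contents: read
    runs-on: ubuntu-latest       # assumption
    steps:
      - run: echo "print how to accept changes locally (placeholder step)"
```

Any scope that a job's `permissions` block does not list is set to `none` for that job, so the read-only test job cannot push or label even if the PR code reads the token.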
The pattern branch of actions/download-artifact (no `name`/`artifact-ids`, only `pattern`) tolerates zero matches without erroring — see https://github.com/actions/download-artifact/blob/main/src/download-artifact.ts. So `continue-on-error: true` isn't needed for the clean-PR case and would otherwise mask genuine download failures.
Co-Authored-By: Claude <noreply@anthropic.com>
Flash0ver
reviewed
Jun 23, 2026
Flash0ver
reviewed
Jun 23, 2026
The 'public API' label already exists in the repo, so the create call just no-ops via '|| true'. Drop it and add the label directly.
Reviewer feedback:
- Add 'commands' to the intro so the plural matches the two-line block.
- Bare 'dotnet test' from repo root fails (two SLNX files, several SLNF files). Point users at SentryNoMobile.slnf + the ApiApprovalTests filter — works on every OS without mobile workloads.
matrix.slnf isn't in scope from the separate report-fork-api-changes job, so the guidance had to name a different solution filter than CI actually ran. Move the failure check into the matrix job so each OS prints the exact filter it used. Drop the now-redundant fork-PR reporting job.
Both workflows auto-commit and push to the PR branch. If both fire on the same PR and both find changes, the second git push is rejected as non-fast-forward. Share a concurrency group so only one runs at a time per PR.
Run scripts/generate-solution-filters.ps1 to add the perfview FastSerialization/TraceEvent projects that the generator now includes in the Windows/Windows-arm64/macOS CI filters.
upload-artifact@v4 strips the longest common parent from wildcard paths, so '**/*.received.txt' would restore as Sentry.Tests/... instead of test/Sentry.Tests/... in the accept job. accept-verifier-changes.ps1 renames each received file to a sibling .verified.txt — at the wrong path — leaving the real snapshots untouched. Tar the files first to preserve full paths through upload/download.
actions/checkout defaults to the pull_request merge ref (PR + target branch), so the matrix job was running ApiApprovalTests against a tree that differed from the PR head. The accept job then committed those .verified.txt files onto the PR head — which doesn't contain target's changes — guaranteeing the next run would fail again. Pin the matrix checkout to pull_request.head.sha so both jobs operate on the same tree.
Two related findings from review bots:
1. accept-api-changes was checking out head.ref (latest branch tip) while the matrix snapshotted head.sha (event-time tip). If the contributor pushed during the run, accept would commit old verified files on top of new code.
2. The blind 'git push' could fail non-fast-forward if the branch moved.
Pin both jobs to head.sha. Push from detached HEAD to refs/heads/head.ref so the push fails fast (non-FF) if the branch advanced — re-running then regenerates a fresh snapshot against the new head.
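The checkout pinning and detached-HEAD push from the last two commit messages, as an added sketch that is not the PR's own workflow file. The `ubuntu-latest` runner, the `actions/checkout@v4` version, the bot identity, the commit message and the placeholder `echo` steps are assumptions; passing the branch name through `env` is an added hardening choice that the page does not mention.

```yaml
jobs:
  run-api-tests:
    permissions:
      contents: read
    strategy:
      matrix:
        os: [macos-15, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Event-time PR tip, not the default merge ref (PR + target branch).
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "run ApiApprovalTests, upload received files (placeholder)"

  accept-api-changes:
    needs: run-api-tests
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-latest              # assumption
    steps:
      - uses: actions/checkout@v4
        with:
          # Same commit the matrix tested; the work tree is a detached HEAD.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "restore received files, run accept-verifier-changes.ps1 (placeholder)"
      - name: Commit and push accepted snapshots
        env:
          # Branch names are contributor-controlled: pass them through env
          # instead of expanding the expression inside the script text.
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git config user.name  "ci-bot"                  # placeholder identity
          git config user.email "ci-bot@example.invalid"  # placeholder identity
          git add -- '*.verified.txt'                     # stage snapshots only
          if git diff --cached --quiet; then exit 0; fi   # nothing accepted
          git commit -m "Accept API verifier changes"     # placeholder message
          # No --force: if the branch moved past head.sha, the push is
          # rejected as non-fast-forward and the job fails.
          git push origin "HEAD:refs/heads/${HEAD_REF}"
```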
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 13a480e.
@Flash0ver after an epic game of ping pong between me and the bot reviewers, this is ready for review again...
Flash0ver
approved these changes
Jun 24, 2026

Summary
Adds a new `verify api` workflow that auto-accepts API approval test snapshot changes on PRs, similar to the existing `format-code` workflow.
`ApiApprovalTests` on a matrix of `macos-15` (covers .NET / netstandard / iOS / MacCatalyst / Android TFMs) and `windows-latest` (covers the `net48` / .NET Framework TFM, which is the common pain point when developing on non-Windows).
`*.received.*` files as artifacts.
`scripts/accept-verifier-changes.ps1`, and pushes the accepted snapshots back to the PR branch.
`public API`
`format-code.yml`.
The Alternative suggested in the issue (switching to `Microsoft.CodeAnalysis.PublicApiAnalyzers`) is intentionally out of scope for this PR and can be considered in a follow-up.
Closes #5157