
@Datron Datron (Collaborator) commented Oct 10, 2025

Problem

Missing checks for providers made it hard to make changes to our FFI, SDK and provider layers to support multiple languages.

Solution

Add provider checks that run in a PR to validate any FFI and provider changes.

@Datron Datron requested a review from a team as a code owner October 10, 2025 09:47

semanticdiff-com bot commented Oct 10, 2025

Comment on lines 232 to 327 (.github/workflows/ci_check_pr.yaml):
name: Provider Tests
runs-on: codebuild-superposition-${{ github.run_id }}-${{ github.run_attempt }}
strategy:
    matrix:
        provider:
            - kotlin
            # - js
            # - py
services:
    postgres:
        image: public.ecr.aws/docker/library/postgres:15-alpine3.21
        ports:
            - 5432:5432
        env:
            POSTGRES_PASSWORD: "docker"
            POSTGRES_DB: "config"
        restart: on-failure
        volumes:
            - ./docker-compose/postgres/data:/var/lib/postgresql/data

steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
          fetch-depth: 0

    - name: Install postgres libs
      run: |
          sudo apt-get -y install postgresql libpq-dev

    - name: Install Bun
      uses: oven-sh/setup-bun@v2

    - name: make binary executable
      run: chmod +x scripts/setup_provider_binaries.sh

    - name: Restore cache (if present)
      uses: actions/cache/restore@v4
      id: cache-restore
      with:
          path: |
              ~/.cargo/bin/
              ~/.cargo/registry/index/
              ~/.cargo/registry/cache/
              ~/.cargo/git/db/
              target/
          key: ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-test-

    - name: Install Rust
      uses: dtolnay/rust-toolchain@master
      with:
          toolchain: 1.86.0
          targets: wasm32-unknown-unknown
          components: rustfmt, clippy

    - name: Set up JDK 17 (for Kotlin tests)
      if: matrix.provider == 'kotlin'
      uses: actions/setup-java@v4
      with:
          java-version: "17"
          distribution: "temurin"

    - name: Make gradlew executable
      if: matrix.provider == 'kotlin'
      run: chmod +x clients/java/gradlew

    - name: Run Gradle assemble
      if: matrix.provider == 'kotlin'
      run: cd clients/java && ./gradlew assemble

    - name: Install Node.js (for JS tests)
      if: matrix.provider == 'js'
      uses: actions/setup-node@v4
      with:
          node-version: 18.19.0

    - name: Set up Python (for Python tests)
      if: matrix.provider == 'py'
      uses: actions/setup-python@v6
      with:
          python-version: "3.12"

    - name: Install uv
      if: matrix.provider == 'py'
      uses: astral-sh/setup-uv@v3
      with:
          version: "latest"

    - name: Run provider tests
      if: matrix.provider != 'py'
      shell: bash
      run: |
          cargo build --package superposition_core
          make test-${{ matrix.provider }}-provider
      env:
          APP_ENV: "TEST"

    - name: Run provider tests
      if: matrix.provider == 'py'
      shell: bash
      run: |
          cargo build --package superposition_core
          export UV_PROJECT_ENVIRONMENT="${pythonLocation}"
          make test-${{ matrix.provider }}-provider
      env:
          APP_ENV: "TEST"

Check warning: Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, about 12 hours ago)

To fix this problem, add an explicit permissions block to the provider-tests job in .github/workflows/ci_check_pr.yaml. Based on the steps it runs (installing dependencies, running tests, using caches), it appears that only read permissions to contents are required—no steps modify repo contents, pull-requests, or issues. So add:

permissions:
  contents: read

directly under the provider-tests: job definition (after line 232). This ensures that the job's GITHUB_TOKEN is restricted and adheres to least privilege. No further changes or imports are needed.

Suggested changeset 1
.github/workflows/ci_check_pr.yaml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci_check_pr.yaml b/.github/workflows/ci_check_pr.yaml
--- a/.github/workflows/ci_check_pr.yaml
+++ b/.github/workflows/ci_check_pr.yaml
@@ -230,6 +230,8 @@
 
     provider-tests:
         name: Provider Tests
+        permissions:
+            contents: read
         runs-on: codebuild-superposition-${{ github.run_id }}-${{ github.run_attempt }}
         strategy:
             matrix:
EOF
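Review bot: the added `permissions:` block at lines 166-167 scopes the GITHUB_TOKEN for `provider-tests` only, while the CodeQL finding is "workflow does not contain permissions"; any other job in ci_check_pr.yaml above line 230 that lacks its own block still runs with the repository's default token permissions. Prefer a workflow-level `permissions:` / `contents: read` at the top of the file and override per job only where a job genuinely needs more. The `contents: read` granted here is sufficient for the checkout, cache restore and build/test steps shown in the annotated lines, none of which write to the repository, pull requests or issues.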
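As an added example (not code from this PR or the superposition project), the check CodeQL is raising, written as a small Ruby script using only the standard-library YAML parser: it loads a workflow and reports every job whose GITHUB_TOKEN permissions are set neither at workflow level nor on the job, since a job-level block overrides the workflow-level one and the absence of both leaves the repository default in force. The two workflow texts are constructed, cut-down versions of the `provider-tests` job before and after the suggested fix; `effective_permissions`, `jobs_without_permissions` and the `ubuntu-latest` runner are assumptions of this example.

```ruby
require "yaml"

# Constructed sample (not the real ci_check_pr.yaml): the provider-tests job
# as it stands before the autofix, with no permissions block anywhere.
WORKFLOW_BEFORE = <<~YAML
  name: CI check PR
  on: [pull_request]
  jobs:
    provider-tests:
      name: Provider Tests
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
YAML

# Constructed sample with the autofix applied: the job itself declares
# `contents: read`, which is all checkout and cache restore need.
WORKFLOW_AFTER = <<~YAML
  name: CI check PR
  on: [pull_request]
  jobs:
    provider-tests:
      name: Provider Tests
      permissions:
        contents: read
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
YAML

# Permissions that apply to one job: a job-level block overrides a
# workflow-level one; if neither exists the token receives the repository's
# default permission set, which is what the CodeQL finding points at.
def effective_permissions(doc, job_id)
  job = doc.fetch("jobs").fetch(job_id)
  job["permissions"] || doc["permissions"] || :repository_default
end

# Ids of every job that would run with the repository default token.
def jobs_without_permissions(yaml_text)
  doc = YAML.safe_load(yaml_text)
  doc.fetch("jobs").keys.select do |job_id|
    effective_permissions(doc, job_id) == :repository_default
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{jobs_without_permissions(WORKFLOW_BEFORE).inspect}" # ["provider-tests"]
  puts "after:  #{jobs_without_permissions(WORKFLOW_AFTER).inspect}"  # []
end
```

Run it against a real workflow with `jobs_without_permissions(File.read(".github/workflows/ci_check_pr.yaml"))`; an empty list means every job has an explicit block or inherits one from the top of the file.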
@Datron Datron force-pushed the provider-checks branch 4 times, most recently from b16612b to 9fe647a (October 10, 2025 13:29)
@Datron Datron force-pushed the provider-checks branch 10 times, most recently from cfcd327 to 209d211 (October 13, 2025 11:31)