ci: Introduce `<backend|sphinx>` jobs as "all green" required jobs #1514

thomass-dev · 2025-04-02T14:31:55Z

Some changes to prepare the setup of the GH merge queue, for which we need to specify the jobs required to succeed:

Set filenames as workflow/job names to avoid confusion,
Add backend job that can be used as required 🟢 job,
Add sphinx job that can be used as required 🟢 job,
Add explicit restricted permissions to the sphinx workflow (no worries, they were already restricted to read-only).

For a job to be required, its workflow has to be executed and not skipped.
Before this PR, we skipped entire workflow via path filtering, which is incompatible with "required jobs".

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks#handling-skipped-but-required-checks

Now we always execute workflows, but skip jobs individually based on modified files.

github-actions · 2025-04-03T15:40:29Z

Coverage Report for backend

File	Stmts	Miss	Cover	Missing
venv/lib/python3.12/site-packages/skore
__init__.py	22	0	100%
_config.py	28	0	100%
exceptions.py	4	4	0%	4–23
venv/lib/python3.12/site-packages/skore/persistence
__init__.py	0	0	100%
venv/lib/python3.12/site-packages/skore/persistence/item
__init__.py	55	1	98%	97
altair_chart_item.py	19	1	91%	14
item.py	22	1	95%	86
matplotlib_figure_item.py	36	1	95%	19
media_item.py	22	0	100%
numpy_array_item.py	27	1	94%	16
pandas_dataframe_item.py	29	1	94%	14
pandas_series_item.py	29	1	94%	14
pickle_item.py	22	0	100%
pillow_image_item.py	25	1	93%	15
plotly_figure_item.py	20	1	92%	14
polars_dataframe_item.py	27	1	94%	14
polars_series_item.py	22	1	92%	14
primitive_item.py	23	2	91%	13–15
sklearn_base_estimator_item.py	29	1	94%	15
venv/lib/python3.12/site-packages/skore/persistence/repository
__init__.py	2	0	100%
item_repository.py	59	5	91%	15–16, 202–203, 226
venv/lib/python3.12/site-packages/skore/persistence/storage
__init__.py	4	0	100%
abstract_storage.py	22	0	100%
disk_cache_storage.py	33	1	95%	44
in_memory_storage.py	20	0	100%
venv/lib/python3.12/site-packages/skore/project
__init__.py	2	0	100%
project.py	83	2	98%	280, 392
venv/lib/python3.12/site-packages/skore/sklearn
__init__.py	6	0	100%
_base.py	171	14	92%	45, 58, 126, 129, 182–191, 203–>209, 224, 227–228
find_ml_task.py	61	0	99%	136–>145
types.py	13	0	100%
venv/lib/python3.12/site-packages/skore/sklearn/_comparison
__init__.py	5	0	100%
metrics_accessor.py	165	2	97%	163, 164–>166, 1278
report.py	67	1	97%	17, 249–>252
venv/lib/python3.12/site-packages/skore/sklearn/_cross_validation
__init__.py	5	0	100%
metrics_accessor.py	190	0	99%	153–>155, 155–>157
report.py	110	1	98%	23
venv/lib/python3.12/site-packages/skore/sklearn/_estimator
__init__.py	7	0	100%
feature_importance_accessor.py	133	0	99%	483–>489, 569–>578
metrics_accessor.py	344	10	96%	174–183, 211–>220, 219, 249, 260–>262, 290, 317–321, 336, 371, 372–>374
report.py	148	1	98%	24, 253–>255
venv/lib/python3.12/site-packages/skore/sklearn/_plot
__init__.py	2	0	100%
base.py	6	0	100%
style.py	28	0	100%
utils.py	122	5	95%	51, 75–77, 81
venv/lib/python3.12/site-packages/skore/sklearn/_plot/metrics
__init__.py	4	0	100%
precision_recall_curve.py	173	1	99%	660
prediction_error.py	164	0	100%
roc_curve.py	176	1	99%	649
venv/lib/python3.12/site-packages/skore/sklearn/train_test_split
__init__.py	0	0	100%
train_test_split.py	51	1	96%	16, 154–>158
venv/lib/python3.12/site-packages/skore/sklearn/train_test_split/warning
__init__.py	8	0	100%
high_class_imbalance_too_few_examples_warning.py	17	1	90%	79
high_class_imbalance_warning.py	18	0	100%
random_state_unset_warning.py	12	1	88%	15
shuffle_true_warning.py	10	1	83%	46
stratify_is_set_warning.py	12	1	88%	15
time_based_column_warning.py	23	2	86%	17, 73
train_test_split_warning.py	4	0	100%
venv/lib/python3.12/site-packages/skore/utils
__init__.py	6	0	100%
_accessor.py	46	1	97%	102
_environment.py	27	0	97%	30–>35
_fixes.py	8	0	100%
_index.py	5	0	100%
_logger.py	22	4	85%	15–19
_measure_time.py	10	0	100%
_parallel.py	38	3	88%	23–33, 124
_patch.py	13	5	53%	21–37
_progress_bar.py	36	0	100%
_show_versions.py	33	0	100%
TOTAL	3185	82	96%

Tests	Skipped	Failures	Errors	Time
814	8 💤	0 ❌	0 🔥	54.589s ⏱️

.github/workflows/sphinx.yml

github-actions · 2025-04-24T12:25:09Z

Documentation preview @ 35583c3

docs/design/0006-use-merge-queue-in-ci.md

rouk1

Cool !

rouk1 · 2025-04-24T15:23:43Z

.github/workflows/backend.yml

+      pull-requests: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2


Could you explain why you need to pin a specific version here ?

This is only a security issue and a good practice promoted by GH after the corruption of the famous tj-actions/changed-files.

tj-actions/changed-files#2463 (comment)
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

You can help mitigate this risk by following these good practices:

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

This is also a tradeoff. If a pinned version contains a CVE then you wont get the fix for free.
To me this is too much paranoia.

I know, but there is actually no better solution to mitigate this issue, and it's promoted by GH.
By pinning an approved version, we avoid to pull future potential compromised versions.

rouk1 · 2025-04-24T15:27:22Z

docs/design/0006-use-merge-queue-in-ci.md

+
+## Context and Problem Statement
+
+With external contributions related to ESOC, the number of pull-request is growing fast.


Please disambiguate thie acronym.

European Summer of Code, sorry too late... 😶‍🌫️ .

https://duckduckgo.com/?q=ESOC

leads to European Space Operations Centre 🤷🏻‍♂️

I will update it in another PR, thanks!

…robabl-ai#1514) Some changes to prepare the setup of the GH merge queue, for which we need to specify the jobs required to succeed: - Set filenames as workflow/job names to avoid confusion, - Add `backend` job that can be used as required 🟢 job, - Add `sphinx` job that can be used as required 🟢 job, - Add explicit restricted permissions to the `sphinx` workflow (no worries, they were already restricted to read-only). --- For a job to be required, its **workflow** has to be executed and not skipped. Before this PR, we skipped entire workflow via path filtering, which is incompatible with "required jobs". https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks#handling-skipped-but-required-checks ![image](https://github.com/user-attachments/assets/a48bab3f-c361-4a55-b933-9cf94057f26c) Now we always execute workflows, but skip jobs individually based on modified files.

github-actions bot assigned thomass-dev Apr 2, 2025

thomass-dev force-pushed the ci-required-status-checks branch 4 times, most recently from a1e1f22 to 67f1ed4 Compare April 3, 2025 15:35

thomass-dev force-pushed the ci-required-status-checks branch from 67f1ed4 to 77eb86a Compare April 3, 2025 15:49

thomass-dev changed the title ~~ci: Reintroduce ci.yml workflow as the "must-be-green" CI entry point~~ ci: Introduce <backend|sphinx>-all-green jobs as required jobs Apr 3, 2025

thomass-dev force-pushed the ci-required-status-checks branch from d462471 to 117b615 Compare April 9, 2025 15:59

thomass-dev changed the title ~~ci: Introduce <backend|sphinx>-all-green jobs as required jobs~~ ci: Introduce <backend|sphinx> jobs as all green required jobs Apr 9, 2025

thomass-dev force-pushed the ci-required-status-checks branch from 117b615 to 563c861 Compare April 9, 2025 18:12

thomass-dev added 5 commits April 24, 2025 11:37

ci: Reintroduce ci.yml workflow as the "must-be-green" CI entry point

1d35826

ci: Introduce backend-all-green as a "must-be-green" job

8c4ff3a

Change name fields of all workflows

7e94afe

ci: Introduce sphinx as a "must-be-green" job

9a4a093

Simplify if conditions and use hash of actions instead of version

0821df0

thomass-dev force-pushed the ci-required-status-checks branch from b8a1a97 to e7b42f7 Compare April 24, 2025 09:37

github-advanced-security bot found potential problems Apr 24, 2025

View reviewed changes

.github/workflows/sphinx.yml Fixed Show fixed Hide fixed

thomass-dev force-pushed the ci-required-status-checks branch 2 times, most recently from 6d7dc53 to bf52fc7 Compare April 24, 2025 12:14

thomass-dev force-pushed the ci-required-status-checks branch from 1d74549 to bf52fc7 Compare April 24, 2025 13:04

thomass-dev changed the title ~~ci: Introduce <backend|sphinx> jobs as all green required jobs~~ ci: Introduce <backend|sphinx> jobs as "all green" required jobs Apr 24, 2025

thomass-dev force-pushed the ci-required-status-checks branch from bf52fc7 to 7fb05f8 Compare April 24, 2025 14:11

thomass-dev marked this pull request as ready for review April 24, 2025 14:12

thomass-dev requested review from auguste-probabl and rouk1 as code owners April 24, 2025 14:12

thomass-dev added 2 commits April 24, 2025 16:15

ADR

1b5ab9d

Refine the permission jobs in sphinx workflow

f48e20f

thomass-dev force-pushed the ci-required-status-checks branch from 7fb05f8 to f48e20f Compare April 24, 2025 14:16