Follow-ups identified during code review of #745. Not blocking, but worth doing.
Files / scripts
Rename examples/deep-researcher/utils.py — currently shares its basename with 4 other ASF-owned utils.py files. The new .rat-excludes uses basename matching, so all 5 are skipped. A future regression in any of the 4 ASF files would silently pass RAT.
Thread --skip-signing through cmd_verify in scripts/apache_release.py. Today running the verify subcommand against a --skip-signing build crashes on missing .asc files.
Run RAT on the wheel too, not just the tarballs. Wheel is also redistributed.
Pin the RAT JAR by SHA256 in .github/workflows/release-validation.yml. Currently the workflow downloads from Maven Central without integrity verification.
Smoke test (scripts/ci_smoke_server.py)
Replace time.sleep(2) after running the tracked app with a poll-then-assert loop on /api/v0/projects (currently flake-prone).
Forward SIGTERM to the uvicorn child via process group (currently only kills the burr CLI wrapper; child can be orphaned on dev boxes).
Add --cleanup flag and default to cleaning the workspace locally (CI keeps it via GITHUB_ACTIONS env, currently always retained).
CI coverage gaps
Add a matrix cell that does bare pip install <wheel> (no [learn] extras) and at least imports burr and burr.tracking.server.run. Catches optional-extra dep leakage into base.
Add a step that builds the wheel from the sdist tarball (what voters do) and asserts the result matches the CI-built wheel. Catches sdist-vs-wheel drift.
Hit GET / in the smoke test to confirm the UI build is actually served (not just present in the wheel).
Hygiene
Add a pre-commit hook that grep-checks new files for ASF headers (RAT in CI is the safety net but slow).
Add a weekly cron job running this workflow against main to catch dep-drift between RCs.
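
The SHA256 pinning item above, sketched as a fail-closed check a workflow step could call after the download. This is an added example, not code from the repository or its workflow; `RAT_JAR_URL` and `RAT_JAR_SHA256` are placeholder names, since the issue gives neither the URL nor the digest.

```shell
#!/usr/bin/env bash
# Added example: fail-closed SHA256 pin check for a downloaded build tool.

# Print the lowercase hex SHA256 of a file using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its digest equals the pin.
# Returns 2 for a malformed pin, 1 for a missing file or a mismatch.
# On mismatch the file is deleted so a later step cannot run it by accident.
verify_pinned_sha256() {
    local file="$1" expected actual
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    # A pin must be exactly 64 hex characters; an empty or truncated
    # value must never be treated as "nothing to check".
    case "$expected" in
        *[!0-9a-f]*|'') echo "malformed pin" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "malformed pin" >&2; return 2
    fi
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2; return 1
    fi
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        rm -f -- "$file"
        return 1
    fi
    echo "OK $file"
}

# Intended use in a workflow step (URL and pin are placeholders):
#   curl --fail --silent --show-error --location -o rat.jar "$RAT_JAR_URL"
#   verify_pinned_sha256 rat.jar "$RAT_JAR_SHA256" || exit 1
```

The pin belongs in the workflow file itself, so changing it requires a reviewed commit.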