Fix CI

[radon-at-beeper]

• Old version of pydantic does not support python 3.14, upgrade
• Remove redundant import that was introduced in 5ef5d4d and broke the build (cc @Fizzadar)

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• poetry.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3ed7aa8b-9be0-4e58-8fff-046e9684d5c1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Removed an unused Callable import from tests/rest/client/test_relations.py. Updated .github/workflows/tests.yml to set GITHUB_HEAD_REF to a fixed commit SHA in the complement job's "Prepare Complement's Prerequisites" step.

Changes

Cohort / File(s)	Summary
Import Cleanup tests/rest/client/test_relations.py	Removed unused Callable from typing imports (from typing import Any, Dict, List, Optional, Tuple).
CI Workflow .github/workflows/tests.yml	In complement job, added env: GITHUB_HEAD_REF set to a fixed commit SHA in the "Prepare Complement's Prerequisites" step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Fix CI' is vague and generic, using a non-descriptive term that doesn't convey what specific CI issues are being addressed.	Use a more specific title that describes the main changes, such as 'Upgrade pydantic and remove redundant import' or 'Fix CI: upgrade pydantic for Python 3.14 support'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description is related to the changeset, explaining the two main issues being fixed: pydantic upgrade and redundant import removal.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch rr-fix-ci

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/tests.yml:
- Around line 729-732: The workflow pins Complement via GITHUB_HEAD_REF but
checkout_complement.sh currently falls back silently (iterating GITHUB_HEAD_REF
→ GITHUB_BASE_REF → GITHUB_REF → HEAD); update checkout_complement.sh to
implement a strict-pin mode: when GITHUB_HEAD_REF (or an explicit PIN_SHA env
var) is set, attempt to fetch/checkout that SHA only and exit non-zero with an
error if that exact SHA cannot be resolved, or alternatively add a verification
step after checkout that compares the resolved commit against GITHUB_HEAD_REF
and fails if they differ; modify the script's logic around the current
branch-resolution loop (the code that reads
GITHUB_HEAD_REF/GITHUB_BASE_REF/GITHUB_REF/HEAD) to enforce this behavior and
return a non-zero exit code on mismatch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 29253bd1-33c9-4e03-a01e-e6d13a09edb6

📥 Commits

Reviewing files that changed from the base of the PR and between b64e9e8 and b65c6a4.

📒 Files selected for processing (1)

• .github/workflows/tests.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: test-complement
• GitHub Check: test-trial
• GitHub Check: build-python
• GitHub Check: lint-types
• GitHub Check: test-sytest

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Pin set in workflow:"
nl -ba .github/workflows/tests.yml | sed -n '724,736p'

echo
echo "Fallback order in Complement checkout script:"
nl -ba .ci/scripts/checkout_complement.sh | sed -n '14,30p'

Repository: beeper/synapse

Length of output: 138

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Checking workflow file (lines 724-736) ==="
if [ -f .github/workflows/tests.yml ]; then
  sed -n '724,736p' .github/workflows/tests.yml | cat -n
else
  echo "File not found: .github/workflows/tests.yml"
fi

echo
echo "=== Checking checkout_complement.sh (lines 1-50) ==="
if [ -f .ci/scripts/checkout_complement.sh ]; then
  sed -n '1,50p' .ci/scripts/checkout_complement.sh | cat -n
else
  echo "File not found: .ci/scripts/checkout_complement.sh"
fi

Repository: beeper/synapse

Length of output: 1959

---

Make the Complement pin fail-closed instead of silently falling back.

Line 732 pins GITHUB_HEAD_REF to 1de64122c351539624c943d0ad7433e7b75e1ae0, but synapse/.ci/scripts/checkout_complement.sh (line 18) iterates through multiple fallback branches (GITHUB_HEAD_REF → GITHUB_BASE_REF → GITHUB_REF → HEAD). If the SHA fetch fails—due to typo, availability issues, or network problems—the script silently continues to the next fallback without error, potentially pinning to an unintended Complement version.

Add a strict pin mode in checkout_complement.sh that rejects fallbacks when a pin is explicitly provided, or add a verification step that exits if the requested SHA was not successfully fetched.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tests.yml around lines 729 - 732, The workflow pins
Complement via GITHUB_HEAD_REF but checkout_complement.sh currently falls back
silently (iterating GITHUB_HEAD_REF → GITHUB_BASE_REF → GITHUB_REF → HEAD);
update checkout_complement.sh to implement a strict-pin mode: when
GITHUB_HEAD_REF (or an explicit PIN_SHA env var) is set, attempt to
fetch/checkout that SHA only and exit non-zero with an error if that exact SHA
cannot be resolved, or alternatively add a verification step after checkout that
compares the resolved commit against GITHUB_HEAD_REF and fails if they differ;
modify the script's logic around the current branch-resolution loop (the code
that reads GITHUB_HEAD_REF/GITHUB_BASE_REF/GITHUB_REF/HEAD) to enforce this
behavior and return a non-zero exit code on mismatch.

[radon-at-beeper]

Oh, I misread the Github workflows, we have separate ones for the beeper branch that are configured differently.