ci: enable path filters for lint and pytest workflows#4411
Merged
Conversation
Uncomment path filters on push and pull_request triggers so the Lint and Tests workflows only run when relevant source, test, or workflow files change. Avoids spending CI on unrelated doc or chart updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>

- sql-sanitizer.yml: add path filters so the E2E only runs when gateway, sql-sanitizer crate, or fast-test-server change.
- pytest-rust.yml: drop `make rust-verify-stubs`; rust.yml already covers stub verification.
- linting-full.yml: restrict to workflow_dispatch; ruff/pylint/vulture/interrogate/radon are already run per-PR by lint.yml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>

linting-full runs actionlint, commitlint, helm lint, gosec, and govulncheck via LINTING_FULL_TARGETS in the Makefile. None of these are covered by lint.yml (which is Python-only). Restore the push trigger.

Note: the existing path filter (mcpgateway/**, plugins/**, pyproject.toml) is too narrow for what the workflow actually checks (GitHub Actions, Helm charts, Go sources). Fixing that is a separate follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>

LINTING_FULL_TARGETS checks GitHub Actions workflows, Helm charts, Go sources in mcp-servers/ and a2a-agents/, and commitlint. The previous filter (Python source) never matched those scopes. Commitlint has no natural path filter; it is skipped on pushes that touch only non-listed paths. Since this workflow is a post-merge audit on main, that is acceptable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
lucarlig
requested changes
Apr 23, 2026
These workflows validate PR heads and have no main-branch side effects (no artifacts published, no release tagging). Dropping the push:[main] trigger avoids re-running the same jobs immediately after the PR has already gone green pre-merge.

Affected: pytest, pytest-rust, lint, lint-web, vitest, sql-sanitizer, wrapper, playwright, python-package, alembic-upgrade-validation, license-check, docker-scan, dependency-review, rust.

rust.yml keeps push:tags:v* because release-wheel/release-sdist/release-publish use rust-build/rust-test/security-audit/supply-chain-vet/license-check as `needs:` dependencies on tag push. The main/develop branch push trigger is removed.

Also update scripts/pre-commit/check_ci_workflows.py to skip the push.paths check on rust.yml when push is tag-only; paths do not meaningfully filter tag pushes.

REQUIRES: branch protection on main must list these workflows as required status checks so the PR gate is enforced at merge time. If required checks are not configured, revert this commit.

Workflows still triggered on push:[main] (by design):
- docker-multiplatform (arm64/s390x/ppc64le + manifest + sign)
- helm-publish (release-gated publish)
- linting-full (post-merge audit)
- rust (tag pushes for release)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
The failing unit tests asserted `on.push.paths` contents, which no longer exist after dropping push:[main] from docker-scan, license-check, and wrapper workflows. Port the still-meaningful path-invariant checks to scripts/pre-commit/check_ci_workflows.py against pull_request.paths (the actual gating trigger) and drop the now-stale pytest cases:
- test_docker_scan_tracks_rust_container_inputs
- test_docker_scan_triggers_on_changed_container_files
- test_license_check_runs_for_rust_repositories_and_inputs (file removed)
- test_wrapper_workflow_only_triggers_for_wrapper_changes

Remaining tests in these files (rust-enabled smoke build, matrix entries, E2E step content, action SHA pinning) stay as pytest cases since they validate job bodies, not triggers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
The scan-style hooks added in PR #4257 mixed genuine cross-file integrity checks with stylistic rules and overfit assertions. This pass reduces them to the invariants a careful reviewer cannot reliably catch, and moves test-shaped assertions back to pytest.

Trimmed (kept the invariant-style portion, dropped style/overfit):
- check_ci_workflows: now only enforces SHA pinning of third-party GitHub Actions across all workflows. Per-workflow path/job-name assertions were overfit and are better expressed as reviewer norms plus actionlint.
- check_migration_patterns: now only enforces revision-ID/filename consistency and cross-file duplicate detection. DateTime timezone, SA-vs-raw-SQL, index-count balance, and the one-specific-migration token-uniqueness guard were stylistic or test-shaped.
- check_rust_workspace: now only verifies deny.toml's RUSTSEC advisory ignore list. The workspace-layout/Makefile/Containerfile assertions were drift-detection for a one-time migration and are no longer load-bearing.

Removed entirely (review or tests handle these):
- check_machine_paths: forbade one literal path; any reviewer would catch /home/$dev in a diff, and the hook was trivially overfit.
- check_no_os_system: guarded one specific file. Replaced with an inline docstring note in run_mutmut.py.
- check_rbac_decorators: ported to tests/security/test_rbac_decorator_coverage.py (parametrized). Runtime auth tests in tests/security/ remain the authoritative deny-path coverage; this file guards against decorator deletion.
- check_source_patterns: ported to tests/unit/test_source_patterns.py.

Kept unchanged (genuine invariants review cannot catch):
- check_sensitive_logging — AST scan for secret variable names interpolated into logger calls.
- check_framework_imports — plugin framework layering boundary.
- check_logo_assets — asset-reference integrity (invisible in text diffs).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
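The two invariants these commits leave in the pre-commit hook (full-SHA pinning of third-party actions, and the push.paths check that is skipped when a push trigger is tag-only) are shown below as an added, self-contained example; it is not the project's scripts/pre-commit/check_ci_workflows.py, and the workflow dicts, the `example-org` action names and the set of owners exempt from pinning are constructed assumptions.

```python
import re

# Owners whose actions we treat as first-party and exempt from SHA pinning (assumption).
FIRST_PARTY_OWNERS = {"actions", "github"}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def _triggers(workflow: dict) -> dict:
    # PyYAML (YAML 1.1) loads the bare key `on:` as the boolean True, so accept both.
    on = workflow.get("on", workflow.get(True, {}))
    return on if isinstance(on, dict) else {}


def unpinned_actions(workflow: dict) -> list[str]:
    """Return `uses:` refs of third-party actions that are not pinned to a full commit SHA."""
    bad = []
    for job in workflow.get("jobs", {}).values():
        for step in job.get("steps", []):
            ref = step.get("uses")
            if not ref or ref.startswith("./") or ref.startswith("docker://"):
                continue  # local or container actions carry no upstream git ref to pin
            if ref.split("/", 1)[0] in FIRST_PARTY_OWNERS:
                continue
            _, _, version = ref.partition("@")
            if not FULL_SHA.match(version):
                bad.append(ref)  # a tag or branch like @v2 is mutable; a SHA is not
    return bad


def missing_path_filters(workflow: dict) -> list[str]:
    """Return gating triggers (pull_request, push) that carry no `paths:` filter.
    A push trigger listing only tags is exempt: paths never filter tag pushes."""
    missing = []
    for name in ("pull_request", "push"):
        triggers = _triggers(workflow)
        if name not in triggers:
            continue
        trig = triggers[name]
        if not isinstance(trig, dict):  # bare `push:` parses as None: no filtering at all
            missing.append(name)
        elif name == "push" and "tags" in trig and "branches" not in trig:
            continue
        elif not trig.get("paths"):
            missing.append(name)
    return missing


# Constructed samples in the shape yaml.safe_load() returns for a workflow file.
RUST_WORKFLOW = {"on": {"push": {"tags": ["v*"]},
                        "pull_request": {"paths": ["crates/**", ".github/workflows/rust.yml"]}},
                 "jobs": {"build": {"steps": [
                     {"uses": "actions/checkout@v4"},
                     {"uses": "example-org/setup-tool@0123456789abcdef0123456789abcdef01234567"},
                     {"uses": "example-org/cache@v2"}]}}}
LINT_WORKFLOW = {"on": {"push": None, "pull_request": {"branches": ["main"]}},
                 "jobs": {"lint": {"steps": [{"uses": "./.github/actions/lint"}]}}}
```

Running both checks over every file under .github/workflows and failing the hook on any non-empty result is what a pre-commit wrapper would add.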
lucarlig
approved these changes
Apr 23, 2026
Summary

`push` and `pull_request` triggers in `.github/workflows/lint.yml` and `.github/workflows/pytest.yml`.

Test plan

- `mcpgateway/`, `plugins/`, `tests/`, `pyproject.toml`, `uv.lock`, or the workflow files themselves
- `docs/`, `charts/`)