Skip to content

chore: engineering hygiene — version sync, lint/type/coverage/matrix CI, supply-chain, OSS scaffolding#62

Closed
abrichr wants to merge 3 commits into
mainfrom
chore/engineering-hygiene
Closed

chore: engineering hygiene — version sync, lint/type/coverage/matrix CI, supply-chain, OSS scaffolding#62
abrichr wants to merge 3 commits into
mainfrom
chore/engineering-hygiene

Conversation

@abrichr

@abrichr abrichr commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary

Raises the engineering system to match the code/test quality (per an external review that flagged it as narrow). No runtime logic changes — everything here is config, CI, docs, formatting, and one real one-line version-drift fix. Two commits:

  1. style: — mechanical ruff format + import sort across the package (isolated so the rest stays reviewable; drop it if you'd rather not adopt the formatter).
  2. chore: — the actual hygiene work below.

What's in it

1. Version-drift bug (real)

openadapt_flow.__version__ was 0.1.0 while pyproject/PyPI are 0.4.0. Synced to 0.4.0 and added version_variables = ["openadapt_flow/__init__.py:__version__"] to [tool.semantic_release] so releases keep them in lockstep. The clean-wheel CI job asserts __version__ == importlib.metadata.version(...) so this can't silently drift again.

2. Lint / format / type gates (green, not aspirational)

  • ruff lint + format config ([tool.ruff]). Selects pyflakes/pycodestyle-safe/warnings/isort; opinionated rewrite families deferred so it's green today and tightenable.
  • mypy config ([tool.mypy]) scoped to the core package, not tests, ignore_missing_imports for optional extras. Lenient to start; ~53 modules are gated, and 18 modules with pre-existing type debt are listed under [[tool.mypy.overrides]] ignore_errors with a "tighten incrementally" note.
  • Added py.typed (PEP 561) + a wheel force-include so downstream type-checkers honor our annotations.
  • All three gates are green locally: ruff check ✔, ruff format --check ✔ (71 files), mypy ✔ (Success, 71 source files).

3. CI matrix (.github/workflows/ci.yml)

  • Python 3.10 / 3.11 / 3.12 / 3.13 on Linux (was 3.12-only) + a macOS leg (3.12). fail-fast: false for visibility.
  • New lint + type-check job (ruff check, ruff format --check, mypy).
  • New clean-wheel install job: python -m build, install the wheel in a fresh venv, import from outside the source tree, assert version parity + py.typed presence.
  • New Windows job running the mock WindowsBackend + RDP suites (no live VM, no browser).
  • Coverage via pytest-cov reported for visibility (no hard floor yet).

4. README staleness

  • Corrected the stale "Desktop and RDP backends are adapters to come" — both exist now: WindowsBackend (desktop, experimental) and FreeRDPBackend (pixel-only RDP, frame decode proven against a real captured frame). Browser is the production path; desktop/RDP are real but earlier on the curve.
  • Added a "When to use something else" section (vs Playwright codegen / Selenium IDE / UiPath) answering why vision anchors instead of selectors when a DOM is available — determinism + cross-substrate + the identity/safety layer — with the honest caveat that where a DOM/UIA tree exists selectors are often the better signal (and we ship a DOM-selector benchmark arm precisely to test that).

5. Supply chain

  • Pinned every GitHub Action by commit SHA (both ci.yml and release.yml), version recorded in a trailing comment.
  • Added Dependabot (.github/dependabot.yml) for github-actions + pip; it understands the # vX comment and proposes SHA bumps, so pinning doesn't freeze us on stale releases.
  • ⚠️ Action item (settings, not code): release.yml uses secrets.ADMIN_TOKEN, an org-level secret with visibility "all" — every repo in the org can read it. It should be replaced with a repo-scoped fine-grained PAT (or a GitHub App installation token) limited to this repo's contents: write. Flagged inline in release.yml; changing the secret is a repo/org settings action that can't be done in this PR.

6. OSS scaffolding

CONTRIBUTING.md, SECURITY.md (PHI-aware private reporting via GitHub Security Advisories — important for a PHI-adjacent tool), CODE_OF_CONDUCT.md (Contributor Covenant 2.1), .github/ISSUE_TEMPLATE/ (bug/feature/config), PULL_REQUEST_TEMPLATE.md, and CODEOWNERS.

Verification (local)

  • ruff check / ruff format --check / mypy — all green.
  • Clean wheel build + install in a fresh venv + import + version/py.typed assertions — pass.
  • All 70 importable modules import with zero syntax/format breakage.
  • Core test subset: 342 passed, 6 skipped, 0 failures (compiler, vision, resolver, identity, windows/rdp backends, volatility, privacy, report, emit, interop, heal, dom-arm, desktop-benchmark). The full browser/OCR/benchmark E2E suite is left to CI (slow locally under concurrent load); the changes are formatting-only + one version string, so behavior is unchanged.

🤖 Generated with Claude Code

https://claude.ai/code/session_01CKrVJJy5jWVCkXAqgUqtqZ

abrichr and others added 3 commits July 13, 2026 09:57
Mechanical only — no logic changes. Normalizes formatting and import
order across the package so the new ruff lint+format gate (added in the
follow-up commit) is green. Verified: all 70 modules import, the core
test subset (342 passed) and every quality gate stay green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CKrVJJy5jWVCkXAqgUqtqZ
…CI, supply-chain, OSS scaffolding

Raises the engineering system to match the code/test quality (per an
external review). No runtime logic changes.

Version drift (real bug):
- openadapt_flow.__version__ was 0.1.0 while pyproject/PyPI are 0.4.0.
  Synced to 0.4.0 and added version_variables to [tool.semantic_release]
  so releases keep __init__.py in lockstep with pyproject going forward.

Quality gates (added and green, not aspirational):
- ruff lint+format config ([tool.ruff]); mypy config ([tool.mypy]) scoped
  to the core package, lenient to start, with a documented ignore_errors
  list of modules carrying known type debt (tighten incrementally).
- Added py.typed (PEP 561) + wheel force-include so downstream type-checkers
  honor our annotations.
- Added ruff/mypy/pytest-cov to the dev extra.

CI (.github/workflows/ci.yml):
- Matrix Python 3.10–3.13 on Linux + a macOS leg (was 3.12-only).
- New lint+type job (ruff check, ruff format --check, mypy).
- New clean-wheel job: build, install in a fresh venv, import, assert
  __version__ == distribution metadata (guards the drift bug) + py.typed.
- New Windows job running the mock WindowsBackend/RDP suites (no live VM).
- Coverage (pytest-cov) reported for visibility (no hard floor yet).

Supply chain:
- Pinned all GitHub Actions by commit SHA (ci.yml + release.yml) with the
  version in a trailing comment; added Dependabot for actions + pip.
- Flagged in release.yml that the org-wide ADMIN_TOKEN (visibility "all")
  should become a repo-scoped fine-grained token/App (settings change).

Docs:
- README: corrected the stale "desktop and RDP are adapters to come" — both
  backends exist (RDP frame decode proven on a real frame; desktop
  experimental; browser is the production path).
- README: added a "When to use something else" section (vs Playwright
  codegen / Selenium IDE / UiPath) explaining vision-anchors-vs-selectors
  with the honest DOM/UIA caveat.
- Added CONTRIBUTING, SECURITY (PHI-aware reporting), CODE_OF_CONDUCT,
  issue/PR templates, and CODEOWNERS.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CKrVJJy5jWVCkXAqgUqtqZ
Restore a single, non-matrix `test` job so its reported status context is
exactly `test` -- the context branch protection requires. The previous
matrix `test` job reported `test (3.12)` etc., so the required `test`
check never reported and PRs could never merge.

- Triggers: pull_request + push(main) + nightly schedule; drop bare `push:`
  (killed the duplicate PR-branch run).
- Add concurrency group with cancel-in-progress to drop superseded runs.
- Fast required gate: `test` runs ubuntu/py3.12 unit suite, --ignore=tests/e2e
  (excludes the slow browser/OCR e2e suite).
- Move full matrix (3.10-3.13 + macOS, full suite incl. e2e), windows-mock,
  and wheel off PRs -> push(main) + nightly only (not the required context).
- Cache pip (setup-python) and the Playwright browser download.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CKrVJJy5jWVCkXAqgUqtqZ
abrichr added a commit that referenced this pull request Jul 13, 2026
abrichr added a commit that referenced this pull request Jul 13, 2026
abrichr added a commit that referenced this pull request Jul 13, 2026
abrichr added a commit that referenced this pull request Jul 13, 2026
* ci: fast required gate (e2e-excluded unit test), PR-only trigger, concurrency-cancel, caching

Extracted from the engineering-hygiene branch so the merge queue benefits now.
Required 'test' context stays a single ubuntu/py3.12 job (fast unit suite, e2e
excluded); full matrix + e2e run post-merge/nightly. Halves runner load (drops
the push+pull_request double-trigger) and cancels superseded runs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01CKrVJJy5jWVCkXAqgUqtqZ

* ci: decouple test gate from lint (main not yet ruff-formatted; #62 restores lint)

* ci: drop --cov (pytest-cov not on main until #62); keep fast e2e-excluded gate

* ci: drop lint job (ruff/mypy + reformat land with #62); keep fast test gate only

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
@abrichr

abrichr commented Jul 13, 2026

Copy link
Copy Markdown
Member Author

Superseded by #77, which regenerates this content cleanly on current main (this branch's 42-file reformat was generated on old main and conflicts with everything merged since #72/#74/#75/#76 + auto-releases). Closing in favor of #77.

@abrichr abrichr closed this Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant