Skip to content

ci: flag pointer-only changes in recipe-evidence gate#1166

Merged
njhensley merged 3 commits into
NVIDIA:mainfrom
njhensley:ci/pointer-only-evidence-check
Jun 3, 2026
Merged

ci: flag pointer-only changes in recipe-evidence gate#1166
njhensley merged 3 commits into
NVIDIA:mainfrom
njhensley:ci/pointer-only-evidence-check

Conversation

@njhensley

Copy link
Copy Markdown
Member

Summary

Teach the recipe-evidence gate to flag a leaf recipe when the PR adds or modifies that recipe's own evidence pointer (recipes/evidence/<slug>.yaml), not just when an overlay/ancestor/values file changes.

Motivation / Context

The discovery loop in recipe-evidence-check.sh flagged a recipe as "affected" only via rules 1–3 (overlay changed, ancestor overlay changed, or referenced component values file changed). A PR that only refreshes an evidence pointer — exactly the workflow the script's own "How to refresh evidence" section prescribes (cp ./out/pointer.yaml recipes/evidence/<slug>.yaml) — touched none of those, so the gate reported "No leaf overlays affected" and the freshly-submitted pointer was never evidence verify'd or digest-compared. This closes that gap.

Fixes: N/A
Related: N/A

Type of Change

  • Build/CI/tooling

Component(s) Affected

  • Other: .github/scripts/recipe-evidence-check.sh (warning-only recipe-evidence gate)

Implementation Notes

  • Adds Rule 4 in the discovery loop: include the recipe when recipes/evidence/<slug>.yaml is in the diff. Mirrors Rule 1's grep -qxF whole-line exact match, so a sibling like …/<slug>.yaml.bak doesn't false-trigger.
  • Scoped to the existing per-overlay loop on purpose: current-digest computation requires -r <overlay>, so a pointer without a matching leaf overlay couldn't be verified anyway.
  • promote_all path is unaffected (every leaf is already included there), matching rules 1–3.
  • Reachability holds end-to-end: the workflow's paths: recipes/** filter already covers recipes/evidence/**, so a pointer-only PR triggers the job; and the discovery loop is unconditional, so it evaluates Rule 4 even when no overlay/values file changed.
  • Inherits the pre-existing basename-vs-criteria-slug naming limitation already tracked in the header (out of scope here).

Testing

bash -n .github/scripts/recipe-evidence-check.sh   # syntax OK

Rule 4's matching logic was exercised in isolation against five diff scenarios (it is pure grep, independent of yq):

  • pointer added as the only file → flagged
  • pointer among unrelated files → flagged
  • …/<slug>.yaml.bak sibling → not flagged
  • a different slug's pointer → not flagged
  • embedded substring (no whole-line match) → not flagged

The full script could not be run end-to-end locally because the sandbox's yq is the Python flavor while the script targets Go yq eval (as in CI); the new rule itself is yq-independent.

Risk Assessment

  • Low — Isolated change to a warning-only gate that never blocks merge; additive discovery rule; easy to revert.

Rollout notes: N/A — gate is warning-only.

Checklist

  • Tests pass locally (make test with -race) — N/A, no Go changes
  • Linter passes (make lint) — N/A, shell-only change; bash -n clean (shellcheck unavailable in sandbox)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality — N/A, no test harness for this script
  • I updated docs if user-facing behavior changed — header comment updated to document the four affected-recipe triggers
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

@njhensley njhensley requested a review from a team as a code owner June 3, 2026 02:16
@njhensley njhensley self-assigned this Jun 3, 2026
@njhensley njhensley requested a review from yuanchen8911 June 3, 2026 02:18
@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: b57c1176-9b64-4a72-88c3-268dd2f88c63

📥 Commits

Reviewing files that changed from the base of the PR and between b0efb83 and f6c8f62.

📒 Files selected for processing (1)
  • .github/scripts/recipe-evidence-check.sh

📝 Walkthrough

Walkthrough

This PR updates the recipe evidence gate script to treat changes to recipes/evidence/.yaml as making a recipe "affected" (Rule 4), adds detection of orphan evidence pointers that exist at HEAD but lack a corresponding recipes/overlays/.yaml, adjusts the early-exit and affected-overlays table emission to account for orphans, emits a Markdown section listing orphan pointers (incrementing warnings), and exports orphan_pointers=<orphan_count> in the job outputs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding pointer-file detection to the recipe-evidence gate to flag recipes when their evidence pointer is modified.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, explaining the motivation, implementation, and testing of the new Rule 4 for detecting pointer-only changes.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

yuanchen8911
yuanchen8911 previously approved these changes Jun 3, 2026

@yuanchen8911 yuanchen8911 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — correctly closes the evidence-only-PR gap (finding A): a pointer-only PR (like the recent test #1164) now gets verified instead of silently skipped. Reuses the existing grep -qxF whole-line match and integrates cleanly into the affected accumulation. Two minor, non-blocking edge-case notes inline.

# unverified. `grep -qxF` matches the whole line, so a sibling like
# `recipes/evidence/${name}.yaml.bak` doesn't trigger it.
if [[ "$include" == "false" ]]; then
if printf '%s\n' "$changed_files" | grep -qxF "recipes/evidence/${name}.yaml"; then

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor / non-blocking: this loop only iterates existing recipes/overlays/*.yaml, so a pointer added for a recipe with no matching overlay (typo'd slug, or a retired recipe) is silently skipped — it never hits an overlay iteration, so a misnamed evidence file wouldn't be flagged. Optional: diff added recipes/evidence/*.yaml against the overlay set to catch orphans.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — addressed. Added an orphan-pointer check after the discovery loop that diffs the changed recipes/evidence/*.yaml against the overlay set, exactly as you suggested. It flags any added/modified pointer whose slug has no matching recipes/overlays/<slug>.yaml (typo'd slug or evidence for a retired recipe) in a dedicated "Orphan evidence pointers" section, counted as a warning.

Two details worth noting:

  • Only pointers present on disk at HEAD are considered, so a deleted pointer is correctly not an orphan.
  • The count==0 & orphans>0 path is handled: the early "no overlays affected" exit now requires both to be zero, and the affected-recipes table is guarded behind count>0 so it isn't rendered empty.

Verified the detection in isolation across has-overlay / typo'd-slug / retired-recipe / deleted / non-evidence-path cases.

done <<<"$values_files"
fi

# Rule 4: the recipe's own evidence pointer was added or modified.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor / non-blocking: git diff BASE...HEAD lists deletions too, so removing a pointer also marks the recipe affected → downstream reports it as missing-pointer (graceful, per existing handling). Probably intended; just flagging that a pointer delete and a pointer add both route through Rule 4.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes — intended, thanks for flagging it explicitly. Deleting a pointer while its overlay still exists should flag the recipe: it now lacks evidence, and downstream renders the graceful "missing-pointer" warning.

The one edge — retiring a recipe by deleting both the pointer and its overlay in the same PR — produces no false warning: the overlay loop no longer iterates it, and the new orphan check skips it because the deleted pointer isn't on disk at HEAD.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants