Skip to content

ci: add a strict license-binary checker that files a tracking issue on license drift#4734

Merged
bobbai00 merged 15 commits into
apache:mainfrom
bobbai00:ci/license-binary-nightly
May 3, 2026
Merged

ci: add a strict license-binary checker that files a tracking issue on license drift#4734
bobbai00 merged 15 commits into
apache:mainfrom
bobbai00:ci/license-binary-nightly

Conversation

@bobbai00

@bobbai00 bobbai00 commented May 3, 2026

Copy link
Copy Markdown
Contributor

What changes were proposed in this PR?

This PR:

  • add a new parameter to build.yml to tune the mode of the license checking
  • add a new CI: license-binary-nightly.yml that include one build job that does uses: ./.github/workflows/build.yml with mode to be release, and one report job that will raise an issue if there is a drift on the license binary.

Any related issues, documentation, discussions?

Resolves #4692.

How was this PR tested?

Verified using my personal fork:

bobbai00#6
https://github.com/bobbai00/texera/actions/runs/25273894144

Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-7)

…n drift

Resolves apache#4692.

PR builds run check_binary_deps.py with --ignore-transitive-version (apache#4693)
so a benign upstream version bump on a transitive dep does not block merges.
This workflow runs the same checks **without** that flag every night on
`main` so transitive drift is still visible and actionable before each
release. On non-zero exit it files (or updates) one tracking issue
identified by the stable label `license-binary-drift`; on a clean run it
closes the issue if one is open.

Workflow shape:
  - frontend-npm | agent-npm | python | jar — one job per ecosystem,
    each rebuilds its dist exactly the way build.yml does and runs the
    strict check; failures don't fail the workflow (continue-on-error)
    so all four still run.
  - jar uses the unified check across every dist's lib/ rather than a
    per-service matrix; per-service placement errors are still caught
    by build.yml on every PR, and the nightly's job is exact-version
    drift which the unified check surfaces just as well.
  - report — aggregates per-ecosystem results from artifacts and
    creates / updates / closes the tracking issue via
    actions/github-script. Skips issue management when not on the
    default branch (so workflow_dispatch on feature branches still
    runs the checks but does not surface issues).

Trigger: schedule (07:00 UTC daily) + workflow_dispatch.
Permissions: issues:write for the report job.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added the ci changes related to CI label May 3, 2026
@codecov-commenter

codecov-commenter commented May 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.40%. Comparing base (f46335d) to head (97270af).

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #4734      +/-   ##
============================================
+ Coverage     43.36%   43.40%   +0.03%     
- Complexity     2039     2103      +64     
============================================
  Files           957      957              
  Lines         34077    34946     +869     
  Branches       3753     3893     +140     
============================================
+ Hits          14778    15168     +390     
- Misses        18510    18976     +466     
- Partials        789      802      +13     
Flag Coverage Δ
access-control-service 28.12% <ø> (ø)
agent-service 33.49% <ø> (-0.24%) ⬇️
amber 41.96% <ø> (+0.37%) ⬆️
computing-unit-managing-service 0.00% <ø> (ø)
config-service 0.00% <ø> (ø)
file-service 32.40% <ø> (-0.85%) ⬇️
frontend 34.97% <ø> (-0.31%) ⬇️
python 85.21% <ø> (-0.11%) ⬇️
workflow-compiling-service 47.72% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@bobbai00 bobbai00 added the release/v1.1.0-incubating back porting to release/v1.1.0-incubating label May 3, 2026
@bobbai00 bobbai00 requested a review from Yicong-Huang May 3, 2026 06:47
Per review on apache#4734: instead of duplicating build.yml's dist-producing
steps in the nightly workflow, parametrize build.yml with a new
`ignore_transitive_version` input and have the nightly call it as a
reusable workflow with that input flipped to false. PR builds keep the
default (true). This guarantees PR and nightly runs go through identical
code paths — the only difference between them is the value of one input.

Changes:

- build.yml: add `ignore_transitive_version: boolean = true` input.
  Replace each of the 6 hard-coded `--ignore-transitive-version` flags
  (frontend/amber/platform/python/agent-service license checks) with
  `${{ inputs.ignore_transitive_version && '--ignore-transitive-version'
  || '' }}`. The platform job's check previously didn't pass the flag
  at all (strict on PRs); this commit unifies it with the rest so all
  five ecosystems behave the same: relaxed on PRs, strict on nightly.

- license-binary-nightly.yml: drop the per-ecosystem job copies. The
  workflow now has just two jobs:
    - build: `uses: ./.github/workflows/build.yml` with
      `ignore_transitive_version: false`, `secrets: inherit`.
    - report: walks the current run's jobs via listJobsForWorkflowRun,
      identifies license-check step failures (regex matches step names
      containing "license-binary" or "binary licenses"), and creates /
      updates / closes the tracking issue accordingly. Non-license
      step failures (flaky tests, network blips) are ignored so they
      don't spuriously surface as drift.

The report step's six branches (drift+new, drift+existing, clean+existing,
clean+nothing, non-license-failure-only, default-branch guard) were
exercised end-to-end with stubbed github/context/core under Node before
push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Comment thread .github/workflows/build.yml Outdated
Comment thread .github/workflows/license-binary-nightly.yml Outdated

@Yicong-Huang Yicong-Huang left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks really nice! can't wait to try it. can you simplify PR description? it is a bit length for later read.

bobbai00 and others added 3 commits May 3, 2026 00:10
Per review on apache#4734: replace the boolean input with a string "mode" so
the call sites name *what* they are (PR-time relaxed vs. release-time
strict) instead of *what flag they pass*.

  build.yml:
    inputs.mode: string, default "PR"
      "PR"      -> --ignore-transitive-version (relaxed)
      "release" -> no flag                     (strict exact-match)
    The five license-check invocations now read
      ${{ inputs.mode == 'PR' && '--ignore-transitive-version' || '' }}
    so any value other than "PR" falls through to strict, which is the
    safer side. workflow_call inputs cannot enforce string enums; the
    valid values are documented inline.

  license-binary-nightly.yml:
    Pass `mode: release` instead of `ignore_transitive_version: false`.
    Updated the inline comment + tracking-issue body wording to match.

  required-checks.yml is unchanged: it doesn't pass this input, so PR
  builds keep the default ("PR") and behave exactly as before.

Re-ran the three representative report scenarios (drift+new,
clean+existing, non-license failure only) under Node with stubbed
github/context/core; all three still behave correctly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per review on apache#4734: 07:00 UTC was midnight PDT, when many people are
still working. Move to 11:00 UTC so it lands outside US-Pacific working
hours. GitHub cron is fixed UTC; the local clock-time shifts by an hour
at DST transitions.

Daily cadence is fine for now; if it turns out to be too frequent we
can drop to every 48–72 h.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bobbai00 added a commit to bobbai00/texera that referenced this pull request May 3, 2026
* ci: nightly strict license-binary check that files a tracking issue on drift

Resolves apache#4692.

PR builds run check_binary_deps.py with --ignore-transitive-version (apache#4693)
so a benign upstream version bump on a transitive dep does not block merges.
This workflow runs the same checks **without** that flag every night on
`main` so transitive drift is still visible and actionable before each
release. On non-zero exit it files (or updates) one tracking issue
identified by the stable label `license-binary-drift`; on a clean run it
closes the issue if one is open.

Workflow shape:
  - frontend-npm | agent-npm | python | jar — one job per ecosystem,
    each rebuilds its dist exactly the way build.yml does and runs the
    strict check; failures don't fail the workflow (continue-on-error)
    so all four still run.
  - jar uses the unified check across every dist's lib/ rather than a
    per-service matrix; per-service placement errors are still caught
    by build.yml on every PR, and the nightly's job is exact-version
    drift which the unified check surfaces just as well.
  - report — aggregates per-ecosystem results from artifacts and
    creates / updates / closes the tracking issue via
    actions/github-script. Skips issue management when not on the
    default branch (so workflow_dispatch on feature branches still
    runs the checks but does not surface issues).

Trigger: schedule (07:00 UTC daily) + workflow_dispatch.
Permissions: issues:write for the report job.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): repair direct-backport-push YAML and post backport result comments (apache#4846)

### What changes were proposed in this PR?

Three changes to `.github/workflows/direct-backport-push.yml`.

**1. Repair YAML.** The inline `python3 -c '<source>'` from apache#4696 put
Python at column 0 inside a `run: |` block indented at column 10. YAML
treats `import re, sys` as a top-level key, so every push to `main`
failed in 0 seconds with 0 jobs (e.g. [run
25271247473](https://github.com/apache/texera/actions/runs/25271247473)).
Python can't be re-indented (top-level statements reject leading
whitespace), so the script moves to
`.github/scripts/compose-backport-message.py`. Behavior unchanged.

**2. Surface backport status on the original commit + PR.** Cherry-picks
produce a new SHA, so the release branch never appears in the
auto-derived branch badge on the main commit. Three channels instead —
commit status badge, commit comment, PR comment — on success; commit
status + PR comment on failure with an inline conflict diagnosis.

Success PR comment:
> Backport to [`release/0.4`](…/tree/release/0.4) succeeded as
[`a1b2c3d`](…/commit/a1b2c3d…). [Run](…)

Failure PR comment (when cherry-pick conflicts):
> Backport to `release/0.4` failed. See [job log](…/job/…).
>
> **Conflicts in:**
> - `f.txt`
>
> **Likely-missing prerequisites on main** (commits that touched these
files between merge-base `6343a1bc` and `c027f3b2^` — consider
backporting these first):
> - `958b8e8 main: prereq edit f`

Capped at 5 files / 10 commits; full detail stays in the job log.
Rebase-race conflicts get the same shape but list the racing commits on
`origin/<target>` instead.

**3. Retry + structured logging.** `git push` retries 5x with `[0, 5,
15, 30, 60]s` backoff and rebases on `origin/<target>` between attempts
to absorb push races. Annotation API calls retry with `[0, 2, 5, 15]s`
and degrade to warnings on final failure (a 5xx on a comment shouldn't
undo a successful cherry-pick). Every phase is wrapped in `::group::`
markers with a `[backport <target>] ...` prefix.

### Any related issues, documentation, discussions?

Fixes the regression introduced in apache#4696.

### How was this PR tested?

`yaml.safe_load` parses the workflow. `compose-backport-message.py`
round-trips through `git interpret-trailers --parse` with
`Co-authored-by` preserved. The conflict diagnosis output above came
verbatim from a throwaway repo where main introduces a prerequisite edit
+ feature commit and the release branch touches the same lines.

### Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (Opus 4.7, 1M context)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: reuse build.yml for nightly via ignore_transitive_version input

Per review on apache#4734: instead of duplicating build.yml's dist-producing
steps in the nightly workflow, parametrize build.yml with a new
`ignore_transitive_version` input and have the nightly call it as a
reusable workflow with that input flipped to false. PR builds keep the
default (true). This guarantees PR and nightly runs go through identical
code paths — the only difference between them is the value of one input.

Changes:

- build.yml: add `ignore_transitive_version: boolean = true` input.
  Replace each of the 6 hard-coded `--ignore-transitive-version` flags
  (frontend/amber/platform/python/agent-service license checks) with
  `${{ inputs.ignore_transitive_version && '--ignore-transitive-version'
  || '' }}`. The platform job's check previously didn't pass the flag
  at all (strict on PRs); this commit unifies it with the rest so all
  five ecosystems behave the same: relaxed on PRs, strict on nightly.

- license-binary-nightly.yml: drop the per-ecosystem job copies. The
  workflow now has just two jobs:
    - build: `uses: ./.github/workflows/build.yml` with
      `ignore_transitive_version: false`, `secrets: inherit`.
    - report: walks the current run's jobs via listJobsForWorkflowRun,
      identifies license-check step failures (regex matches step names
      containing "license-binary" or "binary licenses"), and creates /
      updates / closes the tracking issue accordingly. Non-license
      step failures (flaky tests, network blips) are ignored so they
      don't spuriously surface as drift.

The report step's six branches (drift+new, drift+existing, clean+existing,
clean+nothing, non-license-failure-only, default-branch guard) were
exercised end-to-end with stubbed github/context/core under Node before
push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(workflow-core): add unit test coverage for VFSURIFactory (apache#4757)

### What changes were proposed in this PR?

Add `VFSURIFactorySpec` covering URI construction and decoding in
`VFSURIFactory`:

- `createResultURI` includes wid/eid/globalportid and the result
resource type
- Result URIs round-trip through `decodeURI`
- `createRuntimeStatisticsURI` omits the `opid/` segment
- `createConsoleMessagesURI` embeds the operator id and the
`consoleMessages` resource type
- `decodeURI` rejects non-vfs schemes, URIs missing required segments,
and unknown resource-type tails

### Any related issues, documentation, discussions?

Closes apache#4756

### How was this PR tested?

`sbt "WorkflowCore/testOnly
org.apache.texera.amber.core.storage.VFSURIFactorySpec"` — 7/7 tests
pass.

### Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (Claude Opus 4.7)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: rename ignore_transitive_version input to mode (PR | release)

Per review on apache#4734: replace the boolean input with a string "mode" so
the call sites name *what* they are (PR-time relaxed vs. release-time
strict) instead of *what flag they pass*.

  build.yml:
    inputs.mode: string, default "PR"
      "PR"      -> --ignore-transitive-version (relaxed)
      "release" -> no flag                     (strict exact-match)
    The five license-check invocations now read
      ${{ inputs.mode == 'PR' && '--ignore-transitive-version' || '' }}
    so any value other than "PR" falls through to strict, which is the
    safer side. workflow_call inputs cannot enforce string enums; the
    valid values are documented inline.

  license-binary-nightly.yml:
    Pass `mode: release` instead of `ignore_transitive_version: false`.
    Updated the inline comment + tracking-issue body wording to match.

  required-checks.yml is unchanged: it doesn't pass this input, so PR
  builds keep the default ("PR") and behave exactly as before.

Re-ran the three representative report scenarios (drift+new,
clean+existing, non-license failure only) under Node with stubbed
github/context/core; all three still behave correctly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(nightly): move schedule to 11:00 UTC (04:00 PDT / 03:00 PST)

Per review on apache#4734: 07:00 UTC was midnight PDT, when many people are
still working. Move to 11:00 UTC so it lands outside US-Pacific working
hours. GitHub cron is fixed UTC; the local clock-time shifts by an hour
at DST transitions.

Daily cadence is fine for now; if it turns out to be too frequent we
can drop to every 48–72 h.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Yicong Huang <17627829+Yicong-Huang@users.noreply.github.com>
Co-authored-by: Xinyuan Lin <xinyual3@uci.edu>
bobbai00 and others added 2 commits May 3, 2026 00:46
Per review on apache#4734:
  - build.yml mode input now documents three values: PR (default,
    relaxed) | nightly (strict, scheduled checker) | release (strict,
    cutting an RC). Both `nightly` and `release` fall through to no
    flag — the existing conditional `inputs.mode == 'PR' && '...' || ''`
    already handles them correctly, only the doc needed updating.
  - Renamed license-binary-nightly.yml → license-binary-checker.yml
    (via git mv). Workflow `name:` now "License Binary Checker"; top-of-
    file comment + concurrency group updated to match.
  - Calls build.yml with `mode: nightly` (was `release`).
  - Stripped "(nightly)" from the issue title; reworded the body to say
    "scheduled job" instead of "nightly job"; the close-issue comment
    says "scheduled run".
  - Issue body now follows ISSUE_TEMPLATE/task-template.yaml's rendered
    shape: ### Task Summary, ### Task Type (with DevOps/CI box checked),
    Apache CoC footer. Added the `triage` label that the template
    applies by default, alongside the workflow's stable
    `license-binary-drift` and `ci`.
  - Made the github-token explicit on the github-script step
    (`secrets.GITHUB_TOKEN`) to match issue-triage.yml's convention; the
    issue creator will appear as `github-actions[bot]`. Workflow-level
    `permissions: { issues: write, actions: read }` is enough — no PAT
    needed.

Re-ran the three representative report scenarios under Node with stubbed
github/context/core; drift+new now files an issue with the templated
body shape and triage label, clean+existing closes with the reworded
comment, non-license failures stay no-ops.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bobbai00 bobbai00 changed the title ci: nightly strict license-binary check that files a tracking issue on drift ci: add a strict license-binary checker that files a tracking issue on license drift May 3, 2026
bobbai00 added a commit to bobbai00/texera that referenced this pull request May 3, 2026
* ci: nightly strict license-binary check that files a tracking issue on drift

Resolves apache#4692.

PR builds run check_binary_deps.py with --ignore-transitive-version (apache#4693)
so a benign upstream version bump on a transitive dep does not block merges.
This workflow runs the same checks **without** that flag every night on
`main` so transitive drift is still visible and actionable before each
release. On non-zero exit it files (or updates) one tracking issue
identified by the stable label `license-binary-drift`; on a clean run it
closes the issue if one is open.

Workflow shape:
  - frontend-npm | agent-npm | python | jar — one job per ecosystem,
    each rebuilds its dist exactly the way build.yml does and runs the
    strict check; failures don't fail the workflow (continue-on-error)
    so all four still run.
  - jar uses the unified check across every dist's lib/ rather than a
    per-service matrix; per-service placement errors are still caught
    by build.yml on every PR, and the nightly's job is exact-version
    drift which the unified check surfaces just as well.
  - report — aggregates per-ecosystem results from artifacts and
    creates / updates / closes the tracking issue via
    actions/github-script. Skips issue management when not on the
    default branch (so workflow_dispatch on feature branches still
    runs the checks but does not surface issues).

Trigger: schedule (07:00 UTC daily) + workflow_dispatch.
Permissions: issues:write for the report job.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: reuse build.yml for nightly via ignore_transitive_version input

Per review on apache#4734: instead of duplicating build.yml's dist-producing
steps in the nightly workflow, parametrize build.yml with a new
`ignore_transitive_version` input and have the nightly call it as a
reusable workflow with that input flipped to false. PR builds keep the
default (true). This guarantees PR and nightly runs go through identical
code paths — the only difference between them is the value of one input.

Changes:

- build.yml: add `ignore_transitive_version: boolean = true` input.
  Replace each of the 6 hard-coded `--ignore-transitive-version` flags
  (frontend/amber/platform/python/agent-service license checks) with
  `${{ inputs.ignore_transitive_version && '--ignore-transitive-version'
  || '' }}`. The platform job's check previously didn't pass the flag
  at all (strict on PRs); this commit unifies it with the rest so all
  five ecosystems behave the same: relaxed on PRs, strict on nightly.

- license-binary-nightly.yml: drop the per-ecosystem job copies. The
  workflow now has just two jobs:
    - build: `uses: ./.github/workflows/build.yml` with
      `ignore_transitive_version: false`, `secrets: inherit`.
    - report: walks the current run's jobs via listJobsForWorkflowRun,
      identifies license-check step failures (regex matches step names
      containing "license-binary" or "binary licenses"), and creates /
      updates / closes the tracking issue accordingly. Non-license
      step failures (flaky tests, network blips) are ignored so they
      don't spuriously surface as drift.

The report step's six branches (drift+new, drift+existing, clean+existing,
clean+nothing, non-license-failure-only, default-branch guard) were
exercised end-to-end with stubbed github/context/core under Node before
push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: rename ignore_transitive_version input to mode (PR | release)

Per review on apache#4734: replace the boolean input with a string "mode" so
the call sites name *what* they are (PR-time relaxed vs. release-time
strict) instead of *what flag they pass*.

  build.yml:
    inputs.mode: string, default "PR"
      "PR"      -> --ignore-transitive-version (relaxed)
      "release" -> no flag                     (strict exact-match)
    The five license-check invocations now read
      ${{ inputs.mode == 'PR' && '--ignore-transitive-version' || '' }}
    so any value other than "PR" falls through to strict, which is the
    safer side. workflow_call inputs cannot enforce string enums; the
    valid values are documented inline.

  license-binary-nightly.yml:
    Pass `mode: release` instead of `ignore_transitive_version: false`.
    Updated the inline comment + tracking-issue body wording to match.

  required-checks.yml is unchanged: it doesn't pass this input, so PR
  builds keep the default ("PR") and behave exactly as before.

Re-ran the three representative report scenarios (drift+new,
clean+existing, non-license failure only) under Node with stubbed
github/context/core; all three still behave correctly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(nightly): move schedule to 11:00 UTC (04:00 PDT / 03:00 PST)

Per review on apache#4734: 07:00 UTC was midnight PDT, when many people are
still working. Move to 11:00 UTC so it lands outside US-Pacific working
hours. GitHub cron is fixed UTC; the local clock-time shifts by an hour
at DST transitions.

Daily cadence is fine for now; if it turns out to be too frequent we
can drop to every 48–72 h.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: rename nightly workflow to License Binary Checker; add nightly mode

Per review on apache#4734:
  - build.yml mode input now documents three values: PR (default,
    relaxed) | nightly (strict, scheduled checker) | release (strict,
    cutting an RC). Both `nightly` and `release` fall through to no
    flag — the existing conditional `inputs.mode == 'PR' && '...' || ''`
    already handles them correctly, only the doc needed updating.
  - Renamed license-binary-nightly.yml → license-binary-checker.yml
    (via git mv). Workflow `name:` now "License Binary Checker"; top-of-
    file comment + concurrency group updated to match.
  - Calls build.yml with `mode: nightly` (was `release`).
  - Stripped "(nightly)" from the issue title; reworded the body to say
    "scheduled job" instead of "nightly job"; the close-issue comment
    says "scheduled run".
  - Issue body now follows ISSUE_TEMPLATE/task-template.yaml's rendered
    shape: ### Task Summary, ### Task Type (with DevOps/CI box checked),
    Apache CoC footer. Added the `triage` label that the template
    applies by default, alongside the workflow's stable
    `license-binary-drift` and `ci`.
  - Made the github-token explicit on the github-script step
    (`secrets.GITHUB_TOKEN`) to match issue-triage.yml's convention; the
    issue creator will appear as `github-actions[bot]`. Workflow-level
    `permissions: { issues: write, actions: read }` is enough — no PAT
    needed.

Re-ran the three representative report scenarios under Node with stubbed
github/context/core; drift+new now files an issue with the templated
body shape and triage label, clean+existing closes with the reworded
comment, non-license failures stay no-ops.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bobbai00 and others added 3 commits May 3, 2026 01:14
Per review on apache#4734: drop the prose padding in the workflow files and
issue body — keep just the facts (where the drift is, how to resolve).

  build.yml:
    mode input comment shrunk from a 12-line block to 2 lines naming
    the three values and which one passes the flag.

  license-binary-checker.yml:
    - File header trimmed from 13 lines to 3.
    - Cron / permissions / job comments collapsed to inline notes.
    - Issue body now leads with `License-binary drift on <sha>`,
      followed by `**Where:**` (the failed jobs/steps) and
      `**How to resolve:**` (refresh the per-module LICENSE-binary
      file(s)). Removed the PR-vs-nightly explanation paragraph and
      the redundant "License checks that passed" section. Task Type
      checkboxes + Apache CoC footer kept to match the task template.

Re-ran the report scenarios; behavior unchanged, body is ~12 lines
of substance instead of ~25.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… issue

The label license-binary-drift isn't a pre-existing repo label. issues.create
would silently auto-create it on first run with a random color and no
description, and listForRepo({labels: ...}) returns empty until the label
exists — meaning the first run could file a duplicate issue.

Add an idempotent createLabel call at the top of the script (catches 422
"already exists"). Works in any fork without a manual prerequisite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The label now exists in apache/texera, so the in-script createLabel guard
is unnecessary. Reverts the previous commit's idempotent block.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bobbai00 bobbai00 added emergency Pull requests that need to be merged ASAP labels May 3, 2026
@bobbai00 bobbai00 enabled auto-merge (squash) May 3, 2026 08:42
@bobbai00 bobbai00 merged commit 7dc68ba into apache:main May 3, 2026
36 checks passed
Yicong-Huang pushed a commit that referenced this pull request May 3, 2026
…n license drift (#4734)

### What changes were proposed in this PR?

This PR:

- add a new parameter to `build.yml` to tune the mode of the license
checking
- add a new CI: `license-binary-nightly.yml` that include one `build`
job that does `uses: ./.github/workflows/build.yml` with `mode` to be
`release`, and one `report` job that will raise an issue if there is a
drift on the license binary.

### Any related issues, documentation, discussions?

Resolves #4692.

### How was this PR tested?

Verified using my personal fork:

bobbai00#6
https://github.com/bobbai00/texera/actions/runs/25273894144

### Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-7)

---------

(backported from commit 7dc68ba)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented May 3, 2026

Copy link
Copy Markdown
Contributor

Backport to release/v1.1.0-incubating succeeded as f3c5352. Run

bobbai00 added a commit that referenced this pull request May 3, 2026
…it (#4857)

### What changes were proposed in this PR?

Add a \`build\` job at the top of \`create-release-candidate.yml\` that
calls the reusable \`build.yml\` with:

- \`checkout_ref: \${{ github.event.inputs.tag }}\` — build the tagged
commit (\`build.yml\` already accepts this input).
- \`mode: release\` — strict license-binary check, no
\`--ignore-transitive-version\` (the third mode added in #4734 alongside
\`PR\` and \`nightly\`).

\`create-rc\` now depends on \`build\` via \`needs: build\`. If the tag
doesn't compile or has license-binary drift, no RC tarball is produced
and nothing is signed/uploaded to ASF SVN.


### Any related issues, documentation, discussions?

Closes #4856.


### How was this PR tested?


### Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-7)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Yicong-Huang pushed a commit that referenced this pull request May 3, 2026
…it (#4857)

### What changes were proposed in this PR?

Add a \`build\` job at the top of \`create-release-candidate.yml\` that
calls the reusable \`build.yml\` with:

- \`checkout_ref: \${{ github.event.inputs.tag }}\` — build the tagged
commit (\`build.yml\` already accepts this input).
- \`mode: release\` — strict license-binary check, no
\`--ignore-transitive-version\` (the third mode added in #4734 alongside
\`PR\` and \`nightly\`).

\`create-rc\` now depends on \`build\` via \`needs: build\`. If the tag
doesn't compile or has license-binary drift, no RC tarball is produced
and nothing is signed/uploaded to ASF SVN.

### Any related issues, documentation, discussions?

Closes #4856.

### How was this PR tested?

### Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-7)

(backported from commit 31adc70)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
yangzhang75 pushed a commit to yangzhang75/texera that referenced this pull request Jun 22, 2026
…n license drift (apache#4734)

### What changes were proposed in this PR?

This PR:

- add a new parameter to `build.yml` to tune the mode of the license
checking
- add a new CI: `license-binary-nightly.yml` that include one `build`
job that does `uses: ./.github/workflows/build.yml` with `mode` to be
`release`, and one `report` job that will raise an issue if there is a
drift on the license binary.


### Any related issues, documentation, discussions?

Resolves apache#4692. 

### How was this PR tested?

Verified using my personal fork:

bobbai00#6
https://github.com/bobbai00/texera/actions/runs/25273894144

### Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-7)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
yangzhang75 pushed a commit to yangzhang75/texera that referenced this pull request Jun 22, 2026
…it (apache#4857)

### What changes were proposed in this PR?

Add a \`build\` job at the top of \`create-release-candidate.yml\` that
calls the reusable \`build.yml\` with:

- \`checkout_ref: \${{ github.event.inputs.tag }}\` — build the tagged
commit (\`build.yml\` already accepts this input).
- \`mode: release\` — strict license-binary check, no
\`--ignore-transitive-version\` (the third mode added in apache#4734 alongside
\`PR\` and \`nightly\`).

\`create-rc\` now depends on \`build\` via \`needs: build\`. If the tag
doesn't compile or has license-binary drift, no RC tarball is produced
and nothing is signed/uploaded to ASF SVN.


### Any related issues, documentation, discussions?

Closes apache#4856.


### How was this PR tested?


### Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (claude-opus-4-7)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci changes related to CI emergency Pull requests that need to be merged ASAP release/v1.1.0-incubating back porting to release/v1.1.0-incubating

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Nightly exact-match license-binary check that files an issue on drift

3 participants