Skip to content

fix(pipeline): stop CI/tooling config URLs from minting infra Route nodes#1048

Open
DeusData wants to merge 1 commit into
mainfrom
fix/999-ci-config-infra-routes
Open

fix(pipeline): stop CI/tooling config URLs from minting infra Route nodes#1048
DeusData wants to merge 1 commit into
mainfrom
fix/999-ci-config-infra-routes

Conversation

@DeusData

Copy link
Copy Markdown
Owner

Closes #999

Bug

On a plain pallets/flask checkout, repo: URLs from .pre-commit-config.yaml matched is_infra_file (.yaml) and slipped past the #521 value-level guards (they're clean single-token URLs under a non-denied key), so each minted a __route__infra__https://github.com/... Route node. The route matcher's root-service heuristic (handler_path == "/") then bridged every handler of the ambiguous __route__ANY__/ route onto each junk URL — 6–7 junk HANDLES targets per handler, with tie-break-dependent winners contributing to the HANDLES churn measured between identical builds.

Fix

CI/tooling configs describe the development toolchain — their URLs are repository/action/registry references, never endpoints the service exposes. cbm_pipeline_extract_infra_routes now denies by file identity (new is_ci_tooling_config): well-known basenames (.pre-commit-config.yaml, .gitlab-ci.yml, .travis.yml, azure-pipelines.yml, appveyor.yml, bitbucket-pipelines.yml, .readthedocs.*, codecov.yml, .goreleaser.*, .golangci.*) plus anything under .github/, .gitlab/, .circleci/. Both pipeline paths route through this single choke point.

Deliberately not URL-shape-based: deployment configs (Cloud Scheduler push endpoints, compose) keep minting their genuine endpoints.

The issue's second ask (deterministic tie-break when several handlers tie for one route) is the wider HANDLES-nondeterminism item tracked in #998 and stays open there — this PR removes the junk-target class.

Reproduce-first

  • contract_edge_no_infra_routes_from_ci_configs_issue999 — flask-style app + the reporter's pre-commit config + a workflow file: RED on main (github.com=2 junk routes), GREEN with the fix.
  • contract_edge_infra_routes_from_deploy_configs_still_minted — inverse guard: a Cloud-Scheduler-style push_endpoint still mints its infra Route (proves the deny is file-scoped, not a blanket kill).

Verification

Full local suite 6000 passed, 1 skipped, zero regressions; lint-ci clean.

@DeusData DeusData added this to the 0.9.1-rc milestone Jul 12, 2026
@DeusData DeusData enabled auto-merge July 12, 2026 12:12
…odes

URLs in .pre-commit-config.yaml, .github/workflows and similar CI
configs are repository/action/registry references for the development
toolchain, never endpoints the indexed service exposes. They matched
is_infra_file (.yaml) and passed the #521 value guards, so each minted
a __route__infra__<url> Route node; the route matcher's root-service
heuristic then attached every handler of an ambiguous '/' route to each
junk URL - 6-7 junk HANDLES targets per handler on plain pallets/flask,
with tie-break-dependent winners feeding HANDLES churn between builds.

Deny by file identity (well-known CI/tooling basenames plus .github/,
.gitlab/, .circleci/ trees) in cbm_pipeline_extract_infra_routes, not
by URL shape: deployment configs (Cloud Scheduler push endpoints,
compose) keep minting their genuine endpoints, guarded by an inverse
test.

Closes #999

Signed-off-by: Martin Vogel <martin.vogel.tech@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Route extraction: pre-commit/CI config URLs become __route__infra__ Route nodes and collect junk HANDLES edges

1 participant