ci: run live keyed test suite on push to main (non-blocking) #132
Merged
Separate workflow (on: push: branches: [main]) so fork/branch pushes never trigger it and DATAMAXI_API_KEY secret is never exposed to untrusted refs. Runs full suite (integration+smoke) vs prod; continue-on-error keeps it non-blocking. Bumps DATAMAXI_TIMEOUT=60 for slow cold pods. Offline required lane untouched. Closes #131
Closes #131
Summary
Adds a dedicated live-tests.yml workflow that runs the FULL suite (integration + smoke lanes) against prod using the DATAMAXI_API_KEY secret, on push to main only. Non-blocking so transient prod-data flakiness never fails a required build.

Separate workflow vs gated job
Chose a separate workflow keyed on on: push: branches: [main] rather than an if: github.ref == ... gated job in python-package.yml. A branch-scoped trigger is the cleanest guarantee the keyed lane never runs on fork/branch pushes, so the secret is never exposed to untrusted refs. It also keeps the required offline matrix build fully untouched.

Behavior
- uv pip install --system -r requirements/requirements-test.txt); single Python 3.12 (no matrix needed for the live lane).
- continue-on-error: true -> non-blocking. Cold-pod 500s and empty-page premium ValueError (per test: drop flaky-prod xfails; harden premium limit + live-lane timeout #130) won't fail the run.
- DATAMAXI_TIMEOUT=60 env to tolerate slow cold prod pods (conftest default is 30s).
- paths-ignore mirrors the offline lane (skip docs/md/license/gitignore-only pushes).

Required manual step
The DATAMAXI_API_KEY repo secret must be added in repo settings (Secrets and variables -> Actions) for this lane to authenticate. Until then the lane runs keyless: conftest resolves no key, both live lanes skipif-skip cleanly, and the non-blocking job stays green. Behavior with the secret absent is acceptable.

Test plan
- yaml.safe_load (parse OK).
- python-package.yml) unchanged — no edits.
- continue-on-error, so PRs (this one included) do not trigger it.
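
A sketch of a workflow with the properties the description above lists, next to the expression-gated job it chose not to use. This is an added example, not the repository's live-tests.yml: the action versions, paths-ignore globs, permissions block, job names, pytest invocation and the full gating expression are assumptions.

```yaml
# Added sketch, not the project's file. Assumed values are marked.
name: live-tests

on:
  push:
    branches: [main]          # sole trigger: no pull_request or pull_request_target,
    paths-ignore:             # so fork and feature-branch refs never start this workflow
      - "docs/**"             # assumed globs for "docs/md/license/gitignore"
      - "**.md"
      - "LICENSE"
      - ".gitignore"

permissions:
  contents: read              # assumption: least-privilege GITHUB_TOKEN, not stated in the PR

jobs:
  live:
    runs-on: ubuntu-latest
    continue-on-error: true   # a failed live job does not fail the workflow run
    env:
      # Resolves to an empty string while the repo secret is not configured,
      # which is the keyless case the description says skips cleanly.
      DATAMAXI_API_KEY: ${{ secrets.DATAMAXI_API_KEY }}
      DATAMAXI_TIMEOUT: "60"
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install uv
      - run: uv pip install --system -r requirements/requirements-test.txt
      - run: pytest           # assumed invocation for the integration + smoke lanes

# The alternative the description rejects: a job inside python-package.yml that
# is guarded only by an expression. That workflow still starts on every event
# python-package.yml listens to, so the secret stays out of untrusted runs only
# as long as the expression stays correct through later edits.
#
#   live:
#     if: github.event_name == 'push' && github.ref == 'refs/heads/main'  # constructed
#     env:
#       DATAMAXI_API_KEY: ${{ secrets.DATAMAXI_API_KEY }}
```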