20 commits
0952729
feat: complete Phase 1 of version_scanner project
chalmerlowe Jun 11, 2026
163b773
test: fix ConfigManager signature and regex assertions
chalmerlowe Jun 11, 2026
3fd95aa
test: fix regex rule compilation in tests
chalmerlowe Jun 11, 2026
632e3da
fix: prevent truncation in sys.version_info.minor regexes
chalmerlowe Jun 11, 2026
6b844c6
fix: force string format in CSV output to prevent spreadsheet truncation
chalmerlowe Jun 11, 2026
f679fd7
build: update version_scanner.yml triggers to match repo standards
chalmerlowe Jun 11, 2026
2356936
chore: test workflow on push
chalmerlowe Jun 11, 2026
7b8f3c3
chore: update workflow trigger for new branch
chalmerlowe Jun 11, 2026
dc6b011
build: fix scanner output redirection and add artifact upload
chalmerlowe Jun 11, 2026
f357200
chore: updates github action versions and scanner config
chalmerlowe Jun 11, 2026
ae291ad
chore: update filename
chalmerlowe Jun 11, 2026
8b64db7
feat(scanner): add --soft-fail CLI flag and integrate in GHA workflow
chalmerlowe Jun 12, 2026
265ba67
chore(scanner): expand branch triggers to match any version-scanner b…
chalmerlowe Jun 12, 2026
e1c6391
chore(scanner): update cron trigger to run hourly
chalmerlowe Jun 12, 2026
4f67a1a
chore(scanner): simplify console output by removing rule listing and …
chalmerlowe Jun 12, 2026
fe5c56a
chore(scanner): update soft-fail help text and test docstring
chalmerlowe Jun 12, 2026
cc8cd2d
refactor(tests): use idiomatic pytest.raises instead of try-except fo…
chalmerlowe Jun 12, 2026
a002eb1
chore(scanner): address PR review comments on limit, safe-int, and st…
chalmerlowe Jun 12, 2026
e6fe5f6
docs(scanner): add descriptive docstrings to spreadsheet helpers
chalmerlowe Jun 12, 2026
ed30dab
Apply suggestion from @chalmerlowe
chalmerlowe Jun 15, 2026
78 changes: 78 additions & 0 deletions .github/workflows/version_scanner.yml
@@ -0,0 +1,78 @@
name: Version Scan

on:
push:
branches:
- main
- '**version-scanner**'
schedule:
- cron: '0 * * * *' # Run hourly at the top of the hour

@chalmerlowe chalmerlowe Jun 15, 2026

Contributor Author


Currently set to run hourly (which will take effect once it gets merged to main) to help facilitate the development cycle for some upcoming features. Once development is done, we can set this to an appropriate cadence.

Contributor


What do you expect to use long term? Does it make sense to run both on a schedule, and on each commit?

workflow_dispatch:

permissions:
contents: read
issues: write

jobs:
scan:
name: Version Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: '3.14'

- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install pyyaml

- name: Run Version Scanner
run: |
# Uses -o to output a detailed, raw CSV to a file
# Uses --stdout to print a slim, easier to parse summary to the GitHub Actions UI
# Uses --soft-fail to temporarily limit causing CI/CD failures during the migration to full operation.

Contributor


Is the plan to resolve/ignore the current alerts, and then remove --soft-fail?

Contributor Author


@daniel-sanche

Regarding long term plans:
Q1: I do not feel that this issue is critical enough that a presubmit is required. I feel a nightly OR a post-submit is adequate so as to not slow down the normal PR process. The intent is to try to get the kinks worked out, confirm what type of burden this has on performance, and discuss with the team to reach a firm decision on when/how often to run the check, but we are not ready for that conversation yet.

Q2: This is a prototype implementation. The OG version_scanner only accepts one dependency and one version at a time. The implementation plan is to update it so that you can provide a list of runtimes OR dependencies and pair them with a list of versions:

i.e.
python 3.7, 3.8, 3.9 etc
protobuf 4.28.5, 5.16.7

Whatever is needed/whatever the most recent deprecations may be.

Q3: Yes, the plan is to mitigate any existing issues during this migration phase and then disable the --soft-fail in the workflow. Right now we have a number of false positives. We have a few true positives that might have slipped through the cracks. I wanna minimize any kerfuffle when this goes live.

python scripts/version_scanner/version_scanner.py -d python -v 3.7 --stdout -o version_scanner_output.csv --soft-fail

Contributor


I saw in the output, it is looking for 3.7. Is this where that is configured? Can that be an envvar/argument?

Why search for just 3.7 specifically? Should we be checking for all outdated versions?


- name: Upload CSV Results
if: always()
uses: actions/upload-artifact@v7
with:
name: version-scanner-results
path: version_scanner_output.csv

- name: Create or update issue on finding
if: failure()
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
TITLE="Version Scanner found deprecated dependencies"
RUN_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"

# Read the first 50 lines to prevent blowing up the issue body if it's massive
CSV_PREVIEW=$(head -n 50 version_scanner_output.csv)

BODY="The [Version Scanner]($RUN_URL) found deprecated dependencies in the repository.

**Matches Found:**
\`\`\`csv
$CSV_PREVIEW
\`\`\`
*(If there are more than 50 matches, see the workflow logs for the full list)*"

Contributor Author


The following is a prototype of enabling the creation of an issue if/when future regressions are found, since the scans are intended to be run nightly OR as a post-submit (exact cadence is TBD during a later phase of the project).

# Mirroring regenerate-all.yml: check if an issue already exists to prevent spam
EXISTING_ISSUE=$(gh issue list --state open --search "in:title \"$TITLE\"" --json number --jq '.[0].number')

if [ -z "$EXISTING_ISSUE" ]; then
echo "WOULD HAVE CREATED ISSUE:"
echo "gh issue create --title \"$TITLE\" --body \"$BODY\""
# gh issue create --title "$TITLE" --body "$BODY"
else
echo "Issue #$EXISTING_ISSUE already exists."
echo "WOULD HAVE ADDED COMMENT:"
echo "gh issue comment \"$EXISTING_ISSUE\" --body \"Another scanner run found deprecated dependencies: $RUN_URL\""
# gh issue comment "$EXISTING_ISSUE" --body "Another scanner run found deprecated dependencies: $RUN_URL"
fi
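Review bot: on the "Create or update issue on finding" step, `if: failure()` is true when any earlier step in the job fails, such as `pip install pyyaml`, so an issue titled "Version Scanner found deprecated dependencies" would be raised for failures that have nothing to do with findings, and `head -n 50 version_scanner_output.csv` would then read a file that may not exist. Give the "Run Version Scanner" step an `id` and gate this step on that step's outcome (`steps.<id>.outcome == 'failure'`). Separately, `issues: write` is granted for the whole workflow while both `gh issue create` and `gh issue comment` are still commented out; scope it to the `scan` job and reduce it to `read` until those calls are enabled. `actions/checkout@v6`, `actions/setup-python@v6` and `actions/upload-artifact@v7` are referenced by mutable tag and `pyyaml` is installed unpinned; pinning the actions to commit SHAs and the package to a version keeps an hourly scheduled job from picking up changed upstream code unnoticed.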
14 changes: 7 additions & 7 deletions scripts/version_scanner/regex_config.yaml
Expand Up @@ -58,15 +58,15 @@ rules:
- |
sys\.version_info\s*<\s*\(3,\s*{minor_plus_one}\)
- |
sys\.version_info\.minor\s*==\s*{minor}
sys\.version_info\.minor\s*==\s*{minor}(?!\d)
- |
sys\.version_info\.minor\s*>=\s*{minor}
sys\.version_info\.minor\s*>=\s*{minor}(?!\d)
- |
sys\.version_info\.minor\s*<=\s*{minor}
sys\.version_info\.minor\s*<=\s*{minor}(?!\d)
- |
sys\.version_info\.minor\s*>\s*{minor_minus_one}
sys\.version_info\.minor\s*>\s*{minor_minus_one}(?!\d)
- |
sys\.version_info\.minor\s*<\s*{minor_plus_one}
sys\.version_info\.minor\s*<\s*{minor_plus_one}(?!\d)

- name: python_env_short
description: Finds short python environment names often used in tox or nox.
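Review bot: the `(?!\d)` guard is appended by hand to each of the five `sys\.version_info\.minor` patterns, so the next rule added to this list can silently reintroduce the digit-prefix match (a minor of `1` matching `10`). Consider applying the boundary once, where `{minor}`, `{minor_minus_one}` and `{minor_plus_one}` are substituted, or state the requirement in the rule's `description`. The unchanged tuple pattern at the top of the hunk is already bounded by its closing `\)`, which is worth a short comment so nobody "fixes" it later.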
Expand All @@ -87,7 +87,7 @@ rules:
- "Python3.7"
rules:
- |
python3\.{minor}
python3\.{minor}(?!\d)

- name: combined_version_string
description: Finds combined version strings often used in class or variable names.
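Review bot: the list entry `"Python3.7"` just above `rules:` is capitalised, while the pattern `python3\.{minor}(?!\d)` is lowercase, and nothing in this hunk shows the rule being compiled case-insensitively. Please confirm the matching flags or add the lowercase form to that list, and include one string with a trailing digit after the minor version so the new lookahead is exercised.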
Expand All @@ -97,6 +97,6 @@ rules:
- "Python37DeprecationWarning"
rules:
- |
Python{major}{minor}
Python{major}{minor}(?!\d)


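Review bot: the only sample string visible for this rule, `"Python37DeprecationWarning"`, is a positive match, so nothing here exercises the new `(?!\d)` on `Python{major}{minor}`. Add a non-matching case beside it (a name where the version digits are followed directly by another digit) and assert in the tests that it is not reported. Because major and minor are concatenated without a separator, this rule is the one most exposed to the prefix match.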