ci: Skip test suite when no code files changed #5889

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft

stephanie-anderson wants to merge 5 commits into master from chore/skip-tests-with-code-unchanged

Draft

ci: Skip test suite when no code files changed #5889

ci: Skip test suite when no code files changed

@sentry/warden / warden: find-bugs completed Mar 26, 2026 in 8m 54s

2 issues

find-bugs: Found 2 issues (2 medium)

Medium

Path filter excludes requirements*.txt files, allowing test bypass - `.github/workflows/ci.yml:29-40`

The changes job filters for code changes but does not include requirements*.txt files in its patterns. The root-level files like requirements-testing.txt, requirements-linting.txt, requirements-docs.txt, and requirements-aws-lambda-layer.txt are used by tox.ini and Makefile. A PR that only modifies these dependency files would skip all CI tests, potentially allowing vulnerable dependencies to be merged without validation.

Also found at:

.github/workflows/test-integrations-mcp.yml:38-48
.github/workflows/test-integrations-web-1.yml:38-48
.github/workflows/test-integrations-agents.yml:38-48

Gate check ignores changes job failures, allowing untested code to pass CI - `.github/workflows/test-integrations-ai-workflow.yml:118`

The check_required_tests job depends on both changes and test-ai_workflow but only validates the test job result. If the changes job fails (e.g., checkout error, paths-filter action error, network issues), the test-ai_workflow job will be skipped due to its dependency failure. Since the gate check now accepts skipped as valid, the CI will pass without running any tests. This could allow untested code to be merged when the change detection mechanism itself fails.

Also found at:

.github/workflows/test-integrations-ai.yml:134
.github/workflows/test-integrations-common.yml:110
.github/workflows/test-integrations-dbs.yml:150
.github/workflows/test-integrations-graphql.yml:122-123
.github/workflows/test-integrations-misc.yml:142
.github/workflows/test-integrations-network.yml:49-51
.github/workflows/test-integrations-network.yml:118
.github/workflows/test-integrations-web-2.yml:146
scripts/split_tox_gh_actions/templates/check_required.jinja:9
.github/workflows/test-integrations-tasks.yml:145
.github/workflows/test-integrations-gevent.yml:110

Duration: 8m 48s · Tokens: 4.4M in / 71.0k out · Cost: $6.99 (+extraction: $0.02, +merge: $0.01, +fix_gate: $0.00)

Annotations

Check warning on line 40 in .github/workflows/ci.yml

sentry-warden / warden: find-bugs

Path filter excludes requirements*.txt files, allowing test bypass

The `changes` job filters for code changes but does not include `requirements*.txt` files in its patterns. The root-level files like `requirements-testing.txt`, `requirements-linting.txt`, `requirements-docs.txt`, and `requirements-aws-lambda-layer.txt` are used by tox.ini and Makefile. A PR that only modifies these dependency files would skip all CI tests, potentially allowing vulnerable dependencies to be merged without validation.

Check warning on line 48 in .github/workflows/test-integrations-mcp.yml

sentry-warden / warden: find-bugs

[8PR-B4R] Path filter excludes requirements*.txt files, allowing test bypass (additional location)

The `changes` job filters for code changes but does not include `requirements*.txt` files in its patterns. The root-level files like `requirements-testing.txt`, `requirements-linting.txt`, `requirements-docs.txt`, and `requirements-aws-lambda-layer.txt` are used by tox.ini and Makefile. A PR that only modifies these dependency files would skip all CI tests, potentially allowing vulnerable dependencies to be merged without validation.

Check warning on line 48 in .github/workflows/test-integrations-web-1.yml

sentry-warden / warden: find-bugs

[8PR-B4R] Path filter excludes requirements*.txt files, allowing test bypass (additional location)

The `changes` job filters for code changes but does not include `requirements*.txt` files in its patterns. The root-level files like `requirements-testing.txt`, `requirements-linting.txt`, `requirements-docs.txt`, and `requirements-aws-lambda-layer.txt` are used by tox.ini and Makefile. A PR that only modifies these dependency files would skip all CI tests, potentially allowing vulnerable dependencies to be merged without validation.

Check warning on line 48 in .github/workflows/test-integrations-agents.yml

sentry-warden / warden: find-bugs

[8PR-B4R] Path filter excludes requirements*.txt files, allowing test bypass (additional location)

The `changes` job filters for code changes but does not include `requirements*.txt` files in its patterns. The root-level files like `requirements-testing.txt`, `requirements-linting.txt`, `requirements-docs.txt`, and `requirements-aws-lambda-layer.txt` are used by tox.ini and Makefile. A PR that only modifies these dependency files would skip all CI tests, potentially allowing vulnerable dependencies to be merged without validation.

Check warning on line 118 in .github/workflows/test-integrations-ai-workflow.yml

sentry-warden / warden: find-bugs

Gate check ignores changes job failures, allowing untested code to pass CI

The `check_required_tests` job depends on both `changes` and `test-ai_workflow` but only validates the test job result. If the `changes` job fails (e.g., checkout error, paths-filter action error, network issues), the `test-ai_workflow` job will be skipped due to its dependency failure. Since the gate check now accepts `skipped` as valid, the CI will pass without running any tests. This could allow untested code to be merged when the change detection mechanism itself fails.

Check warning on line 134 in .github/workflows/test-integrations-ai.yml