From 7c8b736102cbc048707fc59158b688e5c5f11629 Mon Sep 17 00:00:00 2001
From: genisis0x
Date: Wed, 13 May 2026 14:14:18 +0530
Subject: [PATCH] ci: add black + flake8 lint check workflow

Fixes #2060.

Adds a `Lint check` GitHub Actions workflow that runs the existing `make black` and `make flake8` targets on every push to `main` and every pull request. PRs surface formatting and style regressions at review time instead of relying on contributors to remember to run the local Makefile targets first.

Intentional choices:

- Only `black` and `flake8` are enforced in this initial workflow. `make lint` also chains `pylint`, `mypy` and `nbqa`, which have a larger surface and historically carry warnings the team has left intentionally unaddressed (see the long disable-lists in the Makefile comment). Keeping the CI signal binary on the two strict tools means PRs land green or red without a noisy yellow channel; the heavier checks can be folded in via follow-up if maintainers want them.

- Check-only, not auto-fix. The issue's sample workflow pushed generated fixup commits back to the PR branch, which requires `pull_request_target` and `contents: write`. That combination runs with repo-write secrets in the context of an external fork's code and is the standard fork-PR escalation vector. A read-only check gives the same enforcement benefit with no fork-PR security tradeoff; contributors run `make black` / `make flake8` locally to fix issues.

Pinned to a single Python (3.10, middle of the supported range from `test_qlib_from_source.yml`) so the lint job stays fast and doesn't re-run identical lint over the full test matrix.
---
 .github/workflows/lint.yml | 53 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 .github/workflows/lint.yml

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000000..1cbbfb61ec
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,53 @@ +name: Lint check + +# Read-only lint check on pull requests. Runs the existing Makefile lint +# targets (black, flake8) and fails the workflow if any issues are found, +# so PRs surface formatting and lint regressions at review time instead of +# the maintainer having to run them locally. Pylint, mypy and nbqa from the +# `lint` aggregate target are intentionally left out of this initial workflow +# so the CI signal stays green-or-red without flagging long-standing +# diagnostics; they can be added in follow-up changes if maintainers want +# the broader gate. +# +# Auto-fix and auto-commit are explicitly NOT performed here. Pushing +# generated commits back into a PR head requires `pull_request_target` and +# `contents: write`, which is unsafe when the PR comes from an external fork +# (the auto-fix step would run with repo-write secrets in the context of +# untrusted code). A check-only workflow gives the same lint enforcement +# benefit with no fork-PR security tradeoff. + +on: + push: + branches: [main] + pull_request: + branches: [main] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + lint: + name: black + flake8 + runs-on: ubuntu-latest + timeout-minutes: 15 + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.10" + + - name: Install lint dependencies + run: | + python -m pip install --upgrade pip + python -m pip install --no-cache-dir -e .[lint] + + - name: Check formatting with black + run: make black + + - name: Check style with flake8 + run: make flake8
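Review bot: The file declares no `permissions:` block, so the `lint` job inherits whatever default `GITHUB_TOKEN` scope the repository is configured with, and the read-only property the header comment relies on is not enforced by the workflow itself. Fork PRs under `pull_request` get a read-only token regardless, but the `push` trigger on `main` and PRs from branches in the same repository do not. Suggest adding a top-level `permissions:` with `contents: read` between the `on:` and `concurrency:` sections. In the same spirit, the `Checkout` step leaves the token in the local git config by default while the later steps execute code from the checked-out tree (`pip install -e .[lint]`, `make black`, `make flake8`), so `persist-credentials: false` under a `with:` on that step would be worth adding. Lastly, `actions/checkout@v4` and `actions/setup-python@v5` are referenced by mutable tags; pinning both to full commit SHAs, with the tag kept as a trailing comment, keeps the job's inputs fixed.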