From e4a659485b22c4e1bed43678662a77bac24a66cf Mon Sep 17 00:00:00 2001 From: Jen Hamon Date: Wed, 11 Feb 2026 11:13:28 -0500 Subject: [PATCH 1/2] Add disableIntegrationTests option to release workflow Adds a new boolean input to the production release workflow that allows skipping integration and dependency tests while keeping unit tests and install tests. This provides a way to bypass flaky integration test environments while still maintaining basic quality checks before releasing. When disableIntegrationTests is true: - Unit tests still run - Install tests still run - Integration tests are skipped - Dependency tests are skipped - Test project creation/cleanup is skipped This is useful for emergency releases when CI integration tests are experiencing environment-related issues (like the current test data pollution causing failures in test_query_future.py). Co-authored-by: Cursor --- .github/workflows/release-prod.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-prod.yaml b/.github/workflows/release-prod.yaml index 95114d45b..3b03f5d2d 100644 --- a/.github/workflows/release-prod.yaml +++ b/.github/workflows/release-prod.yaml @@ -17,6 +17,11 @@ on: - 'patch' # bug fixes - 'minor' # new features, backwards compatible - 'major' # breaking changes + disableIntegrationTests: + description: 'Skip integration and dependency tests (keeps unit tests and linting)' + required: false + type: boolean + default: false permissions: contents: write @@ -29,12 +34,14 @@ jobs: python_versions_json: '["3.10"]' create-project: + if: ${{ !inputs.disableIntegrationTests }} uses: './.github/workflows/project-setup.yaml' secrets: inherit needs: - unit-tests integration-tests: + if: ${{ !inputs.disableIntegrationTests }} uses: './.github/workflows/testing-integration.yaml' secrets: inherit needs: 
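Review bot: In the first hunk (`-17,6 +17,11`), the `description` of the new `disableIntegrationTests` input says the option "keeps unit tests and linting", while the commit message and the job conditions in this patch keep unit tests and install tests; no lint job appears in the visible hunks. This text is what the person dispatching a production release sees when deciding to bypass a gate, so it should state exactly what is skipped and what still runs, for example `description: 'Skip integration and dependency tests (unit tests and install tests still run)'`. A short comment above the input, such as `# Emergency use only: a release made with this set has not passed integration or dependency tests`, would also make the reduced assurance explicit in the workflow file.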
@@ -47,6 +54,7 @@ jobs: sparse_index_host: ${{ needs.create-project.outputs.index_host_sparse }} dependency-tests: + if: ${{ !inputs.disableIntegrationTests }} uses: './.github/workflows/testing-dependency.yaml' secrets: inherit needs: @@ -66,6 +74,7 @@ jobs: - integration-tests - dependency-tests - install-tests + if: ${{ always() && !cancelled() }} with: isPrerelease: false ref: ${{ inputs.ref }} @@ -83,7 +92,7 @@ jobs: - pypi cleanup-project: - if: ${{ always() }} + if: ${{ always() && !inputs.disableIntegrationTests }} needs: - create-project - integration-tests From 3e92cfe92ee61a5b858211a26eee63a437449f25 Mon Sep 17 00:00:00 2001 From: Jen Hamon Date: Wed, 11 Feb 2026 11:41:04 -0500 Subject: [PATCH 2/2] Fix critical security issue: prevent publishing on test failures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change pypi job condition from 'always() && !cancelled()' to '!failure() && !cancelled()' to ensure PyPI publishing is blocked when required tests (unit-tests or install-tests) fail. The previous condition was too permissive and would allow publishing even when critical tests failed. The new condition correctly: - ✅ Allows publishing when integration tests are skipped - ✅ Allows publishing when integration tests succeed - ❌ Blocks publishing when any required test fails Co-authored-by: Cursor --- .github/workflows/release-prod.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-prod.yaml b/.github/workflows/release-prod.yaml index 3b03f5d2d..0c89c285f 100644 --- a/.github/workflows/release-prod.yaml +++ b/.github/workflows/release-prod.yaml @@ -74,7 +74,7 @@ jobs: - integration-tests - dependency-tests - install-tests - if: ${{ always() && !cancelled() }} + if: ${{ !failure() && !cancelled() }} with: isPrerelease: false ref: ${{ inputs.ref }}
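Review bot: In the hunk of patch 2/2 (`-74,7 +74,7`), `!failure() && !cancelled()` treats a skipped dependency the same as a successful one for every job in `needs`, so the publish job would also run if a required job such as `unit-tests` or `install-tests` were ever skipped rather than failed, regardless of `disableIntegrationTests`. For a job that publishes to PyPI it is safer to assert the required results positively and tolerate `skipped` only for the optional jobs, e.g. `if: ${{ !cancelled() && !contains(needs.*.result, 'failure') && needs.install-tests.result == 'success' }}`, with the same `== 'success'` test for `unit-tests` if it is in this job's `needs` list. The `needs` list and the job name start above the hunk, so confirm which jobs are direct dependencies before adopting this.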