From 2339709e25a5892afa988fe6a5bd2e5b215ca541 Mon Sep 17 00:00:00 2001 From: Chris Graf Date: Wed, 1 Jul 2026 12:35:55 -0500 Subject: [PATCH] Make `verify._merge_rc` severity-aware MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Summary mirror autolint's `_autolint_merge_rc` policy in the Python `_merge_rc` so structural exit codes (2, or the unknown-adapter sentinel 125) survive later ordinary findings. Previously the first non-zero code won, so in a multi-tool run a later 125/2 was masked by an earlier 1 — a failing run pointed at an ordinary diagnostic instead of the broken Checkrun contract. Now 125 outranks 2 outranks any other non-zero, matching the shell side. Testing - checkrun test suite: all suites pass (verify-test 108) - new verify-test case asserts the precedence table (1|2->2, 1|125->125, 2|125->125, 1|1->1, and clean-code passthrough) - checkrun lint clean --- lib/checkrun/verify.py | 10 ++++++++++ test/suites/verify-test | 26 ++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/lib/checkrun/verify.py b/lib/checkrun/verify.py index 8d3c58f..f4ad710 100755 --- a/lib/checkrun/verify.py +++ b/lib/checkrun/verify.py @@ -780,10 +780,20 @@ def _parse_cargo_audit_json(project: Path, stdout: str) -> list[dict[str, Any]]: def _merge_rc(current: int, incoming: int) -> int: + # Mirror autolint's _autolint_merge_rc severity policy: ordinary findings + # exit 1, but structural failures use stronger codes (2, or the private + # unknown-adapter sentinel 125) that must survive later plain findings so a + # failing multi-tool run points at the broken Checkrun contract rather than + # an ordinary diagnostic. Without this the first non-zero code wins and a + # later 125/2 would be masked by an earlier 1. if incoming == 0: return current if current == 0: return incoming + if 125 in (current, incoming): + return 125 + if 2 in (current, incoming): + return 2 return current diff --git a/test/suites/verify-test b/test/suites/verify-test index 9ce21ef..81e0237 100755 --- a/test/suites/verify-test +++ b/test/suites/verify-test @@ -1028,4 +1028,30 @@ set -e _assert_exit "autolint: rust lint still exits independently" 0 "$rc" _assert_eq "autolint: does not invoke cargo-audit" "" "$(cat "$_rust_autolint_log")" +echo "=== checkrun: verify _merge_rc severity precedence ===" + +# _merge_rc must mirror autolint's severity policy so a later structural code +# (125 unknown-adapter sentinel, or 2 plumbing) isn't masked by an earlier 1. +_merge_rc_out=$(python3 -c ' +import sys +sys.path.insert(0, sys.argv[1]) +import verify + +cases = [ + ((1, 2), 2), # later plumbing failure wins over earlier finding + ((2, 1), 2), # earlier plumbing failure survives later finding + ((1, 125), 125), # later unknown-adapter sentinel wins + ((125, 1), 125), # earlier sentinel survives + ((2, 125), 125), # 125 outranks 2 + ((1, 1), 1), # two ordinary findings + ((1, 0), 1), # clean incoming keeps current + ((0, 1), 1), # clean current takes incoming +] +for (a, b), expected in cases: + got = verify._merge_rc(a, b) + assert got == expected, f"_merge_rc({a}, {b}) = {got}, expected {expected}" +print("ok") +' "$CHECKRUN_REPO_ROOT/lib/checkrun" 2>&1) +_assert_eq "verify _merge_rc: severity-aware precedence" "ok" "$_merge_rc_out" + _test_summary