ci: bump github/codeql-action from 3 to 4 #6
Merged
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Labels

The following labels could not be found: Please fix the above issues or remove invalid values from
aallan approved these changes on Feb 23, 2026
aallan added a commit that referenced this pull request on Feb 23, 2026
…deql-action-4 ci: bump github/codeql-action from 3 to 4
aallan added a commit that referenced this pull request on Apr 23, 2026

Fourth bug surfaced during the Game of Life agent run: Vera's compiler doesn't emit WASM return_call in tail positions, so tail-recursive functions — the documented for/while replacement — blow the call stack at ~tens of thousands of frames.

Added:
- KNOWN_ISSUES.md: new row under Bugs describing the missing TCO and the SKILL.md idiom-vs-reality gap.
- ROADMAP.md: #517 inserted at position 4 in the short-term implementation-order table; #475 pushed to #5, #507 to #6.

No code changes.

Co-Authored-By: Claude <noreply@anthropic.invalid>
aallan added a commit that referenced this pull request on May 7, 2026

Two Conway's Life agent experiments on --target browser surfaced five concrete blockers (issues #602/#603/#604/#609/#610) and an explicit design memo (#608) mapping each obstacle to a concrete runtime-only fix.

The current stabilisation framing covers codegen reliability and walker completeness but treats browser-target reliability as a separate concern. The agent's diagnosis makes that split harder to defend: "write once, run anywhere" is currently true for pure computation and approximate-to-false for anything with timing or screen output.

Two of the fixes (#609 JSPI-driven IO.sleep, #610 ANSI subset interpreter) close the timing and rendering halves of the seam without language changes -- adding them to the stabilisation tier commits to "browser-target Vera is something you'd actually use" before the agent-integration push.

Changes:
- Expanded the campaign-pattern list from two patterns to three; third pattern documents the browser-target seam with links to the umbrella issue (#608) and the five concrete blockers.
- Added #609 (JSPI-driven IO.sleep) as item 3 in the stabilisation tier, with rationale + the WebAssembly JSPI / Asyncify mechanism.
- Added #610 (ANSI subset interpreter) as item 4 in the same tier, paired with #609 -- together they close the seam and let life.vera (terminal version) run unchanged on --target browser.
- Renumbered #595 from item 3 to item 5 (now last in stabilisation, since it's contingent on an upstream wasmtime-py release).
- Renumbered the agent-integration tier items 4/5/6 -> 6/7/8 to match.
- Updated the "What moves when" gate from "#4 starts when #1-#3 are closed" to "#6 starts when #1-#5 are closed".

Co-Authored-By: Claude <noreply@anthropic.invalid>
aallan added a commit that referenced this pull request on May 11, 2026
Three further findings from CodeRabbit's review of `067817b` — one
🟠 Major correctness mirror, two 🟡 Minor quality fixes.
CR-6 (`TESTING.md:9`) — 🟡
The "lines of test code" prose count in the overview table read
~35,939; the actual `find tests -name "test_*.py" -type f -exec
wc -l {} +` aggregate is 50,638. My running deltas correctly
tracked incremental changes but preserved an already-incorrect
baseline. `scripts/check_doc_counts.py` only validates the
total-tests + file-count fields against live counts (regex over
prose at lines 121-130), not the per-file line-count tail of the
"Tests" row — so the drift wasn't caught locally. Updated to
~50,638.
CR-7 (`tests/test_codegen.py::TestGenericMonoSuffixFromSlotRef604`)
— 🟡
The existing `test_template_warning_suppressed_when_mono_clone_compiles`
covered only the positive path. An over-broad suppressor that
dropped *all* forall-decl warnings would pass that test silently.
Added a sibling negative-control test
`test_template_warning_NOT_suppressed_when_generic_never_called`:
defines `private forall<T> fn unused_generic(@t -> @t)` that's
never called; asserts an `[E604]` template warning DOES fire for
it (no mono clone exists for an uncalled generic, so the
suppression's `compiled_mono_bases & forall_decl_names`
intersection is empty for this fn). Pin protects the targeted-
not-blanket suppression semantics.
CR-8 (`vera/wasm/calls.py::_infer_fn_alias_type_args_wasm`) — 🟠
The monomorphiser's `_infer_fn_alias_type_args` (in
`vera/codegen/monomorphize.py`) has an `elif isinstance(
arg_return, ast.FnType): alias_mapping[ret.name] = "Fn"` branch
that handles higher-order aliases (callable arg returns another
function). The WASM-side mirror was missing that branch. In
that case the return-type var stayed unbound, fell back to
`"Bool"` at result-building time, and `_resolve_generic_call`
rewrote the call to a mangled name that did NOT match the mono
clone Pass 1.5 registered. Added the matching branch with a
comment cross-referencing the monomorphiser-side binding and
explaining the failure mode without it (e.g. a `type Lifter<F> =
fn(Int -> F) effects(pure)` called with a fn-returning AnonFn).
Validation
- mypy: clean (59 source files)
- pytest: 3,795 passed, 14 skipped (was 3,794 + 1 new test)
- e602 gate: 116 files clean, 6 allowlist matched, 0 stale
- doc-counts: consistent
Refs #604 #655 #659
Co-Authored-By: Claude <noreply@anthropic.invalid>
aallan added a commit that referenced this pull request on May 13, 2026

Following user direction to pull all 7 deferred pr-review findings into this PR rather than file a follow-up. The 4 small code fixes (items 2/3/5/8) plus 2 new test files (items 6/7) land here.

Code fixes:
- **#2 ModuleCall path-drop** (`vera/wasm/inference.py:289-292` and `:~973`) — both `_infer_expr_wasm_type::ModuleCall` and `_infer_vera_type::ModuleCall` previously synthesised a fake `ast.FnCall(name=expr.name, args=expr.args)` for dispatch, silently dropping `expr.path: tuple[str, ...]`. If a regression ever flowed a ModuleCall to either helper, the fake-FnCall lookup could match a same-name local fn from a different module — silent wrong-answer rather than safe failure. Now both return `None` so the unknown-type surfaces cleanly.
- **#3 AnonFn placeholder** (`vera/wasm/inference.py:~967`) — `_infer_vera_type::AnonFn` previously returned the literal string `"Fn"` as a placeholder. No callsite recognised `"Fn"` as a real Vera type; downstream type-arg mangling paths (`vera/wasm/calls.py:1525,1533`) would feed it into mangled names like `option_map$Int_Fn`. Now returns `None` for the same reason.
- **#5 Factually wrong "closure pipeline" comments** (`vera/codegen/compilability.py:~236, ~393`, both WALKER_COVERAGE checklists + inline pre-branch comments) — the `AnonFn` defensive branches were described as "masked today by closure pipeline running its own scan", but pr-review surfaced that `vera/codegen/closures.py::_compile_lifted_closure` does NOT call `_scan_io_ops` or `_scan_body_for_state_handlers` on lifted bodies. The AnonFn branch is the PRIMARY defence, not redundant. Comments now state this directly.
- **#8 Dead `is not None` guards** (`vera/wasm/inference.py:~954, ~961`) — `Block.expr` and `HandleExpr.body.expr` are non-Optional in the AST schema (`vera/ast.py:470, 481`). The guards in the `_infer_vera_type` defensive branches were unreachable defensive code. Removed; direct calls now.

Test additions:
- **#6 Synthetic-AST tests for defensive branches** (`tests/test_walker_defensive_branches_597.py`, 21 tests, 296 lines) — direct AST invocation pinning each of the 11 defensive branches plus the 5 pr-review fixes. Without these the defensive branches have 0% coverage (`coverage run` confirmed) — a future refactor breaking one would land silently.
- **#7 Unit tests for the enforcement script** (`tests/test_check_walker_coverage_597.py`, 12 tests, 255 lines) — pins the script's parsing logic: Expr subclass extraction, isinstance flattening (incl. tuple form), checklist-block anchoring (incl. CR-3 regression test: `# Foo → bar` outside the WALKER_COVERAGE block must not be counted), section-header tolerance, auto-discovery invariants, end-to-end exit code.

CHANGELOG/HISTORY:
- Extended the v0.0.151 entry with two new sub-sections under "Fixed" (pr-review follow-ups) and a new "Tests" section documenting the two regression-test files.

Doc counts (auto-validated by `check_doc_counts.py`):
- TESTING.md total: 3,827 → 3,860 tests (+33), 29 → 31 files
- TESTING.md table: two new rows for the test files
- ROADMAP.md: 3,827 → 3,860
- README.md: 3,827 → 3,860

Validation:
- `pytest tests/ -q` → 3,846 passed, 14 skipped (+33 net new)
- `mypy vera/` → clean
- `python scripts/check_walker_coverage.py` → 9 walkers cover all 29 Expr subclasses (clean)
- `python scripts/check_doc_counts.py` → consistent across all surfaces

Refs #597 #668

Co-Authored-By: Claude <noreply@anthropic.invalid>
Bumps github/codeql-action from 3 to 4.
Release notes
Sourced from github/codeql-action's releases.
... (truncated)
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
- 5c96b6e Add JSDoc comments to `upload-lib` types
- 44a4bea Fixup: add missing `.env`
- 11c6c18 Only run when debugging or test mode is enabled
- 99fcc7b Check whether `value` is a URL in `checkEnvVar` and clear credentials
- c1d6ee5 Fix typos
- ef9cfd9 Clear GHA `JAVA_HOME_*` env vars for `discoverActionsJdks` test

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)