ci: doccano-django sample coverage gate (build vs release)

Adds .github/workflows/doccano-django.yml — runs ONLY on changes
under doccano-django/ (or this workflow file) so unrelated
samples in this repo don't pay the doccano runtime cost.

Three jobs:

* `build-coverage` — checks out the PR's HEAD ref, brings up
  the sample's compose, drives flow.sh bootstrap +
  record-traffic with a per-call audit log enabled, runs
  flow.sh coverage. Captures the percentage as a job output.
* `release-coverage` — same end-to-end against
  github.event.pull_request.base.ref (typically main) so we
  have a baseline to compare against. Skipped on direct push
  events to main (no baseline to diff against — main IS the
  baseline).
* `coverage-gate` — fails the PR if build's coverage drops
  more than COVERAGE_THRESHOLD pp below release.
  COVERAGE_THRESHOLD defaults to 1.0pp; override with the
  `DOCCANO_COVERAGE_THRESHOLD` actions variable per-repo.
  Sticky-comments the PR with the diff via
  marocchino/sticky-pull-request-comment so reviewers see the
  delta inline.

The two measurement jobs share their body via
.github/workflows/scripts/run-and-measure.sh — same script,
different ref. Lifting it out of the YAML keeps the YAML focused
on orchestration (matrix / outputs / artifacts) and the bash on
the actual workflow logic.

Coverage source uses flow.sh's per-call audit log
(DOCCANO_FIRED_ROUTES_FILE). That makes the measurement genuinely
keploy-independent: the workflow doesn't run keploy at all,
doesn't compare against recorded test sets, just measures what
the sample's flow.sh ACTUALLY exercises against doccano's URL
resolver. Lane scripts in keploy/integrations and keploy/enterprise
consume the same flow.sh but use the keploy/test-set-*/tests/*.yaml
tree as their numerator (authoritative — only calls keploy actually
captured count). Both modes are wired into
flow.sh::doccano_list_recorded_routes via the
DOCCANO_FIRED_ROUTES_FILE fallback.

Sample-side changes:

* flow.sh::doccano_wait_for_fixed_token extracted as its own
  function (was inlined into doccano_bootstrap_token, broke
  doccano_record_traffic's forward reference and silently
  fail-fasted under set -e).
* flow.sh::doccano_record_traffic gates on
  doccano_wait_for_fixed_token before any curl fires —
  port-open isn't a sufficient readiness signal under
  SIGINT-driven shutdown, the very first curl -fsS POST would
  5xx on a still-booting gunicorn and silently kill the script.
* flow.sh::log_fired writes (METHOD, URL) to
  DOCCANO_FIRED_ROUTES_FILE before each curl in
  doccano_record_traffic. Cheap, optional (no-op when env var
  unset), and keeps the audit log adjacent to the curl that
  produces it so future contributors can't add a curl without
  also adding the log entry.
* flow.sh::doccano_list_recorded_routes falls back to the audit
  log when no keploy/test-set-*/tests/*.yaml exists — the
  standalone-mode numerator the workflow needs.

Verified locally: workflow body (`run-and-measure.sh`) runs
end-to-end against bare doccano in ~3 minutes, captures 16
unique (method, path) pairs, emits coverage=11.1% to
GITHUB_OUTPUT. The gate logic itself is plain bash + python3
arithmetic; no codecov/coveralls dependency, no hosted service
needed.

Signed-off-by: Akash Kumar <meakash7902@gmail.com>

Author: AkashKumar7902

.github/workflows/doccano-django.yml

@@ -0,0 +1,172 @@
+# doccano-django sample CI — keploy-independent end-to-end smoke +
+# coverage gate.
+#
+# Triggers ONLY on changes under doccano-django/ (or this workflow
+# file). Other samples in this repo have their own orthogonal CI;
+# gating the whole repo on every doccano change would slow them
+# all down for no benefit.
+#
+# What it gates:
+#   * `release-coverage` — checks out the PR's base branch (main)
+#     and runs the sample end-to-end: docker compose up, bootstrap
+#     admin token, drive flow.sh record-traffic with the per-call
+#     audit log enabled, capture the route-coverage percentage from
+#     `flow.sh coverage`. This is the baseline.
+#   * `build-coverage` — same end-to-end against the PR's HEAD ref.
+#   * `coverage-gate` — fails the PR if `build`'s coverage drops
+#     more than COVERAGE_THRESHOLD percentage points below
+#     `release`. Default threshold is 1.0pp; override via repo
+#     variable `DOCCANO_COVERAGE_THRESHOLD` for a tighter or
+#     looser bar.
+#
+# On push to main, only `build-coverage` runs (no baseline to
+# compare against — main IS the baseline).
+#
+# Standards-aligned choices:
+#   * `paths:` filter on both push and pull_request triggers — the
+#     canonical GH Actions way to scope a workflow to one
+#     subdirectory.
+#   * Job outputs (steps.<id>.outputs.coverage → needs.<job>.outputs)
+#     to thread the captured percentage between jobs.
+#   * `concurrency:` cancel-in-progress on the same ref so a stale
+#     run doesn't waste runner minutes.
+#   * actions/upload-artifact for the human-readable
+#     coverage_report.txt — reviewers can inspect missing routes
+#     directly from the PR's "checks" tab.
+#   * marocchino/sticky-pull-request-comment for the PR-side diff
+#     comment. Pinned-by-header so successive runs update the same
+#     comment instead of fanning out.
+#   * The compare step is plain bash + python3 (no external
+#     coverage service). For full Python coverage.py XMLs you'd
+#     want diff-cover or codecov, but the sample's coverage is
+#     API-route-based (single percentage), so the gate is a 3-line
+#     subtraction.
+#
+# Sample is genuinely keploy-independent here: the workflow uses
+# flow.sh's $DOCCANO_FIRED_ROUTES_FILE per-call audit log as its
+# numerator source, not a keploy recording. The lane scripts in
+# keploy/integrations and keploy/enterprise consume the same
+# flow.sh, but use the keploy/test-set-*/tests/*.yaml tree as
+# their numerator (authoritative — only calls keploy actually
+# CAPTURED count). Both modes are wired into
+# `flow.sh::doccano_list_recorded_routes`.
+name: doccano-django sample
+
+on:
+  pull_request:
+    paths:
+      - 'doccano-django/**'
+      - '.github/workflows/doccano-django.yml'
+  push:
+    branches: [main]
+    paths:
+      - 'doccano-django/**'
+      - '.github/workflows/doccano-django.yml'
+  workflow_dispatch: {}
+
+concurrency:
+  group: doccano-django-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  COVERAGE_THRESHOLD: ${{ vars.DOCCANO_COVERAGE_THRESHOLD || '1.0' }}
+
+jobs:
+  build-coverage:
+    name: build (current ref) coverage
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    outputs:
+      coverage: ${{ steps.measure.outputs.coverage }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: measure
+        name: Run sample end-to-end + measure coverage
+        working-directory: doccano-django
+        env:
+          DOCCANO_FIRED_ROUTES_FILE: ${{ runner.temp }}/fired-routes-build.log
+          DOCCANO_PHASE: ci-build
+        run: ../.github/workflows/scripts/run-and-measure.sh
+
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-build
+          path: doccano-django/coverage_report.txt
+          if-no-files-found: warn
+
+  release-coverage:
+    if: github.event_name == 'pull_request'
+    name: release (base ref) coverage
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    outputs:
+      coverage: ${{ steps.measure.outputs.coverage }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+      - id: measure
+        name: Run sample end-to-end + measure coverage
+        working-directory: doccano-django
+        env:
+          DOCCANO_FIRED_ROUTES_FILE: ${{ runner.temp }}/fired-routes-release.log
+          DOCCANO_PHASE: ci-release
+        run: ../.github/workflows/scripts/run-and-measure.sh
+
+      - name: Upload coverage report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-release
+          path: doccano-django/coverage_report.txt
+          if-no-files-found: warn
+
+  coverage-gate:
+    if: github.event_name == 'pull_request'
+    name: coverage gate
+    needs: [build-coverage, release-coverage]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Compare build vs release
+        env:
+          BUILD: ${{ needs.build-coverage.outputs.coverage }}
+          RELEASE: ${{ needs.release-coverage.outputs.coverage }}
+          THRESHOLD: ${{ env.COVERAGE_THRESHOLD }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: |
+          set -Eeuo pipefail
+          if [ -z "${BUILD:-}" ] || [ -z "${RELEASE:-}" ]; then
+            echo "::error::missing coverage outputs — build='${BUILD:-}' release='${RELEASE:-}'"
+            exit 1
+          fi
+          drop=$(python3 -c "print(round(${RELEASE} - ${BUILD}, 2))")
+          echo "Release (${BASE_REF}): ${RELEASE}%"
+          echo "Build   (this PR):     ${BUILD}%"
+          echo "Drop:                  ${drop}pp (threshold ${THRESHOLD}pp)"
+          if python3 -c "import sys; sys.exit(0 if (${RELEASE} - ${BUILD}) > ${THRESHOLD} else 1)"; then
+            echo "::error::doccano-django coverage dropped from ${RELEASE}% → ${BUILD}% (-${drop}pp), exceeding the ${THRESHOLD}pp threshold."
+            echo "Suggested actions:"
+            echo "  * Add curl(s) to flow.sh::doccano_record_traffic that exercise the routes you changed/touched."
+            echo "  * If the route(s) was intentionally retired, drop it from doccano-django/flow.sh::doccano_list_routes' SCOPE_PREFIXES too so it's removed from the denominator."
+            exit 1
+          fi
+          echo "OK — coverage delta within ${THRESHOLD}pp threshold."
+
+      - name: Sticky PR comment
+        if: ${{ !cancelled() }}
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          header: doccano-django-coverage
+          message: |
+            ### doccano-django sample coverage
+
+            | ref | coverage |
+            |---|---|
+            | base (`${{ github.event.pull_request.base.ref }}`) | **${{ needs.release-coverage.outputs.coverage }}%** |
+            | this PR | **${{ needs.build-coverage.outputs.coverage }}%** |
+
+            Threshold: PR may not drop coverage by more than **${{ env.COVERAGE_THRESHOLD }}pp**. Override per-repo via the `DOCCANO_COVERAGE_THRESHOLD` actions variable.
+
+            Coverage measures the API surface (`/v1/projects/*` + `/v1/me` + `/v1/users` + `/v1/health` + `/v1/auth`) that `flow.sh::doccano_record_traffic` actually exercises against the running backend's URL resolver. Reports are attached as artifacts on each job ("coverage-build" / "coverage-release").

.github/workflows/scripts/run-and-measure.sh

@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+#
+# run-and-measure.sh — bring doccano up via the sample's compose,
+# run flow.sh bootstrap + record-traffic with the per-call audit
+# log enabled, run flow.sh coverage, and emit `coverage=PCT`
+# onto $GITHUB_OUTPUT for the downstream coverage-gate job.
+#
+# Called from .github/workflows/doccano-django.yml's
+# build-coverage and release-coverage jobs (one per ref under
+# comparison). Both jobs source the same script so the
+# measurement is identical across refs — any drift in the
+# numerator definition would otherwise produce a misleading
+# delta.
+#
+# Inputs (all from the workflow env):
+#   DOCCANO_FIRED_ROUTES_FILE   — per-call audit log path; passed
+#                                 through to flow.sh so its
+#                                 record-traffic loop logs each
+#                                 (METHOD, URL) pair, and so its
+#                                 coverage subcommand uses that
+#                                 file as the standalone
+#                                 numerator.
+#   DOCCANO_PHASE               — label spliced into the project
+#                                 name so build vs. release runs
+#                                 don't collide on volume names
+#                                 (compose project naming inside
+#                                 the GH runner is per-job
+#                                 anyway, but DOCCANO_PHASE shows
+#                                 up in the test fixtures and
+#                                 is useful for diffing logs).
+#   GITHUB_OUTPUT               — standard GH Actions sink for
+#                                 step outputs.
+set -Eeuo pipefail
+
+export DOCCANO_BACKEND_CONTAINER="${DOCCANO_BACKEND_CONTAINER:-doccano_backend}"
+export DOCCANO_DB_CONTAINER="${DOCCANO_DB_CONTAINER:-doccano_db}"
+export DOCCANO_APP_PORT="${DOCCANO_APP_PORT:-18080}"
+export DOCCANO_FIXED_TOKEN="${DOCCANO_FIXED_TOKEN:-ac38262065f0ae1476b6a707d9d697a101764a6b}"
+: "${DOCCANO_FIRED_ROUTES_FILE:?DOCCANO_FIRED_ROUTES_FILE must be set by the workflow}"
+
+# Reset audit log for this run; otherwise a prior run's entries
+# would inflate the numerator on a re-trigger.
+: >"$DOCCANO_FIRED_ROUTES_FILE"
+
+# Stage 1: bring up doccano with bootstrap so the admin user +
+# fixed token persist into the named volume.
+DOCCANO_SKIP_BOOTSTRAP=0 docker compose up -d
+
+# Wait for the backend to start serving (not just port-open).
+# Cold doccano boot runs Django migrations + admin user create,
+# which on a GH runner can hit 90-120s.
+for i in $(seq 1 120); do
+    code=$(curl -sS -o /dev/null -w '%{http_code}' \
+        "http://127.0.0.1:${DOCCANO_APP_PORT}/v1/health/" 2>/dev/null || echo "")
+    if [ -n "$code" ] && [ "$code" != "000" ]; then break; fi
+    sleep 2
+done
+
+bash flow.sh bootstrap 240
+docker compose down --remove-orphans
+
+# Stage 2: re-launch in skip-bootstrap mode against the populated
+# volume — same shape the keploy lanes use.
+DOCCANO_SKIP_BOOTSTRAP=1 docker compose up -d
+
+# Drive traffic. flow.sh::doccano_record_traffic gates on
+# doccano_wait_for_fixed_token internally, so this won't fire
+# curls at a half-booted backend.
+bash flow.sh record-traffic
+
+# Coverage report — uses DOCCANO_FIRED_ROUTES_FILE as numerator
+# since no keploy/test-set-* tree exists in the standalone case.
+COVERAGE_REPORT_FILE="$PWD/coverage_report.txt" bash flow.sh coverage
+
+# Pull the percentage out of the report's `Covered N/M (XX.X%)`
+# line. Anchored on the parenthesised form so a future change to
+# the report's prose doesn't break the parse.
+pct=$(grep -oE '\([0-9]+\.[0-9]+%\)' coverage_report.txt | head -1 | tr -d '()%')
+if [ -z "$pct" ]; then
+    echo "::error::Could not parse coverage percentage from coverage_report.txt"
+    cat coverage_report.txt || true
+    exit 1
+fi
+echo "coverage=${pct}" >>"$GITHUB_OUTPUT"
+echo "coverage: ${pct}% (audit log: $DOCCANO_FIRED_ROUTES_FILE)"
+
+docker compose down -v --remove-orphans