Summary
When lint.yml was re-enabled as a PR gate (PR #31), it surfaced two pre-existing conditions that were never enforced while the workflow was disabled. Both were made non-blocking so #31 could land; this issue tracks tightening them back into hard gates.
1. Burn down mypy type debt, then make mypy blocking
uv run mypy tango/ reports 28 pre-existing errors across 6 files (none introduced by #31). Until they're cleared, the Type check with mypy (advisory) step in .github/workflows/lint.yml runs with continue-on-error: true.
Errors cluster in:
tango/shapes/schema.py — FieldSchema.type not valid as a typetango/shapes/parser.py — SchemaRegistry | None union-attr (lazy-init not narrowed)tango/shapes/generator.py — unreachable statements, field_type multi-type assignment, no-any-returntango/shapes/factory.py — unreachable statements, no-any-returntango/client.py:3062-3068 — WebhookAlert constructor arg types (str | None vs str, status literal)tango/webhooks/cli.py:200 — incompatible assignment on sample-payload union
Done when: mypy tango/ is clean and the continue-on-error: true is removed from the mypy step.
2. Configure TANGO_API_REPO_ACCESS_TOKEN, then make conformance blocking
The conformance job checks out the private makegov/tango repo for the canonical filter_shape_contract.json. Public CI has no token, so the job currently skips cleanly (gated on secrets.TANGO_API_REPO_ACCESS_TOKEN != '') instead of failing red.
Done when: a TANGO_API_REPO_ACCESS_TOKEN repo secret (read access to makegov/tango) is configured. The job then runs automatically and becomes a hard gate — no workflow change needed beyond verifying it passes. (The same pattern is in tango-node's ci.yml and would benefit from the same secret.)
Context
Both mitigations are documented inline in .github/workflows/lint.yml and in the CHANGELOG CI note for the 1.1.0 cycle. This is intentionally split from #31 to keep the API-sync PR scoped — neither item is caused by or blocks that work.
~ Mark
Summary
When
lint.ymlwas re-enabled as a PR gate (PR #31), it surfaced two pre-existing conditions that were never enforced while the workflow was disabled. Both were made non-blocking so #31 could land; this issue tracks tightening them back into hard gates.1. Burn down mypy type debt, then make mypy blocking
uv run mypy tango/reports 28 pre-existing errors across 6 files (none introduced by #31). Until they're cleared, theType check with mypy (advisory)step in.github/workflows/lint.ymlruns withcontinue-on-error: true.Errors cluster in:
tango/shapes/schema.py—FieldSchema.typenot valid as a typetango/shapes/parser.py—SchemaRegistry | Noneunion-attr (lazy-init not narrowed)tango/shapes/generator.py— unreachable statements,field_typemulti-type assignment,no-any-returntango/shapes/factory.py— unreachable statements,no-any-returntango/client.py:3062-3068—WebhookAlertconstructor arg types (str | Nonevsstr,statusliteral)tango/webhooks/cli.py:200— incompatible assignment on sample-payload unionDone when:
mypy tango/is clean and thecontinue-on-error: trueis removed from the mypy step.2. Configure
TANGO_API_REPO_ACCESS_TOKEN, then make conformance blockingThe
conformancejob checks out the privatemakegov/tangorepo for the canonicalfilter_shape_contract.json. Public CI has no token, so the job currently skips cleanly (gated onsecrets.TANGO_API_REPO_ACCESS_TOKEN != '') instead of failing red.Done when: a
TANGO_API_REPO_ACCESS_TOKENrepo secret (read access tomakegov/tango) is configured. The job then runs automatically and becomes a hard gate — no workflow change needed beyond verifying it passes. (The same pattern is intango-node'sci.ymland would benefit from the same secret.)Context
Both mitigations are documented inline in
.github/workflows/lint.ymland in the CHANGELOG CI note for the1.1.0cycle. This is intentionally split from #31 to keep the API-sync PR scoped — neither item is caused by or blocks that work.~ Mark