ci: per-commit fast-check gate (catch broken intermediate commits under rebase-merge)

[vringar]

Motivation

OpenWPM uses rebase-and-merge, so every commit in a PR lands on master
individually. But CI only tests the PR tip (and the merge-queue candidate
tip). That means a commit which is broken in isolation — e.g. it introduces a
syntax error, an undefined name, a bad import, or a type/lint regression that a
later commit in the same PR happens to fix — can still ship to master as an
individual broken commit. Anyone who later bisects, checks out, or builds from
that commit hits the breakage.

This adds a lightweight gate, per-commit-checks.yaml, that runs the fast
static checks on every commit in the PR / merge-queue range, so an
intermediate commit that's broken on its own can't slip through. It's the cheap
80/20: it reuses the existing ./.github/actions/setup composite action (conda
env + built extension) and finishes quickly because it skips the expensive part.

What it catches (per commit)

• Syntax errors / undefined names / bad imports — python -c "import openwpm"
  plus pytest --collect-only exercise import of the package and the whole test
  tree (this also covers cross-file breaks that mypy's changed-files-only view
  can miss, e.g. a symbol deleted in one module but still referenced by an
  untouched one).
• Type errors & lint — pre-commit run --from-ref <c~1> --to-ref <c> runs
  black / isort / mypy / actionlint on the files that commit changed. mypy is
  the load-bearing check here: it flags [name-defined] (undefined name) and
  type errors in changed files.
• Extension TypeScript build — npm run build runs only when the commit
  touched Extension/, catching broken extension sources.

What it intentionally does NOT do

• It does not run the browser/Selenium test suite. Runtime and
  browser-behavior regressions stay covered by the existing tests job on the
  PR tip + the merge queue, plus author discipline. Running the full suite on
  every commit would be far too expensive for the marginal value.

Notes

• This job only gates merges once it's added as a required status check
  in branch protection. Until then it runs informationally.
• Opened as a draft for design review — feedback welcome on scope (which
  checks belong in the per-commit tier) and on the merge-queue handling.
• The workflow self-tests by running on its own PR (pull_request trigger).
  The merge_group trigger only fires inside a real merge queue, so that path
  can't be exercised from the PR itself; the field names
  (merge_group.base_sha / merge_group.head_sha) were validated against the
  published webhook payload schema.

How the commit range is computed

• pull_request: base = pull_request.base.sha, head = pull_request.head.sha
  — the PR's own commits (not the synthetic merge commit). fetch-depth: 0 plus
  explicit-SHA git checkout in the loop makes this independent of which ref
  actions/checkout materialized.
• merge_group: base = merge_group.base_sha (the group's parent commit),
  head = merge_group.head_sha (the group tip) — exactly the candidate commits.

The loop uses set -uo pipefail (not set -e) and || { ...; fail=1; } so it
visits every commit and reports all failing ones, then fails the job.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.12%. Comparing base (315e667) to head (c4533be).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1190      +/-   ##
==========================================
- Coverage   62.14%   62.12%   -0.03%     
==========================================
  Files          40       40              
  Lines        3918     3918              
==========================================
- Hits         2435     2434       -1     
- Misses       1483     1484       +1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds a new GitHub Actions workflow to gate rebase-and-merge PRs by running a fast static-check suite on every individual commit in the PR (and in merge-queue merge_group candidates), preventing “broken intermediate commits” from landing on master.

Changes:

• Introduces per-commit-checks.yaml, triggered on pull_request and merge_group.
• Computes a commit range and iterates commit-by-commit, running pre-commit (changed-files), conditional Extension build, import openwpm, and pytest --collect-only.
• Aggregates failures across commits (doesn’t stop at first failure) and fails the job at the end if any commit failed.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.