Skip to content

ci: adopt release-please for versioning and PyPI publishing (#684) #559

ci: adopt release-please for versioning and PyPI publishing (#684)

ci: adopt release-please for versioning and PyPI publishing (#684) #559

Workflow file for this run

name: CI
on:
push:
branches: [main]
tags: ["v*"]
pull_request:
branches: [main, dev]
workflow_dispatch:
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
permissions:
contents: read
pull-requests: write
jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
- name: Resolve policy base revision
id: base
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
echo "base_rev=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
else
echo "base_rev=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
fi
- name: Resolve requirement UID from branch
id: requirement
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
run: |
REQ_UID="$(printf '%s\n' "$BRANCH" | grep -oE '[A-Z]{3}-[0-9]{3}' | head -n1 || true)"
echo "Resolved branch='$BRANCH' uid='$REQ_UID'"
echo "uid=$REQ_UID" >> "$GITHUB_OUTPUT"
- name: Run canonical verification graph
env:
ACES_REQUIREMENT_UID: ${{ steps.requirement.outputs.uid }}
GC_BASE_URL: ${{ vars.GC_BASE_URL }}
run: |
verify_args=(--base-rev "${{ steps.base.outputs.base_rev }}")
if [ -n "${{ steps.requirement.outputs.uid }}" ]; then
verify_args+=(--requirement-uid "${{ steps.requirement.outputs.uid }}")
else
verify_args+=(--skip-requirement)
fi
uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s verify -- "${verify_args[@]}"
- name: Upload coverage report
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: coverage-report
path: implementations/python/coverage.xml
fuzz:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
- name: Run fuzz session
run: uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s fuzz
# Opt-in, non-blocking, runtime-gated container integration tests (RUN-314).
# Kept out of the hermetic `verify` graph; the `docker` marker tests self-skip
# when no runtime is present, and this whole job never fails the build.
integration-docker:
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
- name: Probe for a container runtime
id: runtime
run: |
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
echo "available=true" >> "$GITHUB_OUTPUT"
else
echo "available=false" >> "$GITHUB_OUTPUT"
echo "No container runtime available; skipping docker integration session."
fi
- name: Run docker integration session
if: steps.runtime.outputs.available == 'true'
run: uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s integration_docker
# Advisory OSV-scanner sweep over the Python dependency lockfile (issue #34).
# Non-gating: CVE findings surface as an uploaded JSON artifact and never fail
# the build. The `osv_scan` nox session is kept out of the hermetic `verify`
# graph; genuine scanner/setup failures still fail this job's step (visible as
# a soft failure) so the advisory posture never hides a broken scan.
supply-chain:
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
- name: Run OSV-scanner (advisory)
run: uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s osv_scan
- name: Upload OSV-scanner report
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: osv-scanner-report
path: implementations/python/osv-scanner-report.json
if-no-files-found: warn
sonar:
runs-on: ubuntu-latest
needs: [verify]
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: coverage-report
path: implementations/python/
- name: SonarCloud Scan
uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}