ci: adopt release-please for versioning and PyPI publishing (#684) #559
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ["v*"] | |
| pull_request: | |
| branches: [main, dev] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| verify: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: "3.12" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8 | |
| - name: Resolve policy base revision | |
| id: base | |
| run: | | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| echo "base_rev=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "base_rev=${{ github.event.before }}" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Resolve requirement UID from branch | |
| id: requirement | |
| env: | |
| BRANCH: ${{ github.head_ref || github.ref_name }} | |
| run: | | |
| REQ_UID="$(printf '%s\n' "$BRANCH" | grep -oE '[A-Z]{3}-[0-9]{3}' | head -n1 || true)" | |
| echo "Resolved branch='$BRANCH' uid='$REQ_UID'" | |
| echo "uid=$REQ_UID" >> "$GITHUB_OUTPUT" | |
| - name: Run canonical verification graph | |
| env: | |
| ACES_REQUIREMENT_UID: ${{ steps.requirement.outputs.uid }} | |
| GC_BASE_URL: ${{ vars.GC_BASE_URL }} | |
| run: | | |
| verify_args=(--base-rev "${{ steps.base.outputs.base_rev }}") | |
| if [ -n "${{ steps.requirement.outputs.uid }}" ]; then | |
| verify_args+=(--requirement-uid "${{ steps.requirement.outputs.uid }}") | |
| else | |
| verify_args+=(--skip-requirement) | |
| fi | |
| uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s verify -- "${verify_args[@]}" | |
| - name: Upload coverage report | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: coverage-report | |
| path: implementations/python/coverage.xml | |
| fuzz: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: "3.12" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8 | |
| - name: Run fuzz session | |
| run: uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s fuzz | |
| # Opt-in, non-blocking, runtime-gated container integration tests (RUN-314). | |
| # Kept out of the hermetic `verify` graph; the `docker` marker tests self-skip | |
| # when no runtime is present, and this whole job never fails the build. | |
| integration-docker: | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: "3.12" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8 | |
| - name: Probe for a container runtime | |
| id: runtime | |
| run: | | |
| if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then | |
| echo "available=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "available=false" >> "$GITHUB_OUTPUT" | |
| echo "No container runtime available; skipping docker integration session." | |
| fi | |
| - name: Run docker integration session | |
| if: steps.runtime.outputs.available == 'true' | |
| run: uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s integration_docker | |
| # Advisory OSV-scanner sweep over the Python dependency lockfile (issue #34). | |
| # Non-gating: CVE findings surface as an uploaded JSON artifact and never fail | |
| # the build. The `osv_scan` nox session is kept out of the hermetic `verify` | |
| # graph; genuine scanner/setup failures still fail this job's step (visible as | |
| # a soft failure) so the advisory posture never hides a broken scan. | |
| supply-chain: | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 | |
| with: | |
| python-version: "3.12" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8 | |
| - name: Run OSV-scanner (advisory) | |
| run: uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s osv_scan | |
| - name: Upload OSV-scanner report | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: osv-scanner-report | |
| path: implementations/python/osv-scanner-report.json | |
| if-no-files-found: warn | |
| sonar: | |
| runs-on: ubuntu-latest | |
| needs: [verify] | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 | |
| with: | |
| name: coverage-report | |
| path: implementations/python/ | |
| - name: SonarCloud Scan | |
| uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7 | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |