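name: CI
# Security notes for reviewers of this workflow:
# - matrix.* and github.ref/github.workflow are trusted, non-attacker-controlled;
#   no github.event.{issue,pull_request,comment,review}.* value reaches a
#   run: step, so there is no expression-injection surface in the shell steps.
# - Every third-party action is pinned to a full commit SHA (repo policy:
#   sha_pinning_required). The trailing "# vX.Y.Z" is informational only;
#   bump the SHA and the tag comment together.
# - The job token is `contents: read` and is not persisted into the checkout
#   (persist-credentials: false), so packages installed later in the job and
#   the code under test cannot read it from .git/config.
# - All PyPI traffic (uv, pip and pipx) is routed through Takumi Guard; the
#   routing step must run before the first install in each job.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# One live run per workflow+ref: a newer push to the same ref cancels the
# older run. On main this also cancels the run for the previous commit, which
# is the intended trade-off (only the newest commit's result matters).
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege: nothing in this workflow pushes, tags, publishes or
# comments, so read-only repository contents is all any job needs.
permissions:
  contents: read

jobs:
  test:
    name: test (py${{ matrix.python-version }} / ${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
        python-version: ["3.11", "3.12", "3.13", "3.14"]
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # No later step needs an authenticated git (the docs check below is a
          # local `git diff`), so don't leave GITHUB_TOKEN in .git/config.
          persist-credentials: false
      - name: Install uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          # Pin uv so CI resolves uv.lock identically to local -- required for
          # the `uv sync --locked` guard to be reliable (lock revision is
          # uv-version-tied).
          version: "0.11.17"
          enable-cache: true
          python-version: ${{ matrix.python-version }}
      # Route PyPI installs through Takumi Guard (blocks known-malicious
      # packages before they execute; sets UV_INDEX_URL/PIP_INDEX_URL to the
      # screened registry for this job). Blocking-only mode, no account needed.
      # Must precede any uv/pip install. setup-uv above fetches uv and the
      # interpreter from GitHub releases, not PyPI, so it is not affected.
      - name: Route installs through Takumi Guard
        uses: flatt-security/setup-takumi-guard-pypi@733047c120b6377fa05fb77f714df8d8cd3a41a9 # v1.0.1
      # --locked fails if uv.lock drifts from pyproject.toml (e.g. a version
      # bump that forgot to sync the lock), catching it before a release tag.
      - name: Install (locked; dev + cli + teds extras)
        run: uv sync --locked --extra dev --extra cli --extra teds
      - name: Lint (ruff check + format)
        run: |
          uv run ruff check src/ tests/
          uv run ruff format --check src/ tests/
      - name: Type check (pyright strict)
        run: uv run pyright src/ tests/
      - name: Unit tests (pytest)
        run: uv run pytest tests/ -v
      # Regenerate the codec-derived docs and fail if they drift from what is
      # committed (the `just docs-check` gate, run once on a single matrix leg).
      # `git diff --quiet` exits non-zero on any difference in the two tracked
      # files; a brand-new untracked doc would not be caught here.
      - name: Docs up to date (generated tables)
        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.13'
        run: |
          uv run python scripts/gen_format_support.py
          uv run python scripts/gen_loss_matrix.py
          git diff --quiet docs/format_support.md docs/loss_matrix.md \
            || { echo "docs/{format_support,loss_matrix}.md is stale; run 'just docs'"; exit 1; }

  semgrep:
    name: semgrep (rules + core scan)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # semgrep only reads the working tree; no authenticated git needed.
          persist-credentials: false
      # Same screened-registry routing as the test job. pipx installs with pip
      # underneath, which reads PIP_INDEX_URL, so semgrep's wheel and its
      # dependencies are screened too -- confirm in the job log that the
      # resolved index is the Takumi one. Must precede the pipx install.
      - name: Route installs through Takumi Guard
        uses: flatt-security/setup-takumi-guard-pypi@733047c120b6377fa05fb77f714df8d8cd3a41a9 # v1.0.1
      # NOTE(review): this resolves to whatever semgrep is newest on PyPI at
      # run time, so rule-test results can change without a commit. Pin it
      # (`pipx install semgrep==<ver>`) once a version is agreed, matching
      # the pinning discipline used for uv and the actions above.
      - name: Install semgrep
        run: pipx install semgrep
      - name: Test semgrep rules (rule correctness, not real code)
        run: semgrep test .semgrep/rules/
      - name: Scan source with semgrep meta-rules
        run: semgrep --config .semgrep/rules/ --error src/

  pip-install-check:
    name: pip install -e .
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          # Pure install-and-import check; nothing here talks to git remotes.
          persist-credentials: false
      - name: Set up Python 3.11
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"
      # Even a "no extras" install reaches PyPI (the pip self-upgrade, and the
      # build backend that pip fetches under build isolation for `-e .`), so
      # route this job through the screened registry as well.
      - name: Route installs through Takumi Guard
        uses: flatt-security/setup-takumi-guard-pypi@733047c120b6377fa05fb77f714df8d8cd3a41a9 # v1.0.1
      - name: Install (no extras) — verifies core stays stdlib-only at import time
        run: |
          python -m venv .venv-check
          .venv-check/bin/python -m pip install --upgrade pip
          # --no-deps is what makes this a real check: without it pip would
          # quietly install any runtime dependency someone adds to
          # [project.dependencies] and the import below would still succeed.
          .venv-check/bin/python -m pip install --no-deps -e .
          .venv-check/bin/python -c "import tablecodec; print(tablecodec.__version__)"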