Add Contributor Covenant Code of Conduct #34
| name: CI (uv) | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| # Cancel redundant runs per-branch/PR | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Least-privilege for the jobs below | |
| permissions: | |
| contents: read | |
| jobs: | |
| test: | |
| name: Test / Lint / Typecheck (uv) | |
| runs-on: ubuntu-latest | |
| # Write perms only where needed | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - python-version: "3.11" | |
| experimental: false | |
| - python-version: "3.12" | |
| experimental: false | |
| - python-version: "3.13" | |
| experimental: false | |
| - python-version: "3.14" # treat 3.14 as experimental so CI doesn't block if it breaks | |
| experimental: true | |
| continue-on-error: ${{ matrix.experimental }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| enable-cache: true | |
| - name: Set up Python | |
| run: uv python install ${{ matrix.python-version }} | |
| # Ensure dev tools (ruff, mypy, pytest, bandit, safety, pytest-cov) are declared in pyproject dev deps. | |
| - name: Sync dependencies | |
| run: uv sync --all-extras --dev | |
| - name: Lint (ruff) | |
| run: uv run ruff check . | |
| - name: Typecheck (mypy) | |
| run: uv run mypy python_project_deployment | |
| - name: Tests (pytest) | |
| run: uv run pytest --cov --cov-report=xml --cov-report=html | |
| - name: Dangerous API scan (grep) | |
| continue-on-error: true | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| if grep -rn -E '\beval\(|\bexec\(|pickle\.loads|yaml\.load\(|subprocess\.(Popen|call)\(' python_project_deployment/ tests/ 2>/dev/null | grep -v 'yaml\.load_safe' || true; then | |
| echo "⚠️ Potentially dangerous API usage detected. Please review." >&2 | |
| exit 2 | |
| fi | |
| - name: Upload coverage.xml | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: coverage-${{ matrix.python-version }} | |
| path: coverage.xml | |
| - name: Upload coverage HTML | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: coverage-html-${{ matrix.python-version }} | |
| path: htmlcov | |
| security: | |
| name: Security Scan (Bandit) | |
| runs-on: ubuntu-latest | |
| needs: test | |
| permissions: | |
| contents: read | |
| env: | |
| SECURITY_FAIL_LEVEL: MEDIUM | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| enable-cache: true | |
| - name: Set up Python | |
| run: uv python install 3.11 | |
| - name: Sync dependencies | |
| run: uv sync --all-extras --dev | |
| - name: Run Bandit (JSON) | |
| run: | | |
| uv run bandit -r python_project_deployment/ -f json -o bandit-report.json || true | |
| uv run bandit -r python_project_deployment/ -f txt | |
| - name: Apply Bandit threshold | |
| run: uv run python scripts/security_bandit_check.py | |
| continue-on-error: true | |
| - name: Upload security reports | |
| if: always() | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: security-reports | |
| path: bandit-report.json | |
| docs: | |
| name: Build Documentation | |
| runs-on: ubuntu-latest | |
| needs: test | |
| permissions: | |
| contents: write # Needed for GitHub Pages deployment | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| enable-cache: true | |
| - name: Set up Python | |
| run: uv python install 3.11 | |
| - name: Sync dependencies (includes sphinx) | |
| run: uv sync --all-extras --dev | |
| - name: Build documentation | |
| run: uv run sphinx-build -b html docs docs/_build/html | |
| - name: Upload documentation artifacts | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: documentation | |
| path: docs/_build/html | |
| - name: Deploy to GitHub Pages | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| uses: peaceiris/actions-gh-pages@v4 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| publish_dir: ./docs/_build/html | |
| keep_files: false |
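Review bot: The guard on the `Dangerous API scan` step is always true, because `|| true` is part of the `if` condition itself (`if grep … | grep -v 'yaml\.load_safe' || true; then`), so the step prints the warning and exits 2 on every run regardless of what grep found, and `continue-on-error: true` then hides that it never actually gates anything. The `grep -v 'yaml\.load_safe'` filter is also misnamed — PyYAML's safe API is `yaml.safe_load`, which the `yaml\.load\(` pattern does not match anyway — so both can be dropped: `if grep -rn -E '\beval\(|\bexec\(|pickle\.loads|yaml\.load\(|subprocess\.(Popen|call)\(' python_project_deployment/ tests/ 2>/dev/null; then`. The same advisory-only pattern appears on the `Apply Bandit threshold` step, where `continue-on-error: true` means `SECURITY_FAIL_LEVEL: MEDIUM` never blocks the pipeline; if that is intended, a comment such as `# advisory only: does not fail the build` next to it would make the non-enforcement explicit. Separately, the third-party actions (`actions/checkout@v5`, `astral-sh/setup-uv@v7`, `peaceiris/actions-gh-pages@v4`) are pinned to mutable tags rather than full commit SHAs, which is the usual hardening for workflow supply chain.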