chore: migrate CI to uv; drop gitleaks-action; test on PR only

larsrollik · larsrollik · commit b81c2993bef4 · 2026-05-27T14:59:01.000+01:00
Switch all three workflows from pip+setup-python to uv+setup-uv.
  Remove secrets-scan job (gitleaks runs via pre-commit in lint job;
  gitleaks-action@v2 requires a paid org license). Test job now runs on
  pull_request only with fail-fast: false. docs.yml adds workflow_dispatch
  and src/**/*.py path trigger.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,52 +19,44 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-python@v5
+
+      - uses: astral-sh/setup-uv@v5
         with:
           python-version: "3.12"
+
       - name: Install dependencies
-        run: pip install .[dev]
-      - name: Run pre-commit
-        run: pre-commit run --all-files --show-diff-on-failure
+        run: uv sync --extra dev
+
+      - name: Run pre-commit (ruff + mypy + commitizen + gitleaks)
+        run: uv run pre-commit run --all-files --show-diff-on-failure
 
   test:
-    name: Test
+    name: Test (Python ${{ matrix.python-version }})
     runs-on: ubuntu-latest
-    if: "!startsWith(github.event.head_commit.message, 'bump:')"
+    if: github.event_name == 'pull_request'
     strategy:
+      fail-fast: false
       matrix:
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-python@v5
+
+      - uses: astral-sh/setup-uv@v5
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install
-        run: pip install .[dev]
-      - name: Run tests
-        run: pytest --tb=short
 
-  secrets-scan:
-    name: Secrets scan
-    runs-on: ubuntu-latest
-    if: "!startsWith(github.event.head_commit.message, 'bump:')"
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: gitleaks/gitleaks-action@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install dependencies
+        run: uv sync --extra dev
+
+      - name: Run tests
+        run: uv run pytest --tb=short
 
   ci:
     name: CI
     runs-on: ubuntu-latest
-    needs: [lint, test, secrets-scan]
+    needs: [lint, test]
     if: always()
     steps:
       - name: Check required jobs
@@ -75,7 +67,4 @@ jobs:
           if [[ "${{ needs.test.result }}" != "success" && "${{ needs.test.result }}" != "skipped" ]]; then
             echo "test failed" && exit 1
           fi
-          if [[ "${{ needs.secrets-scan.result }}" != "success" && "${{ needs.secrets-scan.result }}" != "skipped" ]]; then
-            echo "secrets-scan failed" && exit 1
-          fi
           echo "All required checks passed."
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -6,6 +6,7 @@ on:
     paths:
       - "docs/**"
       - "mkdocs.yml"
+      - "src/**/*.py"
       - ".github/workflows/docs.yml"
   workflow_dispatch:
 
@@ -14,17 +15,19 @@ permissions:
 
 jobs:
   deploy:
-    name: Deploy docs
+    name: Deploy docs to GitHub Pages
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-python@v5
+
+      - uses: astral-sh/setup-uv@v5
         with:
           python-version: "3.12"
-      - name: Install docs dependencies
-        run: pip install mkdocs-material
+
+      - name: Install dependencies
+        run: uv sync --extra docs
+
       - name: Deploy
-        run: mkdocs gh-deploy --force
+        run: uv run mkdocs gh-deploy --force
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,24 +18,20 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Configure git identity
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
-      - uses: actions/setup-python@v5
+      - uses: astral-sh/setup-uv@v5
         with:
           python-version: "3.12"
 
-      - name: Install tools
-        run: pip install commitizen hatchling hatch-vcs
-
       - name: Bump version
         id: bump
         run: |
-          cz bump --yes || EXIT=$?
+          uvx --from commitizen cz bump --yes || EXIT=$?
           if [ "${EXIT:-0}" -eq 21 ]; then
             echo "No bumpable commits since last tag — skipping."
             echo "skipped=true" >> "$GITHUB_OUTPUT"
@@ -49,16 +45,16 @@ jobs:
 
       - name: Build
         if: steps.bump.outputs.skipped != 'true'
-        run: python -m hatchling build
+        run: uv build
 
       - name: Create GitHub release
         if: steps.bump.outputs.skipped != 'true'
         uses: softprops/action-gh-release@v2
         with:
           tag_name: "v${{ steps.bump.outputs.version }}"
           files: dist/*
-          generate_release_notes: true
+          generate_release_notes: false
 
       - name: Publish to PyPI
         if: steps.bump.outputs.skipped != 'true'
-        uses: pypa/gh-action-pypi-publish@release/v1
+        run: uv publish --trusted-publishing automatic
