harness-python-react/.github/workflows/ci.yml at 4252de922447dc3b8ea9fc7e2cf30f1a2b522217 · constk/harness-python-react · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: CI

# Action SHAs are pinned, not floating tags. To bump:
#   gh api repos/<owner>/<repo>/commits/<tag> --jq .sha
# (use /commits/<tag>, NOT /git/refs/tags/<tag> — annotated tags would
# return the tag-object SHA, which Actions can't resolve.)
# Update the comment on the right with the new tag for traceability.

on:
  push:
    branches: [develop, main]
  pull_request:
    branches: [develop, main]

jobs:
  lint:
    name: Lint & Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run ruff check .
      - run: uv run ruff format --check .

  typecheck:
    name: Type Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run mypy --strict src/ tests/

  test-unit:
    name: Unit tests
    runs-on: ubuntu-latest
    # Pure in-process tests — completes fast so PR authors get quick feedback.
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run pytest tests/ -v -m "not integration" -o "addopts="

  coverage:
    name: Coverage
    runs-on: ubuntu-latest
    # Runs the suite with coverage. Until ticket #17 lands real source under
    # src/, the template has no measurable coverage; pyproject.toml's
    # [tool.coverage.report].fail_under stays at 75 (the eventual target),
    # while CI uses --cov-fail-under=0 so the empty scaffold doesn't fail.
    # When #17 + #18 ship real source + tests, drop the override here.
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run pytest tests/ --cov=src --cov-report=term-missing --cov-fail-under=0

  architecture:
    name: Architecture (import-linter)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run lint-imports

  pre-commit:
    name: Pre-commit
    runs-on: ubuntu-latest
    # Runs every hook against all files — ensures a developer who forgot
    # `uv run pre-commit install` can't leak unformatted code or a stray
    # secret past the first defence layer.
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run pre-commit run --all-files --show-diff-on-failure

  branch-protection-sync:
    name: Branch-protection contexts sync
    runs-on: ubuntu-latest
    # Guards against the "new CI job silently not required" drift. Fails when
    # .github/branch-protection/*.json contexts arrays disagree with the
    # actual workflow jobs on disk.
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run python .github/scripts/check_required_contexts.py

  commit-type-sync:
    name: Commit-type sync
    runs-on: ubuntu-latest
    # Guards against [tool.commitizen].customize.schema_pattern in pyproject
    # drifting from the `types` list in .github/workflows/pr-title.yml.
    # Adding a type in one but not the other would mean commits pass locally
    # while PR titles fail in CI (or vice versa).
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run python .github/scripts/check_commit_types.py

  # Frontend jobs (Frontend Build, Frontend Quality) are added by ticket #21
  # when frontend/package.json lands.