harness-python-react/.github/workflows/ci.yml at 8116629fdfdcf1d36fb78b9394512de06fa26d1c · constk/harness-python-react · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
name: CI

# Action SHAs are pinned, not floating tags. To bump:
#   gh api repos/<owner>/<repo>/commits/<tag> --jq .sha
# (use /commits/<tag>, NOT /git/refs/tags/<tag> — annotated tags would
# return the tag-object SHA, which Actions can't resolve.)
# Update the comment on the right with the new tag for traceability.

on:
  push:
    branches: [develop, main]
  pull_request:
    branches: [develop, main]

jobs:
  lint:
    name: Lint & Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run ruff check .
      - run: uv run ruff format --check .

  typecheck:
    name: Type Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run mypy --strict src/ tests/

  test-unit:
    name: Unit tests
    runs-on: ubuntu-latest
    # Pure in-process tests — completes fast so PR authors get quick feedback.
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run pytest tests/ -v -m "not integration" -o "addopts="

  coverage:
    name: Coverage
    runs-on: ubuntu-latest
    # Enforces [tool.coverage.report].fail_under from pyproject.toml (75%).
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run pytest tests/ --cov=src --cov-report=term-missing

  architecture:
    name: Architecture (import-linter)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run lint-imports

  pre-commit:
    name: Pre-commit
    runs-on: ubuntu-latest
    # Runs every hook against all files — ensures a developer who forgot
    # `uv run pre-commit install` can't leak unformatted code or a stray
    # secret past the first defence layer.
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run pre-commit run --all-files --show-diff-on-failure

  branch-protection-sync:
    name: Branch-protection contexts sync
    runs-on: ubuntu-latest
    # Guards against the "new CI job silently not required" drift. Fails when
    # .github/branch-protection/*.json contexts arrays disagree with the
    # actual workflow jobs on disk.
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run python .github/scripts/check_required_contexts.py

  commit-type-sync:
    name: Commit-type sync
    runs-on: ubuntu-latest
    # Guards against [tool.commitizen].customize.schema_pattern in pyproject
    # drifting from the `types` list in .github/workflows/pr-title.yml.
    # Adding a type in one but not the other would mean commits pass locally
    # while PR titles fail in CI (or vice versa).
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # v8
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.14"
      - run: uv sync --frozen --extra dev
      - run: uv run python .github/scripts/check_commit_types.py

  # Frontend jobs (Frontend Build, Frontend Quality) are added by ticket #21
  # when frontend/package.json lands.