ci: require to test python package and docker build before publishing

Author: sdn4z

.github/actions/docker-build/action.yml

@@ -71,7 +71,7 @@ runs:
           type=semver,enable=true,pattern={{major}},prefix=v
           type=ref,event=pr,prefix=pr-,enable=true
           type=ref,event=branch,branch=main,pattern={{raw}}
-          type=ref,event=branch,branch=main,pattern={{major}},prefix=v
+          type=ref,event=branch,branch=main,pattern={{major}}
 
     - name: Build Docker image
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0

.github/workflows/build-test-docker.yml

@@ -1,44 +1,16 @@
 name: Build and Test Docker Image
 
 on:
-  pull_request:
-    branches: ["main"]
-  push:
-    branches: ["main"]
+  workflow_call:
+    inputs:
+      image-tag:
+        type: string
+        required: true
 
 jobs:
-  should-test-docker-build:
-    permissions:
-      contents: read
-      pull-requests: read
-    name: Check if should `test_docker_build` run
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out the repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Check if Dockerfile changed
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-        id: docker-changes
-        with:
-          filters: |
-            docker:
-              - 'Dockerfile'
-              - '.dockerignore'
-            workflow:
-              - ./.github/actions/docker-build/action.yml
-              - ./.github/workflows/build-test-docker.yml
-    outputs:
-      docker: ${{ steps.docker-changes.outputs.docker }}
-      workflow: ${{ steps.docker-changes.outputs.workflow }}
-
   test-docker-build:
-    needs: [should-test-docker-build]
     name: Test Docker build ${{ matrix.arch }}
     runs-on: ubuntu-latest
-    if: (needs.should-test-docker-build.outputs.workflow == 'true' || needs.should-test-docker-build.outputs.docker == 'true') || (github.ref_name == github.event.repository.default_branch)
     permissions:
       contents: read
       packages: read
@@ -78,4 +50,4 @@ jobs:
 
       - name: Test
         run: |
-          docker run --platform ${{ matrix.platform }} --rm ${{ matrix.image-name }}:pr-${{ github.event.pull_request.number }} --version
+          docker run --platform ${{ matrix.platform }} --rm ${{ matrix.image-name }}:${{ inputs.image-tag }} --version

.github/workflows/build-test-python.yml

@@ -5,16 +5,37 @@ name: Build and Test Python Package
 on:
   pull_request:
     branches: ["main"]
-  push:
-    branches: ["main"]
+  workflow_call:
 
 env:
   PYTHON_VERSION: "3.10"
 
 jobs:
+  build-package:
+    name: Build Package
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Build package
+        uses: ./.github/actions/python-package-build
+        id: build
+        with:
+          uv-version: "0.8.22"
+          python-version: "$PYTHON_VERSION"
+
+      - name: Upload package artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: python-package-${{ github.sha }}
+          path: dist/
+          retention-days: 1
+
   test-build-package-extras:
     name: Test package build ${{ matrix.name}}
     runs-on: ubuntu-latest
+    needs: build-package
     permissions:
       contents: read
     strategy:
@@ -32,35 +53,46 @@ jobs:
       - name: Check out the repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Build package
-        uses: ./.github/actions/python-package-build
-        id: build
+      - name: Download package artifact
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
-          uv-version: "0.8.22"
-          python-version: "$PYTHON_VERSION"
+          name: python-package-${{ github.sha }}
+          path: dist/
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        with:
+          version: "0.8.22"
       - name: Test package
         run: |
           uv venv --python $PYTHON_VERSION
-          uv pip install "${{ steps.build.outputs.wheel-file }}[${{ matrix.name }}]"
+          WHEEL_FILE=$(ls dist/*.whl)
+          uv pip install "$WHEEL_FILE[${{ matrix.name }}]"
           uv run ${{ matrix.test-args }}
 
-  test-build-package:
+  test-build-package-no-extras:
     name: Test package build no extras
     runs-on: ubuntu-latest
+    needs: build-package
     permissions:
       contents: read
     steps:
       - name: Check out the repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Build package
-        uses: ./.github/actions/python-package-build
-        id: build
+      - name: Download package artifact
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
-          uv-version: "0.8.22"
-          python-version: "$PYTHON_VERSION"
+          name: python-package-${{ github.sha }}
+          path: dist/
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        with:
+          version: "0.8.22"
+
       - name: Test package
         run: |
           uv venv --python $PYTHON_VERSION
-          uv pip install "${{ steps.build.outputs.wheel-file }}"
+          WHEEL_FILE=$(ls dist/*.whl)
+          uv pip install "$WHEEL_FILE"
           uv run python -c 'import twyn; twyn.check_dependencies()'

.github/workflows/lint.yml

@@ -17,7 +17,8 @@ jobs:
 
       - name: Install uv
         uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
-
+        with:
+          version: "0.8.22"
       - name: Install the project
         run: uv sync --locked --group dev --python 3.10
 

.github/workflows/publish.yml

@@ -5,24 +5,37 @@ on:
     tags:
       - "v*.*.*"
 
+env:
+  PYTHON_VERSION: "3.10"
+
 jobs:
+  build_and_test_package:
+    uses: ./.github/workflows/build-test-python.yml
+
+  build_and_test_docker:
+    uses: ./.github/workflows/build-test-docker.yml
+    with:
+      image-tag: latest
+
   publish_to_pypi:
     name: Publish to PyPI
     runs-on: ubuntu-latest
-
+    needs: [build_and_test_package, build_and_test_docker]
     permissions:
       id-token: write
-      contents: read
-
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Build package
-        uses: ./.github/actions/python-package-build
-        id: build
+      - name: Download package artifacts
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: python-package-${{ github.sha }}
+          path: dist
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
         with:
-          uv-version: "0.8.22"
-          python-version: "3.10"
+          version: "0.8.22"
 
       - name: Publish package
         run: |
@@ -31,6 +44,7 @@ jobs:
   publish_to_dockerhub:
     name: Push Docker images to registries
     runs-on: ubuntu-latest
+    needs: [build_and_test_docker, build_and_test_package]
     permissions:
       contents: read
       packages: write

.github/workflows/security.yml

@@ -39,6 +39,8 @@ jobs:
 
       - name: Install uv
         uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        with:
+          version: "0.8.22"
 
       - name: Install the project
         run: uv sync --locked --extra cli

.github/workflows/test.yml

@@ -21,6 +21,8 @@ jobs:
 
       - name: Install uv
         uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        with:
+          version: "0.8.22"
 
       - name: Install the dependencies
         run: uv sync --locked --group dev --all-extras --python ${{ matrix.python-version }}
@@ -36,6 +38,8 @@ jobs:
 
       - name: Install uv
         uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        with:
+          version: "0.8.22"
 
       - name: Install the dependencies
         run: uv sync --locked --group download --group dev --python 3.14

.github/workflows/trigger-test-docker-build.yml

@@ -0,0 +1,41 @@
+name: Build and Test Docker Image
+
+on:
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  should-test-docker-build:
+    permissions:
+      contents: read
+      pull-requests: read
+    name: Check if `test_docker_build` should run
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Check if Dockerfile or docker-build action have changed
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: docker-changes
+        with:
+          filters: |
+            docker:
+              - 'Dockerfile'
+              - '.dockerignore'
+            workflow:
+              - ./.github/actions/docker-build/action.yml
+              - ./.github/workflows/build-test-docker.yml
+    outputs:
+      docker: ${{ steps.docker-changes.outputs.docker }}
+      workflow: ${{ steps.docker-changes.outputs.workflow }}
+
+  trigger-test-docker-build:
+    needs: [should-test-docker-build]
+    name: Trigger test Docker build
+    if: (needs.should-test-docker-build.outputs.workflow == 'true' || needs.should-test-docker-build.outputs.docker == 'true')
+    uses: ./.github/workflows/build-test-docker.yml
+    with:
+      image-tag: "pr-${{ github.event.pull_request.number }}"

.github/workflows/weekly_download.yml

@@ -27,6 +27,8 @@ jobs:
           ref: ${{ github.head_ref }}
       - name: Install uv
         uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        with:
+          version: "0.8.22"
 
       - name: Install the project
         run: uv sync --locked --only-group download --python 3.14