-
Notifications
You must be signed in to change notification settings - Fork 0
139 lines (119 loc) · 6.01 KB
/
ci-python-zensical.yml
File metadata and controls
139 lines (119 loc) · 6.01 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
# ============================================================
# .github/workflows/ci-python-zensical.yml (Continuous Integration)
# ============================================================
# Updated: 2026-04-27 REPO SPECIFIC Execution section
#
# WHY-FILE: Validate repository hygiene, Python correctness, and documentation builds.
# REQ: CI MUST NOT introduce arbitrary rules that are not reproducible locally.
# OBS: CI validates only; it does not edit files or deploy docs.
# OBS: yamllint config lives at .github/yamllint.yml (not repo root).
#
# === COVERAGE ===
#
# COVERED BY PRE-COMMIT - not repeated as explicit steps:
# - ruff-check (lint with autofix)
# - ruff-format (formatting)
# - trailing whitespace, line endings, JSON/TOML/YAML syntax, large files
#
# WHY SEPARATE: These tools are slower, require the full environment,
# or produce output worth seeing in CI logs independently.
name: CI (Python + Zensical)
on:
push:
branches: [main] # WHY: Validate every push to main.
pull_request:
branches: [main] # WHY: Validate PRs before merge.
workflow_dispatch: # WHY: Allow manual trigger from Actions tab.
permissions:
contents: read # WHY: Least privilege; CI only reads, never writes.
env:
PYTHONUNBUFFERED: "1" # WHY: Real-time log output in CI.
PYTHONIOENCODING: "utf-8" # WHY: Consistent encoding across platforms.
PYTHON_VERSION: "3.15"
UV_PYTHON: "3.15"
jobs:
ci:
name: Repository / Python checks and Zensical build
runs-on: ubuntu-latest # WHY: Linux matches most production deployments.
timeout-minutes: 30 # WHY: Fail fast if a step hangs unexpectedly.
steps:
# ============================================================
# A) ASSEMBLE: Checkout code and set up environment
# ============================================================
- name: A1) Checkout repository code
uses: actions/checkout@v6
# WHY: Required so all subsequent steps can access repo files.
- name: A2) Install uv (with caching)
uses: astral-sh/setup-uv@v7
with:
enable-cache: true
# WHY: Cache the uv tool itself for faster subsequent runs.
cache-dependency-glob: "uv.lock"
# WHY: Invalidate cache only when locked dependencies change.
- name: A3) Install Python ${{ env.PYTHON_VERSION }}
run: uv python install ${{ env.PYTHON_VERSION }}
# WHY: Ensures the pinned Python version is available in CI.
# OBS: Does not modify the repo; uv manages the interpreter locally.
- name: A4) Install all dependencies
run: uv sync --extra dev --extra docs --upgrade
# WHY: Install dev and docs extras so all check and build tools are available.
# OBS: --upgrade ensures CI catches dependency drift early.
- name: A5) Show tool versions
run: |
uv --version
uv run python --version
uv run python -m ruff --version
uv run python -m pyright --version
if [ -f "zensical.toml" ]; then
uv run python -m zensical --version
fi
# WHY: Version output makes CI logs easier to debug when tools change.
- name: A5b) Show ruff issues
run: uv run ruff check . --output-format=github
continue-on-error: true
- name: A6) Run pre-commit on all files
run: uv tool run pre-commit run --all-files
# WHY: Enforces formatting, linting, and file hygiene in one step.
# OBS: Covers ruff-check, ruff-format, whitespace, line endings,
# and JSON/TOML/YAML syntax checks defined in .pre-commit-config.yaml.
# OBS: Pre-commit hook order (lint then format) differs from manual
# command order (format then lint). See .pre-commit-config.yaml.
# ============================================================
# B) BASELINE CHECKS: Tools not covered by pre-commit
# ============================================================
- name: B1) Run Pyright type checker
run: uv run python -m pyright
# WHY: Catches type errors that ruff does not check.
# OBS: Pyright reads settings from pyproject.toml [tool.pyright].
# OBS: Not included in pre-commit because it requires the full venv.
# ============================================================
# C) COVERAGE & TESTING: Python tests (pytest)
# ============================================================
- name: C1) Run pytest
run: uv run python -m pytest
# WHY: Confirms all Python tests pass in a clean CI environment.
# OBS: pytest config lives in pyproject.toml [tool.pytest.ini_options].
# OBS: Not included in pre-commit because tests can be slow.
# ============================================================
# D) Docs build (no deployment)
# ============================================================
- name: D1) Build documentation with Zensical
run: |
if [ -f "zensical.toml" ]; then
uv run python -m zensical build
else
echo "No zensical.toml found; skipping docs build."
fi
# WHY: Confirms docs build cleanly without errors or broken references.
# OBS: Build only; deployment is handled by a separate workflow if needed.
# OBS: Conditional on zensical.toml so this workflow is reusable across
# repos that may not yet have docs configured.
# ============================================================
# E) EXECUTION: Module entrypoints and validation
# ============================================================
- name: E1) Validate SE Constitution
run: uv run python -m se_constitution validate
# WHY: Ensures all constitutional registries remain internally consistent.
# WHY: Catches missing class definitions, dependency rules, naming patterns,
# manifest schema entries, and repo requirement coverage.
# OBS: This is the authoritative integrity check for the SE ecosystem.