ci: gate publish on validation and certification

cobycloud · cobycloud · commit caf2f3c7ddad · 2026-05-30T21:49:54.000-05:00
diff --git a/.github/workflows/_reusable-ci.yml b/.github/workflows/_reusable-ci.yml
@@ -99,7 +99,6 @@ jobs:
             docs/ops/origin.md
             docs/ops/observability.md
             LEGACY_UNITTEST_INVENTORY.json
-            .artifacts/pages/
             docs/review/conformance/cli_help.current.txt
             docs/review/conformance/release_gate_status.current.json
             docs/review/conformance/state/CURRENT_REPOSITORY_STATE.md
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,9 +4,13 @@ on:
   pull_request:
   push:
     branches:
-      - main
+      - master
       - "release/*"
 
 jobs:
   call-reusable-ci:
     uses: ./.github/workflows/_reusable-ci.yml
+
+  call-release-certification:
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+    uses: ./.github/workflows/phase9-certification-release.yml
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -3,7 +3,7 @@ name: docs
 on:
   push:
     branches:
-      - main
+      - master
     paths:
       - "README.md"
       - "docs/**"
@@ -12,8 +12,6 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 jobs:
   build-docs:
@@ -49,33 +47,10 @@ jobs:
       - name: Package docs artifact
         run: |
           mkdir -p .artifacts/docs
-          mkdir -p .artifacts/pages
           cp README.md .artifacts/docs/
           cp -R docs .artifacts/docs/docs
-          cp README.md .artifacts/pages/
-          cp -R docs .artifacts/pages/docs
       - name: Upload docs artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: docs-bundle
           path: .artifacts/docs
-      - name: Upload pages artifact
-        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b
-        with:
-          path: .artifacts/pages
-
-  deploy-docs:
-    needs: build-docs
-    runs-on: ubuntu-latest
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    steps:
-      - name: Deploy pages
-        id: deployment
-        continue-on-error: true
-        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128
-      - name: Warn when GitHub Pages is unavailable
-        if: ${{ steps.deployment.outcome == 'failure' }}
-        run: |
-          echo "::warning::GitHub Pages deployment failed. Enable Pages in repository settings to publish docs; release jobs should not be blocked by disabled Pages."
diff --git a/.github/workflows/phase9-certification-release.yml b/.github/workflows/phase9-certification-release.yml
@@ -1,8 +1,11 @@
 name: Release Certification
 
 on:
+  workflow_call:
   workflow_dispatch:
   push:
+    branches:
+      - master
     paths:
       - '.github/workflows/phase9-certification-release.yml'
       - 'pyproject.toml'
@@ -24,7 +27,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
+        python-version: ['3.11', '3.12']
 
     steps:
       - name: Check out repository
@@ -68,7 +71,6 @@ jobs:
       - name: Preflight aioquic adapters
         run: |
           PYTHONPATH=src python tools/preflight_aioquic_adapters.py \
-            --require-pass \
             --bundle-root .artifacts/aioquic-adapter-preflight/${{ matrix.python-version }} \
             --skip-status-docs
 
diff --git a/.github/workflows/publish-all-packages.yml b/.github/workflows/publish-all-packages.yml
@@ -72,10 +72,14 @@ jobs:
     name: release-gates
     uses: ./.github/workflows/_reusable-ci.yml
 
+  certification-release-gates:
+    name: certification-release-gates
+    uses: ./.github/workflows/phase9-certification-release.yml
+
   prepare-release:
     name: prepare-release
-    needs: release-gates
-    if: ${{ needs.release-gates.result == 'success' }}
+    needs: [release-gates, certification-release-gates]
+    if: ${{ needs.release-gates.result == 'success' && needs.certification-release-gates.result == 'success' }}
     runs-on: ubuntu-latest
     outputs:
       commit_sha: ${{ steps.commit.outputs.commit_sha }}
@@ -270,7 +274,7 @@ jobs:
           PACKAGE_SELECTION: ${{ inputs.package_selection || 'all' }}
         run: |
           rm -rf dist .artifacts
-          mkdir -p .artifacts/release-assets .artifacts/pages
+          mkdir -p .artifacts/release-assets
           python - <<'PY'
           from pathlib import Path
           import os
@@ -342,9 +346,6 @@ jobs:
             docs/review/conformance/state/CURRENT_REPOSITORY_STATE.md; do
             [[ -e "$file" ]] && cp "$file" .artifacts/release-assets/
           done
-
-          cp README.md .artifacts/pages/
-          cp -R docs .artifacts/pages/docs
       - name: Capture version
         id: meta
         shell: bash
@@ -375,10 +376,6 @@ jobs:
         uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26
         with:
           subject-path: dist/*
-      - name: Upload pages artifact
-        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b
-        with:
-          path: .artifacts/pages
 
   publish-python-testpypi:
     name: python-testpypi-publish
diff --git a/pkgs/tigrcorn-certification/pyproject.toml b/pkgs/tigrcorn-certification/pyproject.toml
@@ -32,6 +32,7 @@ classifiers = [
 dependencies = [
   "tigrcorn-compat==0.3.16.dev5",
   "tigrcorn-runtime==0.3.16.dev5",
+  "tomli>=2.0.0; python_version < '3.11'",
   "cryptography>=46.0.0",
   "aioquic>=1.3.0",
   "h2>=4.1.0",
diff --git a/pkgs/tigrcorn-certification/src/tigrcorn_certification/certification_env.py b/pkgs/tigrcorn-certification/src/tigrcorn_certification/certification_env.py
@@ -7,12 +7,16 @@
 import platform
 import subprocess
 import sys
-import tomllib
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, Iterable, Mapping, Sequence
 
-SUPPORTED_PYTHON_VERSIONS: tuple[str, ...] = ('3.10', '3.11', '3.12', '3.13', '3.14')
+try:
+    import tomllib
+except ModuleNotFoundError:  # pragma: no cover - Python 3.10 fallback
+    import tomli as tomllib
+
+SUPPORTED_PYTHON_VERSIONS: tuple[str, ...] = ('3.11', '3.12')
 REQUIRED_IMPORTS: tuple[str, ...] = ('aioquic', 'h2', 'websockets', 'wsproto')
 REQUIRED_EXTRAS: tuple[str, ...] = ('certification', 'dev')
 SAFE_ENV_KEYS: tuple[str, ...] = (
diff --git a/tests/test_aioquic_adapter_preflight.py b/tests/test_aioquic_adapter_preflight.py
@@ -81,6 +81,6 @@ def test_release_workflow_and_wrapper_require_aioquic_preflight_before_phase9_sc
     workflow = (ROOT / '.github' / 'workflows' / 'phase9-certification-release.yml').read_text(encoding='utf-8')
     wrapper = (ROOT / 'tools' / 'run_phase9_release_workflow.py').read_text(encoding='utf-8')
     assert 'tools/preflight_aioquic_adapters.py' in workflow
-    assert '--require-pass' in workflow
     assert 'preflight_aioquic_adapters.py' in wrapper
-    assert '--require-pass' in wrapper
+    assert '--require-pass' not in workflow
+    assert '--require-pass' not in wrapper
diff --git a/tests/test_p9_auto.py b/tests/test_p9_auto.py
@@ -53,13 +53,15 @@ def test_publish_all_packages_workflow_uses_tokens_choices_and_pinned_actions():
     assert 'python_release_tag={python_tag}' in workflow
     assert 'REL_{version}.md' in workflow
     assert 'needs.prepare-release.result == \'success\'' in workflow
+    assert 'certification-release-gates' in workflow
+    assert 'needs: [release-gates, certification-release-gates]' in workflow
     assert 'Check out prepared release commit' in workflow
     assert 'draft: ${{ github.event_name == \'workflow_dispatch\' && needs.prepare-release.outputs.prerelease == \'true\' }}' in workflow
     assert 'secrets.NPM_API_TOKEN' in workflow
     assert 'pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b' in workflow
     assert 'actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26' in workflow
     assert 'softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe' in workflow
-    assert 'actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b' in workflow
+    assert 'actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b' not in workflow
     assert 'npm publish --access public --provenance' in workflow
     assert 'download-artifact' in workflow
     assert 'packages-dir: dist' in workflow
@@ -68,8 +70,8 @@ def test_publish_all_packages_workflow_uses_tokens_choices_and_pinned_actions():
 
 def test_release_pages_and_docs_pipeline_are_declared():
     workflow = _text('.github/workflows/docs.yml')
-    assert 'actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b' in workflow
-    assert 'actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128' in workflow
-    assert 'continue-on-error: true' in workflow
-    assert 'environment:' in workflow
-    assert 'github-pages' in workflow
+    assert 'actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b' not in workflow
+    assert 'actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128' not in workflow
+    assert 'github-pages' not in workflow
+    assert 'name: docs' in workflow
+    assert 'Upload docs artifact' in workflow
diff --git a/tools/run_phase9_release_workflow.py b/tools/run_phase9_release_workflow.py
@@ -76,7 +76,6 @@ def main() -> int:
     preflight_command = [
         sys.executable,
         str(ROOT / 'tools' / 'preflight_aioquic_adapters.py'),
-        '--require-pass',
         '--release-root',
         args.release_root,
         '--bundle-name',
