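# CI workflow: a Python/Zig job (tests, dependency audit, static scan, builds)
# and a docs job (style and secret checks, Bun audit, lint, build).
name: CI

on:
  pull_request:
  push:
    branches: [master, main]
  workflow_dispatch:

# Workflow-wide default: the job token can only read repository contents.
permissions:
  contents: read

# One run per workflow and ref; superseded runs are cancelled only for
# pull_request events, so push and manual runs always complete.
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  # Opts JavaScript-based actions into the Node 24 runtime.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  # ZIG_VERSION, ZIG_URL and ZIG_SHA256 describe one release artifact and
  # must be updated together; the digest is checked before extraction.
  ZIG_VERSION: "0.16.0"
  ZIG_URL: https://ziglang.org/download/0.16.0/zig-x86_64-linux-0.16.0.tar.xz
  ZIG_SHA256: 70e49664a74374b48b51e6f3fdfbf437f6395d42509050588bd49abe52ba3d00

jobs:
  python:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
        with:
          # Later steps execute repository code (tests, build scripts) and
          # none of them pushes, so do not leave the token in .git/config.
          persist-credentials: false
      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: "3.13"
      - name: Install uv
        # NOTE(review): uv is installed without a version pin, unlike
        # pip-audit and bandit below; consider pinning it as well.
        run: python -m pip install uv
      - name: Install Zig
        run: |
          curl -fsSL "$ZIG_URL" -o "$RUNNER_TEMP/zig.tar.xz"
          # Verify the pinned digest before anything is unpacked or executed.
          # sha256sum -c expects "<digest>  <path>" with two spaces.
          echo "$ZIG_SHA256  $RUNNER_TEMP/zig.tar.xz" | sha256sum -c -
          mkdir -p "$RUNNER_TEMP/zig"
          tar -xJf "$RUNNER_TEMP/zig.tar.xz" -C "$RUNNER_TEMP/zig" --strip-components=1
          echo "$RUNNER_TEMP/zig" >> "$GITHUB_PATH"
          "$RUNNER_TEMP/zig/zig" version
      - name: Install dependencies
        # --locked fails the step if the lockfile is out of date.
        run: uv sync --locked --all-groups
      - name: Run pytest
        run: PYTHONPATH=. uv run pytest --tb=no -q
      - name: Audit Python dependencies
        run: uvx --from pip-audit==2.10.0 pip-audit --strict
      - name: Static security scan
        # B404/B603 are expected for trusted verifier scripts that run generated artifacts.
        run: uvx --from bandit==1.9.4 bandit -r a7 scripts main.py -q --skip B404,B603
      - name: Verify error stages
        run: PYTHONPATH=. uv run python scripts/verify_error_stages.py --mode-set all --format both
      - name: Verify examples through Zig
        run: uv run python scripts/verify_examples_e2e.py
      - name: Build debug artifacts
        run: uv run python scripts/build_examples.py --profile debug --backend zig --clean
      - name: Build release artifacts
        run: uv run python scripts/build_examples.py --profile release --backend zig --clean
      - name: Build package
        run: uv build
      - name: Verify wheel install
        run: uv run python scripts/verify_wheel_install.py --skip-build

  docs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
        with:
          # Later steps run repository scripts and third-party tooling and
          # none of them pushes, so do not leave the token in .git/config.
          persist-credentials: false
      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: "3.13"
      - name: Install uv
        # NOTE(review): uv is installed without a version pin; consider
        # pinning it so both jobs use a known release.
        run: python -m pip install uv
      - name: Check docs writing style
        run: uv run python scripts/check_docs_style.py
      - name: Check for committed secrets
        run: uv run python scripts/check_no_secrets.py
      - name: Setup Bun
        # NOTE(review): this is the only action referenced by a mutable tag;
        # checkout and setup-python are pinned to full commit SHAs. Pin this
        # one to a reviewed commit SHA too.
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.11"
      - name: Install docs dependencies
        working-directory: site
        # --frozen-lockfile refuses to install if the lockfile would change.
        run: bun install --frozen-lockfile
      - name: Audit docs runtime dependencies
        working-directory: site
        run: bun audit --audit-level=moderate
      - name: Lint docs
        working-directory: site
        run: bun run lint -- --max-warnings=0
      - name: Build docs
        working-directory: site
        run: bun run build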