Add UV workflows (#20)

* Change workflows to use uv

* Move concurrency and conditionals to calling workflows

* Create dependabot.yml

* Move workflow files to correct locations

* Remove unused input

* Checkout the repo with the right token

* Add smoke-test-paths as input to ci workflow

* Add publish-to-pypi flag to publish.yml

* Make sure publish only runs on tags

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* feat: make pypi-token optional

In response to copilot code review

* Restore names to steps

* Make example package name more explicit

* Fix potential security problem

* Don't assume lockfile is up to date

* Don't assume lockfile is up to date in CI

* Actually, CI should respect lockfile as is

An out-of-date lockfile should error

* chore: prepare for PR against upstream

* Restore original workflows

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: galenlynch

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the default location of `.github/workflows`
+    # You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/bump-version.yml

@@ -0,0 +1,37 @@
+name: Version Bump
+
+on:
+  workflow_call:
+    inputs:
+      default-branch:
+        description: "Branch to bump (usually 'main')"
+        required: false
+        type: string
+        default: "main"
+    secrets:
+      repo-token:
+        description: "Token with write permission to push"
+        required: true
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  bump:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.default-branch }}
+          fetch-depth: 0
+          token: ${{ secrets.repo-token }}
+      - name: Commitizen bump
+        id: cz
+        uses: commitizen-tools/commitizen-action@master
+        with:
+          github_token: ${{ secrets.repo-token }}
+      - name: Show new version
+        run: echo "Bumped to ${{ steps.cz.outputs.version }}"

.github/workflows/ci-uv.yml

@@ -0,0 +1,78 @@
+name: CI
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        description: Runner OS
+        required: true
+        type: string
+      python-version:
+        description: Python version
+        required: true
+        type: string
+      package-name:
+        description: "The Python package name to test/cover"
+        required: true
+        type: string
+      smoke-test-paths:
+        description: |
+          space-separated list of files or directories
+          to copy into the wheel smoke test.
+        required: false
+        type: string
+        default: "tests"
+    secrets:
+      repo-token:
+        description: GitHub token for checkout/PR operations
+        required: true
+
+permissions:
+  contents: read
+  pull-requests: read
+
+
+jobs:
+  tests:
+    name: Python ${{ inputs.python-version }} on ${{ inputs.os }}
+    runs-on: ${{ inputs.os }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ inputs.python-version }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          python-version: ${{ inputs.python-version }}
+          enable-cache: true
+      - name: Install project
+        run: uv sync --frozen
+      - name: Ruff (lint + format-check)
+        run: |
+          uv run --frozen ruff format --check --diff .
+          uv run --frozen ruff check --output-format=github .
+      - name: Interrogate (docstring coverage)
+        run: uv run --frozen interrogate -v
+      - name: Codespell (typo checker)
+        run: uv run --frozen codespell --check-filenames
+      - name: Pytest (unit test)
+        run: uv run --frozen pytest --cov ${{ inputs.package-name }}
+      - name: Build
+        run: uv build
+      - name: Smoke-test built wheel
+        run: |
+          TEMP_DIR=${{ runner.temp }}/wheeltest
+          mkdir -p "$TEMP_DIR"
+          for path in ${{ inputs.smoke-test-paths }}; do
+            cp -r "$path" "$TEMP_DIR/" || echo "Warning: '$path' not found"
+          done
+          cp dist/*.whl "$TEMP_DIR"
+          cd "$TEMP_DIR"
+          uv venv
+          source .venv/bin/activate
+          uv pip install pytest *.whl
+          pytest -q

.github/workflows/publish.yml

@@ -0,0 +1,80 @@
+name: Publish
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        description: "Python version for build"
+        required: false
+        type: string
+        default: "3.13"
+      tag-name:
+        description: "Git tag to release"
+        required: true
+        type: string
+      publish-to-pypi:
+        description: "Whether to publish to PyPI (true/false)"
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      repo-token:
+        description: "GitHub token for release creation"
+        required: true
+      pypi-token:
+        description: "PyPI API token"
+        required: false
+
+permissions:
+  contents: write
+
+jobs:
+  build-release-publish:
+    runs-on: ubuntu-latest
+    # only run on a tag push, or on a manual dispatch *where* the user has
+    # selected a tag ref (i.e. github.ref starts with refs/tags/)
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # on push this is already the tag ref; on dispatch you must choose
+          # the tag in the UI so github.ref is the tag
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ inputs.python-version }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          python-version: ${{ inputs.python-version }}
+          enable-cache: true
+      - name: Install project
+        run: uv sync
+      - name: Build
+        run: uv build
+      - name: Verify artifacts
+        run: ls -la dist/
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ inputs.tag-name }}
+          name: Release ${{ inputs.tag-name }}
+          generate_release_notes: true
+          files: |
+            dist/*.tar.gz
+            dist/*.whl
+        env:
+          GITHUB_TOKEN: ${{ secrets.repo-token }}
+      - name: Publish to PyPI
+        if: ${{ inputs.publish-to-pypi }}
+        env:
+          pypi_token: ${{ secrets.pypi-token }}
+        run: |
+          if [ -z "$pypi_token" ]; then
+            echo "No PyPI token provided, skipping publish."
+          else
+            uv publish --token "$pypi_token"
+          fi

README.md

@@ -7,14 +7,31 @@ aind-github-actions
 
 GitHub actions workflows are found in .github/workflows.
 
+Example calling workflows are in `examples/`
+
+The UV CI workflow depends on your project having a `dev` group of optional
+dependencies with `ruff`, `interrogate`, `codespell`, `pytest`, and
+`pytest-cov`.
+
+The bump workflow requires `commitizen` configuration in the calling project's
+`pyproject.toml`, and that projects follow
+[conventional commits](https://www.conventionalcommits.org/en/v1.0.0/).
+
+The publish workflow can be configured to publish to pypi, as well as make a
+github release. See the example `examples/publish-call.yml` for more
+information.
+
 ### Pull requests
 
-For internal members, please create a branch. For external members, please fork the repository and open a pull request from the fork. We'll primarily use [Angular](https://github.com/angular/angular/blob/main/CONTRIBUTING.md#commit) style for commit messages. Roughly, they should follow the pattern:
+For internal members, please create a branch. For external members, please fork
+the repository and open a pull request from the fork. We'll primarily use
+[conventional commits](https://www.conventionalcommits.org/en/v1.0.0/).
 ```text
 <type>(<scope>): <short summary>
 ```
 
-where scope (optional) describes the packages affected by the code changes and type (mandatory) is one of:
+where scope (optional) describes the packages affected by the code changes and
+type (mandatory) is one of:
 
 - **build**: Changes that affect build tools or external dependencies (example scopes: pyproject.toml, setup.py)
 - **ci**: Changes to our CI configuration files and scripts (examples: .github/workflows/ci.yml)

examples/bump-call.yml

@@ -0,0 +1,45 @@
+# Example workflow to use the reusable bump-version workflow
+# This workflow is triggered by the completion of a CI workflow and bumps the
+# version if the last commit message does not start with 'bump:'.  It can also
+# be manually triggered via workflow_dispatch.
+#
+# * The bumped version is pushed to the repository.
+# * The workflow uses a service token for authentication.
+# * The concurrency group ensures that only one bump job runs at a time for the
+# same branch.
+# * The workflow runs on the main branch.
+# * This calling workflow should be placed in `.github/workflows/bump-call.yml`
+# of your repository.
+name: Bump Version
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    branches: [ main ]
+    types: [ completed ]
+  workflow_dispatch:
+
+permissions:
+  contents: write    # needed to push commits/tags
+  id-token: write    # needed if your reusable workflow exchanges OIDC tokens
+
+concurrency:
+  group: bump-${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  bump:
+    # Only run when:
+    #  • a CI run just succeeded (and the head commit message doesn't start with 'bump:')
+    #  • OR this is a manual dispatch
+    if: >
+      (github.event_name == 'workflow_run' &&
+       github.event.workflow_run.conclusion == 'success' &&
+       !startsWith(github.event.workflow_run.head_commit.message, 'bump:')) ||
+      (github.event_name == 'workflow_dispatch' &&
+      github.ref == 'refs/heads/main')
+    uses: AllenNeuralDynamics/aind-github-actions/.github/workflows/bump-version.yml@main
+    with:
+      default-branch: main
+    secrets:
+      repo-token: ${{ secrets.SERVICE_TOKEN }}

examples/ci-call.yml

@@ -0,0 +1,50 @@
+# Example workflow to use the reusable ci workflow
+# This workflow is triggered by a push to the main branch, a pull request
+# targeting the main branch, or manually via workflow_dispatch. It runs the CI
+# tests for the specified Python versions and OS.
+#
+# * The concurrency group ensures that only one CI job runs at a time for the
+# same branch or pull request.
+# * This calling workflow should be placed in `.github/workflows/ci-call.yml`
+# of your repository.
+name: CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  run-ci:
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        python-version: [3.9, 3.13]
+
+    # Only run when:
+    #  • this is not a draft pull request
+    #  • the actor is not the GitHub Actions bot
+    #  • the commit message does not start with 'bump:'
+    if: >
+      (github.event_name != 'pull_request' || github.event.pull_request.draft == false) &&
+      github.actor != 'github-actions[bot]' &&
+      !(github.event_name == 'push' && startsWith(github.event.head_commit.message, 'bump:'))
+
+    uses: AllenNeuralDynamics/aind-github-actions/.github/workflows/ci-uv.yml@main
+    with:
+      os: ${{ matrix.os }}
+      python-version: ${{ matrix.python-version }}
+      package-name: <your_package_name> # Replace with the importable package name of your Python package
+    secrets:
+      repo-token: ${{ secrets.GITHUB_TOKEN }}

examples/publish-call.yml

@@ -0,0 +1,33 @@
+# Example workflow to use the reusable publish workflow
+# This workflow is triggered by a push to a tag that matches the pattern 'v[0-9]*'
+# (indicating a semantic versioning tag) or manually via workflow_dispatch.
+# It creates a release and uploads the package to PyPI.
+# * The concurrency group ensures that only one release job runs at a time.
+# * This calling workflow should be placed in `.github/workflows/publish-call.yml`
+# of your repository.
+# * The workflow uses a service token for authentication to PyPI.
+name: "Release"
+
+on:
+  push:
+    tags:
+      - 'v[0-9]*'          # semver tags
+  workflow_dispatch:
+
+permissions:
+  contents: write    # create release + upload assets
+
+concurrency:
+  group: release
+  cancel-in-progress: false   # let releases finish
+
+jobs:
+  run-release:
+    uses: AllenNeuralDynamics/aind-github-actions.github/workflows/publish.yml@main
+    with:
+      tag-name: ${{ github.ref_name }}
+      python-version: "3.13"
+      publish-to-pypi: true # Set to true to publish to PyPI, remove or false to skip
+    secrets:
+      repo-token: ${{ secrets.GITHUB_TOKEN }}
+      pypi-token: ${{ secrets.AIND_PYPI_TOKEN }}