bcli/.github/workflows/tests.yml at main · igor-ctrl/bcli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: Tests

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Default to read-only — every job must opt in to anything writeable.
# Without this, GITHUB_TOKEN inherits the repo-wide default (often
# write-all on older repos), which gives anyone who can land a PR an
# overly permissive token if they trick a workflow step.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.11", "3.12", "3.13"]

    steps:
      # Third-party actions are pinned by full commit SHA, not a moving
      # tag like @v4. The trailing comment names the human-readable tag
      # so a maintainer can audit the version without resolving SHAs.
      # Bumping requires checking the new SHA against the upstream
      # release notes and updating both fields together.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

      - name: Install uv
        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86  # v5
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}

      - name: Install dependencies (locked)
        # `--locked` requires uv.lock to be committed and exactly match the
        # current pyproject.toml, so CI is reproducible from the lockfile
        # under code review rather than re-resolving versions on every run.
        run: uv sync --locked --extra dev --extra etl

      - name: Lint with ruff
        run: uv run ruff check src/ tests/

      - name: Run tests
        run: uv run pytest tests/ -v