From 08f17fc396aef7b1e9ac574cf788e88100b2b5d2 Mon Sep 17 00:00:00 2001 From: amimas Date: Thu, 23 Apr 2026 22:21:41 -0400 Subject: [PATCH 01/10] ci: consolidate acceptance tests into a unified domain workflow - Create tests-acceptance.yml with matrix jobs for standard and licensed tiers - Implement job-level approvals to allow single-click gating for Premium and Ultimate - Update _main.yml and _releases.yml to call the new consolidated workflow - Remove acceptance jobs from tests-standard.yml and delete tier-specific files - Switch to repository secret for Codecov token management --- .github/workflows/_main.yml | 17 +----- .github/workflows/_releases.yml | 34 ++--------- .github/workflows/prs.yml | 34 +---------- .github/workflows/tests-acceptance.yml | 84 ++++++++++++++++++++++++++ .github/workflows/tests-premium.yml | 56 ----------------- .github/workflows/tests-standard.yml | 72 ---------------------- .github/workflows/tests-ultimate.yml | 59 ------------------ 7 files changed, 95 insertions(+), 261 deletions(-) create mode 100644 .github/workflows/tests-acceptance.yml delete mode 100644 .github/workflows/tests-premium.yml delete mode 100644 .github/workflows/tests-ultimate.yml diff --git a/.github/workflows/_main.yml b/.github/workflows/_main.yml index c021efbc3..74abedac8 100644 --- a/.github/workflows/_main.yml +++ b/.github/workflows/_main.yml @@ -28,21 +28,8 @@ jobs: with: BRANCH_REF: ${{ github.ref }} - tests-standard: - uses: ./.github/workflows/tests-standard.yml + tests-acceptance: + uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ github.ref }} - - tests-premium: - uses: ./.github/workflows/tests-premium.yml - with: - BRANCH_REF: ${{ github.ref }} - environment: Main Tests secrets: inherit - - tests-ultimate: - uses: ./.github/workflows/tests-ultimate.yml - with: - BRANCH_REF: ${{ github.ref }} - environment: Main Tests - secrets: inherit \ No newline at end of file 
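Review bot: The new `tests-acceptance` call in `_main.yml` keeps `secrets: inherit`, which makes every secret visible to the caller available to the reusable workflow, although `tests-acceptance.yml` declares only `GITLAB_EE_LICENSE`, `GITLAB_EE_ULTIMATE_LICENSE` and `CODECOV_TOKEN`. An explicit `secrets:` map with those three names (for example `CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}`) would hold the callee to what it declares and turn any later addition into a visible decision. The same applies to the `tests-acceptance` calls this commit adds in `_releases.yml` and `prs.yml`.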
diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index fff405b8b..fcbf2ee96 100644 --- a/.github/workflows/_releases.yml +++ b/.github/workflows/_releases.yml @@ -18,31 +18,16 @@ jobs: with: BRANCH_REF: ${{ github.ref }} - tests-standard: - uses: ./.github/workflows/tests-standard.yml + tests-acceptance: + uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ github.ref }} - - tests-premium: - uses: ./.github/workflows/tests-premium.yml - with: - BRANCH_REF: ${{ github.ref }} - environment: Main Tests - secrets: inherit - - tests-ultimate: - uses: ./.github/workflows/tests-ultimate.yml - with: - BRANCH_REF: ${{ github.ref }} - environment: Main Tests secrets: inherit publish-docs: needs: - linters - - tests-standard - - tests-premium - - tests-ultimate + - tests-acceptance runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -66,9 +51,7 @@ jobs: publish-to-github: needs: - linters - - tests-standard - - tests-premium - - tests-ultimate + - tests-acceptance runs-on: ubuntu-latest steps: - name: Create release in GitHub @@ -82,9 +65,7 @@ jobs: publish-to-pypi: needs: - linters - - tests-standard - - tests-premium - - tests-ultimate + - tests-acceptance runs-on: ubuntu-latest environment: name: pypi @@ -112,10 +93,7 @@ jobs: publish-to-ghcr: needs: - linters - - tests-standard - - tests-premium - - tests-ultimate - - publish-to-pypi + - tests-acceptance runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/prs.yml b/.github/workflows/prs.yml index 6c4d006f1..6e11c4f9f 100644 --- a/.github/workflows/prs.yml +++ b/.github/workflows/prs.yml @@ -9,12 +9,6 @@ on: jobs: - approve: - runs-on: ubuntu-latest - steps: - - name: Approve - run: echo For security reasons, all pull requests need to be approved first before running the Premium Acceptance Tests. - build-docs: uses: ./.github/workflows/docs.yml permissions: 
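Review bot: In the `publish-to-ghcr` hunk (`@@ -112,10 +93,7 @@`) the removed `needs` entries include `- publish-to-pypi`, not only the three tier jobs, so the image job no longer waits for the PyPI upload, and the commit message does not mention this. If the image build installs the released version from PyPI (the Dockerfile is not visible here), the two jobs can now race and the image may fail to build or pick up an older release. If the ordering is still wanted, keep `- publish-to-pypi` next to `- tests-acceptance`; if not, one line in the commit message saying the dependency was dropped on purpose would help. The job body continues outside the hunk.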
@@ -31,32 +25,10 @@ jobs: with: branch_ref: ${{ inputs.BRANCH_REF }} - tests-standard: - uses: ./.github/workflows/tests-standard.yml - permissions: - contents: read - pull-requests: write + tests-acceptance: + uses: ./.github/workflows/tests-acceptance.yml with: - branch_ref: ${{ inputs.BRANCH_REF }} - - tests-premium: - uses: ./.github/workflows/tests-premium.yml - permissions: - contents: read - pull-requests: write - with: - branch_ref: ${{ inputs.BRANCH_REF }} - environment: Integrate Pull Request # Our dummy environment - secrets: inherit - - tests-ultimate: - uses: ./.github/workflows/tests-ultimate.yml - permissions: - contents: read - pull-requests: write - with: - branch_ref: ${{ inputs.BRANCH_REF }} - environment: Integrate Pull Request # Our dummy environment + BRANCH_REF: ${{ inputs.BRANCH_REF }} secrets: inherit analyze: diff --git a/.github/workflows/tests-acceptance.yml b/.github/workflows/tests-acceptance.yml new file mode 100644 index 000000000..762d7c788 --- /dev/null +++ b/.github/workflows/tests-acceptance.yml 
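Review bot: The pull-request path no longer carries its own approval gate: the removed `tests-premium`/`tests-ultimate` calls passed `environment: Integrate Pull Request`, while the new `tests-acceptance` call passes only `BRANCH_REF` and `secrets: inherit`, and `tests-acceptance.yml` hard-codes `environment: Main Tests` on `acceptance-licensed`. Whether code from a pull request is held for approval before it runs with `GITLAB_EE_LICENSE` or `GITLAB_EE_ULTIMATE_LICENSE` therefore depends on the protection rules of `Main Tests`, which are repository settings this diff does not show; the first hunk of this file also deletes the `approve` job that documented the requirement. Keeping an `environment` input on `tests-acceptance.yml` (as the two deleted workflows had) and passing `environment: Integrate Pull Request` here would let PR runs and main-branch runs be gated differently. `acceptance-standard` has no environment at all and receives `CODECOV_TOKEN` in a job that checks out `inputs.BRANCH_REF`, which deserves the same look.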
@@ -0,0 +1,84 @@
+name: Tests Acceptance
+
+on:
+ workflow_call:
+ inputs:
+ BRANCH_REF:
+ type: string
+ required: true
+ secrets:
+ GITLAB_EE_LICENSE:
+ required: false
+ GITLAB_EE_ULTIMATE_LICENSE:
+ required: false
+ CODECOV_TOKEN:
+ required: true
+
+permissions:
+ contents: read
+ actions: read # Required by codecov/codecov-action
+
+jobs:
+ acceptance-standard:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ flavor: [ce, ee]
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ inputs.BRANCH_REF }}
+ fetch-depth: 2
+ - name: Configure uv environment
+ uses: ./.github/actions/setup-uv-local
+ - name: Setup python and install dependencies
+ run: uv sync --frozen --no-dev --group test
+ - name: Start GitLab (${{ matrix.flavor }}) in docker
+ run: uv run --no-sync gitlab-local up --gitlab-flavor ${{ matrix.flavor }}
+ - name: Run Standard acceptance tests for ${{ matrix.flavor }} flavor
+ run: uv run --no-sync qa test tests/acceptance/standard --cov=. --cov-report=xml --durations=0 --reruns 3 --reruns-delay 10 --log-cli-level=WARNING
+ - name: Upload coverage
+ uses: Wandalen/wretry.action@v3
+ with:
+ action: codecov/codecov-action@v3
+ with: |
+ name: codecov-acceptance-test-standard-${{ matrix.flavor }}
+ flags: integration
+ token: ${{ secrets.CODECOV_TOKEN }}
+ attempt_limit: 5
+ attempt_delay: 10000
+
+ acceptance-licensed:
+ needs: [acceptance-standard]
+ environment: Main Tests
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ tier: [premium, ultimate]
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ inputs.BRANCH_REF }}
+ fetch-depth: 2
+ - name: Configure uv environment
+ uses: ./.github/actions/setup-uv-local
+ - name: Setup python and install dependencies
+ run: uv sync --frozen --no-dev --group test
+ - name: Start GitLab (${{ matrix.tier }}) in docker
+ env:
+ GITLAB_EE_LICENSE: ${{ matrix.tier == 'premium' && secrets.GITLAB_EE_LICENSE || secrets.GITLAB_EE_ULTIMATE_LICENSE }}
+ run: uv run --no-sync gitlab-local up
+ - name: Run acceptance Tests for ${{ matrix.tier }} features
+ run: uv run --no-sync qa test tests/acceptance/${{ matrix.tier }} --cov=. --cov-report=xml --durations=0 --reruns 3 --reruns-delay 10 --log-cli-level=WARNING
+ - name: Upload coverage
+ uses: Wandalen/wretry.action@v3
+ with:
+ action: codecov/codecov-action@v3
+ with: |
+ name: codecov-acceptance-test-${{ matrix.tier }}
+ flags: integration
+ token: ${{ secrets.CODECOV_TOKEN }}
+ attempt_limit: 5
+ attempt_delay: 10000
diff --git a/.github/workflows/tests-premium.yml b/.github/workflows/tests-premium.yml
deleted file mode 100644
index 66f60eb62..000000000
--- a/.github/workflows/tests-premium.yml
+++ /dev/null
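Review bot: Switching `token:` to `${{ secrets.CODECOV_TOKEN }}` in the two `Upload coverage` steps of `tests-acceptance.yml` does not retire the literal Codecov token on the removed `token:` lines of `tests-premium.yml`, `tests-standard.yml` and `tests-ultimate.yml`, which stays readable in the repository history. The token should be regenerated in Codecov and only the new value stored as `CODECOV_TOKEN`; if the secret holds the old value, the move to a secret changes nothing about who can use it. Separately, the old standard and premium upload steps set `fail_ci_if_error: true` and the new ones do not, so a failed upload now passes silently; if that is intended, a comment above each `Upload coverage` step such as `# upload failures are deliberately non-fatal for acceptance runs` would record it.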
@@ -1,56 +0,0 @@ -name: Tests premium - -on: - workflow_call: - inputs: - BRANCH_REF: - type: string - required: true - environment: - description: "Environment to run tests in: 'Integrate Pull Request' for PRs (requires approval) or 'Main' for Main." - type: string - required: true - -permissions: - contents: read - -jobs: - acceptance-tests-premium: - environment: - name: ${{ inputs.environment }} - runs-on: ubuntu-latest - strategy: - max-parallel: 5 - matrix: - python-version: [3.14] - fail-fast : false - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - - name: Setup Python ${{ matrix.python-version }} and install dependencies - run: | - uv sync --frozen --no-dev --group test - - name: Start GitLab in Docker - env: - GITLAB_EE_LICENSE: ${{ secrets.GITLAB_EE_LICENSE }} - run: | - uv run --no-sync gitlab-local up - - name: Run acceptance tests for premium features - run: | - uv run --no-sync qa test tests/acceptance/premium --cov=. --cov-report=xml --durations=0 --reruns 3 --reruns-delay 10 --log-cli-level=WARNING - - name: Upload coverage to Codecov - uses: Wandalen/wretry.action@v3 - with: - action: codecov/codecov-action@v3 - with: | - name: codecov-acceptance-test-premium - flags: integration - fail_ci_if_error: true - token: 3e6d6cb5-fcdb-41ea-b134-f6c5856363e9 - attempt_limit: 5 - attempt_delay: 10000 diff --git a/.github/workflows/tests-standard.yml b/.github/workflows/tests-standard.yml index 554e3dd43..e88fd2a36 100644 --- a/.github/workflows/tests-standard.yml +++ b/.github/workflows/tests-standard.yml 
@@ -23,78 +23,6 @@ jobs: run: | uv lock --check - acceptance-tests: - runs-on: ubuntu-latest - strategy: - max-parallel: 5 - matrix: - python-version: [3.14] - fail-fast : false - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - - name: Setup Python ${{ matrix.python-version }} and install dependencies - run: | - uv sync --frozen --no-dev --group test - - name: Start GitLab in Docker - run: | - uv run --no-sync gitlab-local up - - name: Run standard acceptance tests against Enterprise Edition - run: uv run --no-sync qa test tests/acceptance/standard --cov=. --cov-report=xml --durations=0 --reruns 3 --reruns-delay 10 --log-cli-level=WARNING - - name: Upload coverage to Codecov - uses: Wandalen/wretry.action@v3 - with: - action: codecov/codecov-action@v3 - with: | - name: codecov-acceptance-test-standard - flags: integration - fail_ci_if_error: true - token: 3e6d6cb5-fcdb-41ea-b134-f6c5856363e9 - attempt_limit: 5 - attempt_delay: 10000 - - acceptance-tests-CE: - runs-on: ubuntu-latest - strategy: - max-parallel: 5 - matrix: - python-version: [ 3.14 ] - fail-fast: false - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - - name: Setup Python ${{ matrix.python-version }} and install dependencies - run: | - uv sync --frozen --no-dev --group test - - name: Start GitLab in Docker - run: | - uv run --no-sync gitlab-local up --gitlab-flavor ce - - name: Run standard acceptance tests against Community Edition - run: uv run --no-sync qa test tests/acceptance/standard --cov=. 
--cov-report=xml --durations=0 --reruns 3 --reruns-delay 10 --log-cli-level=WARNING - - name: Upload coverage to Codecov - uses: Wandalen/wretry.action@v3 - with: - action: codecov/codecov-action@v3 - with: | - name: codecov-acceptance-test-standard-ce - flags: integration - fail_ci_if_error: true - token: 3e6d6cb5-fcdb-41ea-b134-f6c5856363e9 - attempt_limit: 5 - attempt_delay: 10000 - unit-tests: runs-on: ubuntu-latest strategy: diff --git a/.github/workflows/tests-ultimate.yml b/.github/workflows/tests-ultimate.yml deleted file mode 100644 index 35552fac1..000000000 --- a/.github/workflows/tests-ultimate.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -name: Tests Ultimate - -on: - workflow_call: - inputs: - BRANCH_REF: - type: string - required: true - environment: - description: "Environment to run tests in: 'Integrate Pull Request' for PRs (requires approval) or 'Main' for Main." - type: string - required: true - -permissions: - contents: read - -jobs: - acceptance-tests-ultimate: - environment: - name: ${{ inputs.environment }} - runs-on: ubuntu-latest - strategy: - max-parallel: 5 - matrix: - python-version: [3.14] - fail-fast : false - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - - name: Setup Python ${{ matrix.python-version }} and install dependencies - # uv will automatically create and use a virtual environment for the specified Python version - # Only install dependencies needed for running tests, to save time and resources. - run: | - uv sync --frozen --no-dev --group test - - name: Start GitLab in Docker - env: - # requested via: https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributing-to-the-gitlab-enterprise-edition-ee - # https://gitlab.com/gitlab-org/developer-relations/contributor-success/team-task/-/issues - GITLAB_EE_LICENSE: ${{ secrets.GITLAB_EE_ULTIMATE_LICENSE }} - run: | - uv run --no-sync gitlab-local up - - name: Run acceptance tests for ultimate features - run: | - uv run --no-sync qa test tests/acceptance/ultimate --cov=. --cov-report=xml --durations=0 --reruns 3 --reruns-delay 10 --log-cli-level=WARNING - - name: Upload coverage to Codecov - uses: Wandalen/wretry.action@v3 - with: - action: codecov/codecov-action@v3 - with: | - name: codecov-acceptance-test-ultimate - flags: integration - token: 3e6d6cb5-fcdb-41ea-b134-f6c5856363e9 - attempt_limit: 5 - attempt_delay: 10000 \ No newline at end of file 
From f21544c502b40bc40c193a4de6256a546d528313 Mon Sep 17 00:00:00 2001 From: amimas Date: Thu, 23 Apr 2026 22:44:13 -0400 Subject: [PATCH 02/10] ci: consolidate linter/static checks into a single workflow Created a new workflow called static-analysis for linting or other static analysis type validations. --- .github/workflows/_main.yml | 4 +- .github/workflows/_releases.yml | 6 +-- .github/workflows/linters.yml | 67 --------------------------- .github/workflows/prs.yml | 9 ++-- .github/workflows/static-analysis.yml | 51 ++++++++++++++++++++ .github/workflows/tests-standard.yml | 35 -------------- 6 files changed, 59 insertions(+), 113 deletions(-) delete mode 100644 .github/workflows/linters.yml create mode 100644 .github/workflows/static-analysis.yml diff --git a/.github/workflows/_main.yml b/.github/workflows/_main.yml index 74abedac8..8c7fdefb9 100644 --- a/.github/workflows/_main.yml +++ b/.github/workflows/_main.yml @@ -23,8 +23,8 @@ jobs: with: BRANCH_REF: ${{ github.ref }} - linters: - uses: ./.github/workflows/linters.yml + static-analysis: + uses: ./.github/workflows/static-analysis.yml with: BRANCH_REF: ${{ github.ref }} diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index fcbf2ee96..ca159e525 100644 --- a/.github/workflows/_releases.yml +++ b/.github/workflows/_releases.yml @@ -13,8 +13,8 @@ permissions: jobs: - linters: - uses: ./.github/workflows/linters.yml + static-analysis: + uses: ./.github/workflows/static-analysis.yml with: BRANCH_REF: ${{ github.ref }} @@ -26,7 +26,7 @@ jobs: publish-docs: needs: - - linters + - static-analysis - tests-acceptance runs-on: ubuntu-latest steps: diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml deleted file mode 100644 index 3e0689b13..000000000 --- a/.github/workflows/linters.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -name: Linters - -on: - workflow_call: - inputs: - BRANCH_REF: - type: string - required: true - -permissions: - contents: read - -jobs: - black-formatting: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - - name: Setup Python ${{ env.UV_PYTHON }} and install dependencies - run: | - uv sync --frozen --no-dev --group lint - - name: Run black formatting check - run: | - uv run --no-sync qa lint black --check . - - types: - runs-on: ubuntu-latest - strategy: - max-parallel: 1 - matrix: - python-version: [3.14] - fail-fast: false - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - - name: Setup Python ${{ matrix.python-version }} and install dependencies - run: | - uv sync --frozen --no-dev --group lint - - name: Run mypy - run: | - uv run --no-sync qa lint mypy . - - bandit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - - name: Setup Python ${{ env.UV_PYTHON }} and install dependencies - run: | - uv sync --frozen --no-dev --group lint - - name: Run bandit - run: | - uv run --no-sync qa lint bandit . diff --git a/.github/workflows/prs.yml b/.github/workflows/prs.yml index 6e11c4f9f..9dc0a08d5 100644 --- a/.github/workflows/prs.yml +++ b/.github/workflows/prs.yml 
@@ -17,13 +17,10 @@ jobs: with: branch_ref: ${{ inputs.BRANCH_REF }} - linters: - uses: ./.github/workflows/linters.yml - permissions: - contents: read - pull-requests: write + static-analysis: + uses: ./.github/workflows/static-analysis.yml with: - branch_ref: ${{ inputs.BRANCH_REF }} + BRANCH_REF: ${{ inputs.BRANCH_REF }} tests-acceptance: uses: ./.github/workflows/tests-acceptance.yml diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml new file mode 100644 index 000000000..88f52fede --- /dev/null +++ b/.github/workflows/static-analysis.yml @@ -0,0 +1,51 @@ +name: Static Analysis + +on: + workflow_call: + inputs: + BRANCH_REF: + type: string + required: true + +permissions: + contents: read + +jobs: + lockfile-verify: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + with: + ref: ${{ inputs.BRANCH_REF }} + - name: Configure uv environment + uses: ./.github/actions/setup-uv-local + - name: Verify that uv.lock is in sync + run: uv lock --check + + linting: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + check: [black, mypy, bandit] + python-version: ["3.14", "3.12"] + steps: + - uses: actions/checkout@v6 + with: + ref: ${{ inputs.BRANCH_REF }} + fetch-depth: 2 + - name: Configure uv environment + uses: ./.github/actions/setup-uv-local + with: + python-version: ${{ matrix.python-version }} + - name: Install dependencies + run: uv sync --frozen --no-dev --group lint + - name: Run ${{ matrix.check }} + run: | + if [ "${{ matrix.check }}" == "black" ]; then + uv run --no-sync qa lint black --check . + elif [ "${{ matrix.check }}" == "mypy" ]; then + uv run --no-sync qa lint mypy . + elif [ "${{ matrix.check }}" == "bandit" ]; then + uv run --no-sync qa lint bandit . + fi diff --git a/.github/workflows/tests-standard.yml b/.github/workflows/tests-standard.yml index e88fd2a36..8e4832409 100644 --- a/.github/workflows/tests-standard.yml +++ b/.github/workflows/tests-standard.yml 
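Review bot: The `Run ${{ matrix.check }}` step in the new `static-analysis.yml` fails open: the `if`/`elif` chain has no `else`, so a matrix value without a matching branch (a typo, or a check added to the matrix later) lets the step exit 0 without running any linter. A `case` with a default branch that exits non-zero closes that, and passing the value through `env:` keeps the `${{ }}` expression out of the script text, which is the safer habit even though this matrix is static. The proposed step is below; the rest of the `linting` job is unchanged.

```yaml
      - name: Run ${{ matrix.check }}
        env:
          CHECK: ${{ matrix.check }}
        run: |
          case "$CHECK" in
            black) uv run --no-sync qa lint black --check . ;;
            mypy) uv run --no-sync qa lint mypy . ;;
            bandit) uv run --no-sync qa lint bandit . ;;
            *) echo "unknown check: $CHECK" >&2; exit 1 ;;
          esac
```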
@@ -11,18 +11,6 @@ permissions: contents: read jobs: - lockfile-verify: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - - name: Verify that uv.lock is in sync with pyproject.toml - run: | - uv lock --check - unit-tests: runs-on: ubuntu-latest strategy: @@ -56,29 +44,6 @@ jobs: attempt_limit: 5 attempt_delay: 10000 - security-tests: - runs-on: ubuntu-latest - strategy: - max-parallel: 5 - matrix: - python-version: [ 3.14, 3.12 ] - fail-fast: false - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - - name: Setup Python ${{ matrix.python-version }} and install dependencies - run: | - uv sync --frozen --no-dev --group test - - name: Run security tests - run: | - uv run --no-sync qa lint bandit gitlabform - smoke-tests: strategy: max-parallel: 2 From 6ee0c36dd3d1f19b5dcf85469e94aa8822f3743d Mon Sep 17 00:00:00 2001 From: amimas Date: Fri, 24 Apr 2026 06:18:31 -0400 Subject: [PATCH 03/10] ci: refactor unit tests into a dedicated domain workflow - Create tests-unit.yml for code logic verification - Remove unit-tests from tests-standard.yml - Update _main.yml and _releases.yml orchestrators to call tests-unit - Transition Codecov token from hardcoded value to repository secret - Standardize linters reference to static-analysis in all release jobs --- .github/workflows/_main.yml | 6 ++++ .github/workflows/_releases.yml | 16 ++++++++-- .github/workflows/prs.yml | 6 ++++ .github/workflows/tests-standard.yml | 33 -------------------- .github/workflows/tests-unit.yml | 46 ++++++++++++++++++++++++++++ 5 files changed, 71 insertions(+), 36 deletions(-) create mode 100644 .github/workflows/tests-unit.yml 
diff --git a/.github/workflows/_main.yml b/.github/workflows/_main.yml index 8c7fdefb9..107efe79e 100644 --- a/.github/workflows/_main.yml +++ b/.github/workflows/_main.yml @@ -28,6 +28,12 @@ jobs: with: BRANCH_REF: ${{ github.ref }} + tests-unit: + uses: ./.github/workflows/tests-unit.yml + with: + BRANCH_REF: ${{ github.ref }} + secrets: inherit + tests-acceptance: uses: ./.github/workflows/tests-acceptance.yml with: diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index ca159e525..5e360bb7b 100644 --- a/.github/workflows/_releases.yml +++ b/.github/workflows/_releases.yml @@ -18,6 +18,12 @@ jobs: with: BRANCH_REF: ${{ github.ref }} + tests-unit: + uses: ./.github/workflows/tests-unit.yml + with: + BRANCH_REF: ${{ github.ref }} + secrets: inherit + tests-acceptance: uses: ./.github/workflows/tests-acceptance.yml with: @@ -27,6 +33,7 @@ jobs: publish-docs: needs: - static-analysis + - tests-unit - tests-acceptance runs-on: ubuntu-latest steps: @@ -50,7 +57,8 @@ jobs: publish-to-github: needs: - - linters + - static-analysis + - tests-unit - tests-acceptance runs-on: ubuntu-latest steps: @@ -64,7 +72,8 @@ jobs: publish-to-pypi: needs: - - linters + - static-analysis + - tests-unit - tests-acceptance runs-on: ubuntu-latest environment: @@ -92,7 +101,8 @@ jobs: publish-to-ghcr: needs: - - linters + - static-analysis + - tests-unit - tests-acceptance runs-on: ubuntu-latest steps: diff --git a/.github/workflows/prs.yml b/.github/workflows/prs.yml index 9dc0a08d5..095457272 100644 --- a/.github/workflows/prs.yml +++ b/.github/workflows/prs.yml @@ -22,6 +22,12 @@ jobs: with: BRANCH_REF: ${{ inputs.BRANCH_REF }} + tests-unit: + uses: ./.github/workflows/tests-unit.yml + with: + BRANCH_REF: ${{ inputs.BRANCH_REF }} + secrets: inherit + tests-acceptance: uses: ./.github/workflows/tests-acceptance.yml with: diff --git a/.github/workflows/tests-standard.yml b/.github/workflows/tests-standard.yml index 8e4832409..e046240bb 100644 
--- a/.github/workflows/tests-standard.yml +++ b/.github/workflows/tests-standard.yml @@ -11,39 +11,6 @@ permissions: contents: read jobs: - unit-tests: - runs-on: ubuntu-latest - strategy: - max-parallel: 1 - matrix: - python-version: [3.14, 3.12] - fail-fast : false - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - - name: Setup Python ${{ matrix.python-version }} and install dependencies - run: | - uv sync --frozen --no-dev --group test - - name: Run unit tests - run: | - uv run --no-sync qa test tests/unit --cov=. --cov-report=xml --log-cli-level=WARNING - - name: Upload coverage to Codecov - uses: Wandalen/wretry.action@v3 - with: - action: codecov/codecov-action@v3 - with: | - flags: unittests - fail_ci_if_error: true - token: 3e6d6cb5-fcdb-41ea-b134-f6c5856363e9 - attempt_limit: 5 - attempt_delay: 10000 - smoke-tests: strategy: max-parallel: 2 diff --git a/.github/workflows/tests-unit.yml b/.github/workflows/tests-unit.yml new file mode 100644 index 000000000..27c5b508f --- /dev/null +++ b/.github/workflows/tests-unit.yml 
@@ -0,0 +1,46 @@
+name: Tests Unit
+
+on:
+ workflow_call:
+ inputs:
+ BRANCH_REF:
+ type: string
+ required: true
+ secrets:
+ CODECOV_TOKEN:
+ required: true
+
+permissions:
+ contents: read
+
+jobs:
+ unit-tests:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ python-version: ["3.14", "3.12"]
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ inputs.BRANCH_REF }}
+ fetch-depth: 2
+ - name: Configure uv environment
+ uses: ./.github/actions/setup-uv-local
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Install dependencies
+ run: uv sync --frozen --no-dev --group test
+ - name: Run unit tests
+ run: uv run --no-sync qa test tests/unit --cov=. --cov-report=xml --log-cli-level=WARNING
+ - name: Upload coverage to Codecov
+ uses: Wandalen/wretry.action@v3
+ with:
+ action: codecov/codecov-action@v3
+ with: |
+ name: unit-tests-${{ matrix.python-version }}
+ flags: unittests
+ fail_ci_if_error: true
+ token: ${{ secrets.CODECOV_TOKEN }}
+ attempt_limit: 5
+ attempt_delay: 10000
From b01356851049c48a14286dbaf0a19cb29d660163 Mon Sep 17 00:00:00 2001
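Review bot: The `Upload coverage to Codecov` step in `tests-unit.yml` now passes a real secret to two third-party actions referenced by mutable tags, `Wandalen/wretry.action@v3` and, through its `action:` input, `codecov/codecov-action@v3`, so the integrity of `CODECOV_TOKEN` rests on neither tag being moved. Pinning both to a full commit SHA, e.g. `uses: Wandalen/wretry.action@<full-commit-sha> # v3`, removes that dependency; the two upload steps in `tests-acceptance.yml` have the same shape. Also worth checking: with `fail_ci_if_error: true` and the token now coming from a secret, runs that receive no secrets (fork pull requests, if `prs.yml` is triggered by `pull_request`; its `on:` block is not visible here) will presumably fail at this step.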
From: amimas Date: Sat, 25 Apr 2026 09:50:18 -0400 Subject: [PATCH 04/10] ci: implement build-artifacts domain and refactor release pipeline - Create build-artifacts.yml to consolidate package building, doc generation, and smoke tests - Update prs.yml and _main.yml to call the new build-artifacts workflow - Refactor _releases.yml to gate publication on smoke test success across OS matrix - Remove legacy smoke tests from tests-standard.yml and documentation steps from docs.yml - Standardize on Python 3.14 and uv sync for all release and artifact jobs --- .github/workflows/_main.yml | 4 +- .github/workflows/_releases.yml | 31 +++++++----- .github/workflows/build-artifacts.yml | 70 +++++++++++++++++++++++++++ .github/workflows/docs.yml | 28 ----------- .github/workflows/prs.yml | 9 ++-- .github/workflows/tests-standard.yml | 36 -------------- 6 files changed, 95 insertions(+), 83 deletions(-) create mode 100644 .github/workflows/build-artifacts.yml delete mode 100644 .github/workflows/docs.yml delete mode 100644 .github/workflows/tests-standard.yml diff --git a/.github/workflows/_main.yml b/.github/workflows/_main.yml index 107efe79e..9a422ecfc 100644 --- a/.github/workflows/_main.yml +++ b/.github/workflows/_main.yml @@ -18,8 +18,8 @@ on: jobs: - build-docs: - uses: ./.github/workflows/docs.yml + build-artifacts: + uses: ./.github/workflows/build-artifacts.yml with: BRANCH_REF: ${{ github.ref }} diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index 5e360bb7b..0734383c2 100644 --- a/.github/workflows/_releases.yml +++ b/.github/workflows/_releases.yml @@ -30,11 +30,18 @@ jobs: BRANCH_REF: ${{ github.ref }} secrets: inherit - publish-docs: + build-and-test-artifacts: needs: - static-analysis - tests-unit - tests-acceptance + uses: ./.github/workflows/build-artifacts.yml + with: + BRANCH_REF: ${{ github.ref }} + + publish-docs: + needs: + - build-and-test-artifacts runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 
@@ -43,10 +50,12 @@ jobs: fetch-depth: 2 - name: Configure uv environment uses: ./.github/actions/setup-uv-local + with: + python-version: "3.14" - name: Setup Python ${{ env.UV_PYTHON }} and install dependencies run: | uv sync --frozen --no-dev --group docs - - name: Build docs + - name: Build documentation run: | uv run --no-sync docs build - name: Deploy 🚀 @@ -57,9 +66,7 @@ jobs: publish-to-github: needs: - - static-analysis - - tests-unit - - tests-acceptance + - build-and-test-artifacts runs-on: ubuntu-latest steps: - name: Create release in GitHub @@ -72,9 +79,7 @@ jobs: publish-to-pypi: needs: - - static-analysis - - tests-unit - - tests-acceptance + - build-and-test-artifacts runs-on: ubuntu-latest environment: name: pypi @@ -88,6 +93,8 @@ jobs: fetch-depth: 2 - name: Configure uv environment uses: ./.github/actions/setup-uv-local + with: + python-version: "3.14" - name: Setup Python ${{ env.UV_PYTHON }} and install dependencies run: | uv sync --frozen --no-dev --group release @@ -101,12 +108,14 @@ jobs: publish-to-ghcr: needs: - - static-analysis - - tests-unit - - tests-acceptance + - build-and-test-artifacts runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + - name: Configure uv environment + uses: ./.github/actions/setup-uv-local + with: + python-version: "3.14" - name: Get the version from the tag run: echo "VERSION=${GITHUB_REF/refs\/tags\/v/}" >> $GITHUB_ENV - name: Docker metadata diff --git a/.github/workflows/build-artifacts.yml b/.github/workflows/build-artifacts.yml new file mode 100644 index 000000000..b8b27ce41 --- /dev/null +++ b/.github/workflows/build-artifacts.yml 
@@ -0,0 +1,70 @@
+name: Build and Artifacts
+
+on:
+ workflow_call:
+ inputs:
+ BRANCH_REF:
+ type: string
+ required: true
+
+permissions:
+ contents: read
+
+jobs:
+ package:
+ name: Package Build & Verify
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ inputs.BRANCH_REF }}
+ fetch-depth: 2
+ - name: Configure uv environment
+ uses: ./.github/actions/setup-uv-local
+ with:
+ python-version: "3.14"
+ - name: Install dependencies
+ run: uv sync --frozen --no-dev --group release
+ - name: Build and verify the package
+ run: |
+ uv run --no-sync package build
+ uv run --no-sync package verify
+
+ docs:
+ name: Documentation Build
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ inputs.BRANCH_REF }}
+ fetch-depth: 2
+ - name: Configure uv environment
+ uses: ./.github/actions/setup-uv-local
+ with:
+ python-version: "3.14"
+ - name: Install dependencies
+ run: uv sync --frozen --no-dev --group docs
+ - name: Build documentation
+ run: uv run --no-sync docs build
+
+ smoke-tests:
+ name: Smoke Test (${{ matrix.os }}, ${{ matrix.python-version }})
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, macos-latest, windows-latest]
+ python-version: ["3.14", "3.12"]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ inputs.BRANCH_REF }}
+ fetch-depth: 2
+ - name: Configure uv environment
+ uses: ./.github/actions/setup-uv-local
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Install dependencies
+ run: uv sync --frozen --no-dev --group test
+ - name: Run smoke tests
+ run: uv run --no-sync gitlabform -V
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
deleted file mode 100644
index 916fc1dda..000000000
--- a/.github/workflows/docs.yml
+++ /dev/null
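Review bot: What `build-artifacts.yml` verifies is not tied to what the release publishes: the `package` job builds and verifies a distribution but never uploads it, and `smoke-tests` runs `gitlabform -V` from the synced source tree rather than from that built package. The publish steps of `publish-to-pypi` are only partly visible, but it does its own checkout and `uv sync --frozen --no-dev --group release`, which suggests the released files come from a second build. Uploading the distribution from `package` as a workflow artifact, having `smoke-tests` install it, and having the publish job download the same files would make the gate apply to the exact bytes that ship. If the separate build is deliberate, a comment above `package` such as `# build check only; the release job builds its own distribution` would say so.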
@@ -1,28 +0,0 @@ -name: Docs - -on: - workflow_call: - inputs: - BRANCH_REF: - type: string - required: true - -permissions: - contents: read - -jobs: - build-docs: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - - name: Setup Python ${{ env.UV_PYTHON }} and install dependencies - run: | - uv sync --frozen --no-dev --group docs - - name: Build documentation - run: | - uv run --no-sync docs build diff --git a/.github/workflows/prs.yml b/.github/workflows/prs.yml index 095457272..f1965e61c 100644 --- a/.github/workflows/prs.yml +++ b/.github/workflows/prs.yml @@ -9,13 +9,10 @@ on: jobs: - build-docs: - uses: ./.github/workflows/docs.yml - permissions: - contents: read - pull-requests: write + build-artifacts: + uses: ./.github/workflows/build-artifacts.yml with: - branch_ref: ${{ inputs.BRANCH_REF }} + BRANCH_REF: ${{ inputs.BRANCH_REF }} static-analysis: uses: ./.github/workflows/static-analysis.yml diff --git a/.github/workflows/tests-standard.yml b/.github/workflows/tests-standard.yml deleted file mode 100644 index e046240bb..000000000 --- a/.github/workflows/tests-standard.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -name: Tests standard - -on: - workflow_call: - inputs: - BRANCH_REF: - type: string - required: true - -permissions: - contents: read - -jobs: - smoke-tests: - strategy: - max-parallel: 2 - matrix: - os: [ubuntu-latest, windows-latest, macos-latest] - python-version: [ 3.14, 3.12 ] - fail-fast: true - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ inputs.BRANCH_REF }} - fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - - name: Setup Python ${{ matrix.python-version }} and install dependencies - run: | - uv sync --frozen --no-dev --group test - - name: Run smoke tests - run: | - uv run --no-sync gitlabform -V From b93d5728d1a5f1bb453311dac9e668c6dfcac937 Mon Sep 17 00:00:00 2001 From: amimas Date: Sat, 25 Apr 2026 10:03:52 -0400 Subject: [PATCH 05/10] chore(ci): apply step names consistently --- .github/workflows/_releases.yml | 9 ++++++--- .github/workflows/build-artifacts.yml | 7 ++++++- .github/workflows/static-analysis.yml | 6 ++++-- .github/workflows/tests-acceptance.yml | 10 ++++++---- .github/workflows/tests-unit.yml | 3 ++- 5 files changed, 24 insertions(+), 11 deletions(-) diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index 0734383c2..a4225d27a 100644 --- a/.github/workflows/_releases.yml +++ b/.github/workflows/_releases.yml @@ -44,7 +44,8 @@ jobs: - build-and-test-artifacts runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ github.ref }} fetch-depth: 2 @@ -87,7 +88,8 @@ jobs: permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ github.ref }} fetch-depth: 2 
@@ -111,7 +113,8 @@ jobs: - build-and-test-artifacts runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 - name: Configure uv environment uses: ./.github/actions/setup-uv-local with: diff --git a/.github/workflows/build-artifacts.yml b/.github/workflows/build-artifacts.yml index b8b27ce41..9e8db7dae 100644 --- a/.github/workflows/build-artifacts.yml +++ b/.github/workflows/build-artifacts.yml @@ -15,7 +15,12 @@ jobs: name: Package Build & Verify runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ inputs.BRANCH_REF }} fetch-depth: 2 diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 88f52fede..1dcccf315 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -14,7 +14,8 @@ jobs: lockfile-verify: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ inputs.BRANCH_REF }} - name: Configure uv environment @@ -30,7 +31,8 @@ jobs: check: [black, mypy, bandit] python-version: ["3.14", "3.12"] steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ inputs.BRANCH_REF }} fetch-depth: 2 diff --git a/.github/workflows/tests-acceptance.yml b/.github/workflows/tests-acceptance.yml index 762d7c788..c88a84730 100644 --- a/.github/workflows/tests-acceptance.yml +++ b/.github/workflows/tests-acceptance.yml 
@@ -26,13 +26,14 @@ jobs: flavor: [ce, ee] fail-fast: false steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ inputs.BRANCH_REF }} fetch-depth: 2 - name: Configure uv environment uses: ./.github/actions/setup-uv-local - - name: Setup python and install dependencies + - name: Install dependencies run: uv sync --frozen --no-dev --group test - name: Start GitLab (${{ matrix.flavor }}) in docker run: uv run --no-sync gitlab-local up --gitlab-flavor ${{ matrix.flavor }} @@ -58,13 +59,14 @@ jobs: tier: [premium, ultimate] fail-fast: false steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ inputs.BRANCH_REF }} fetch-depth: 2 - name: Configure uv environment uses: ./.github/actions/setup-uv-local - - name: Setup python and install dependencies + - name: Install dependencies run: uv sync --frozen --no-dev --group test - name: Start GitLab (${{ matrix.tier }}) in docker env: diff --git a/.github/workflows/tests-unit.yml b/.github/workflows/tests-unit.yml index 27c5b508f..42a58f895 100644 --- a/.github/workflows/tests-unit.yml +++ b/.github/workflows/tests-unit.yml @@ -21,7 +21,8 @@ jobs: matrix: python-version: ["3.14", "3.12"] steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ inputs.BRANCH_REF }} fetch-depth: 2 From 9f3690778b47abd7c089d1a064ccfcf0e6b01e2e Mon Sep 17 00:00:00 2001 
From: amimas Date: Sun, 31 May 2026 16:00:22 -0400 Subject: [PATCH 06/10] fix(ci): pass environment to acceptance workflow to preserve PR approval gating - Add environment input to tests-acceptance.yml - Use caller-provided environment for licensed acceptance jobs - Pass Integrate Pull Request from prs.yml and Main Tests from _main.yml / _releases.yml --- .github/workflows/_main.yml | 1 + .github/workflows/_releases.yml | 1 + .github/workflows/build-artifacts.yml | 4 ---- .github/workflows/prs.yml | 1 + .github/workflows/tests-acceptance.yml | 6 +++++- 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/_main.yml b/.github/workflows/_main.yml index 9a422ecfc..24a1bd775 100644 --- a/.github/workflows/_main.yml +++ b/.github/workflows/_main.yml @@ -38,4 +38,5 @@ jobs: uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ github.ref }} + environment: Main Tests secrets: inherit diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index a4225d27a..ce5166b14 100644 --- a/.github/workflows/_releases.yml +++ b/.github/workflows/_releases.yml @@ -28,6 +28,7 @@ jobs: uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ github.ref }} + environment: Main Tests secrets: inherit build-and-test-artifacts: diff --git a/.github/workflows/build-artifacts.yml b/.github/workflows/build-artifacts.yml index 9e8db7dae..6ddd87e43 100644 --- a/.github/workflows/build-artifacts.yml +++ b/.github/workflows/build-artifacts.yml @@ -15,10 +15,6 @@ jobs: name: Package Build & Verify runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v6 - - name: Checkout repository - uses: actions/checkout@v6 - name: Checkout repository uses: actions/checkout@v6 with: diff --git a/.github/workflows/prs.yml b/.github/workflows/prs.yml index f1965e61c..bb5805328 100644 --- a/.github/workflows/prs.yml +++ b/.github/workflows/prs.yml 
@@ -29,6 +29,7 @@ jobs: uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ inputs.BRANCH_REF }} + environment: Integrate Pull Request secrets: inherit analyze: diff --git a/.github/workflows/tests-acceptance.yml b/.github/workflows/tests-acceptance.yml index c88a84730..a705a295e 100644 --- a/.github/workflows/tests-acceptance.yml +++ b/.github/workflows/tests-acceptance.yml @@ -6,6 +6,10 @@ on: BRANCH_REF: type: string required: true + environment: + description: "Environment to run licensed acceptance tests in: 'Integrate Pull Request' for PRs (requires approval) or 'Main Tests' for main/release runs." + type: string + required: true secrets: GITLAB_EE_LICENSE: required: false @@ -52,7 +56,7 @@ jobs: acceptance-licensed: needs: [acceptance-standard] - environment: Main Tests + environment: ${{ inputs.environment }} runs-on: ubuntu-latest strategy: matrix: From ea973402441bc625588cb91e7fa865a8c0a93127 Mon Sep 17 00:00:00 2001 From: amimas Date: Sun, 31 May 2026 16:24:12 -0400 Subject: [PATCH 07/10] chore(ci): consolidate PR workflows into single entrypoint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Combine pull_request and pull_request_target into one PR entrypoint so same‑repo and fork PRs run with the correct event context. Remove the fork‑specific entry, rename the reusable PR workflow for clarity, update callers and docs, and validate the workflow YAML. --- .../workflows/{prs.yml => pr-ci-workflow.yml} | 0 .github/workflows/pr_on_main_repo.yml | 29 ------------------- .../{pr_on_fork.yml => prs-entrypoint.yml} | 9 ++++-- 3 files changed, 6 insertions(+), 32 deletions(-) rename .github/workflows/{prs.yml => pr-ci-workflow.yml} (100%) delete mode 100644 .github/workflows/pr_on_main_repo.yml rename .github/workflows/{pr_on_fork.yml => prs-entrypoint.yml} (62%) 
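Review bot: In `tests-acceptance.yml`, `environment: ${{ inputs.environment }}` on `acceptance-licensed` makes the approval gate depend on a free-form string from each caller. GitHub creates an environment on first reference when the name does not exist, and a newly created environment has no required reviewers. A typo or a future caller passing another name would therefore run the licensed jobs without approval, and without any error. Consider a small preceding job that fails unless the value is exactly `Integrate Pull Request` or `Main Tests`, or replace the string with a boolean input that selects between those two names. The `acceptance-licensed` job body continues outside the hunk.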
diff --git a/.github/workflows/prs.yml b/.github/workflows/pr-ci-workflow.yml similarity index 100% rename from .github/workflows/prs.yml rename to .github/workflows/pr-ci-workflow.yml diff --git a/.github/workflows/pr_on_main_repo.yml b/.github/workflows/pr_on_main_repo.yml deleted file mode 100644 index 3bbb29887..000000000 --- a/.github/workflows/pr_on_main_repo.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: Linter and tests (PRs raised on main repo) - -permissions: - actions: read - contents: read - pull-requests: write -concurrency: - group: ${{github.workflow}}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -on: - pull_request: - branches: - - main - -jobs: - pr_jobs: - # github.event.pull_request object defined here: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2026-03-10#get-a-pull-request - if: ${{ github.event.pull_request.head.repo.full_name == 'gitlabform/gitlabform' }} - uses: ./.github/workflows/prs.yml - permissions: - actions: read - contents: read - packages: read - pull-requests: write - security-events: write - with: - branch_ref: ${{ github.event.pull_request.head.sha }} - secrets: inherit \ No newline at end of file diff --git a/.github/workflows/pr_on_fork.yml b/.github/workflows/prs-entrypoint.yml similarity index 62% rename from .github/workflows/pr_on_fork.yml rename to .github/workflows/prs-entrypoint.yml index fe255d2bf..2bd102cd3 100644 --- a/.github/workflows/pr_on_fork.yml +++ b/.github/workflows/prs-entrypoint.yml @@ -1,4 +1,4 @@ -name: Linter and tests (PRs raised from Forks) +name: Linter and tests (PRs) permissions: actions: read @@ -9,6 +9,9 @@ concurrency: cancel-in-progress: true on: + pull_request: + branches: + - main pull_request_target: branches: - main 
@@ -16,8 +19,8 @@ on: jobs: pr_jobs: # github.event.pull_request object defined here: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2026-03-10#get-a-pull-request - if: ${{ github.event.pull_request.head.repo.full_name != 'gitlabform/gitlabform' }} - uses: ./.github/workflows/prs.yml + if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'gitlabform/gitlabform') || (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != 'gitlabform/gitlabform') }} + uses: ./.github/workflows/pr-ci-workflow.yml permissions: actions: read contents: read From 00c08b5db1bb0e3a4c3de426edcaf54efbbc179d Mon Sep 17 00:00:00 2001 From: amimas Date: Sun, 31 May 2026 16:43:37 -0400 Subject: [PATCH 08/10] chore(ci): shorten workflow and job display names for Actions UI Add concise top-level and job name: fields to improve readability in PR, main and release workflow UI. --- .github/workflows/_main.yml | 4 ++++ .github/workflows/_releases.yml | 8 ++++++++ .github/workflows/build-artifacts.yml | 2 +- .github/workflows/pr-ci-workflow.yml | 4 ++++ .github/workflows/prs-entrypoint.yml | 1 + .github/workflows/tests-acceptance.yml | 2 +- .github/workflows/tests-unit.yml | 2 +- 7 files changed, 20 insertions(+), 3 deletions(-) diff --git a/.github/workflows/_main.yml b/.github/workflows/_main.yml index 24a1bd775..d8311cb6e 100644 --- a/.github/workflows/_main.yml +++ b/.github/workflows/_main.yml @@ -19,22 +19,26 @@ on: jobs: build-artifacts: + name: Build uses: ./.github/workflows/build-artifacts.yml with: BRANCH_REF: ${{ github.ref }} static-analysis: + name: Lint uses: ./.github/workflows/static-analysis.yml with: BRANCH_REF: ${{ github.ref }} tests-unit: + name: Unit uses: ./.github/workflows/tests-unit.yml with: BRANCH_REF: ${{ github.ref }} secrets: inherit tests-acceptance: + name: Acceptance uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ github.ref }} 
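Review bot: The fork branch of this `if:` runs `pr-ci-workflow.yml` under `pull_request_target`, and the same job passes the PR head SHA as the branch ref with `secrets: inherit`. The called jobs therefore check out fork-controlled code, including `./.github/actions/setup-uv-local` from that checkout, and execute it in the base repository's context. Only `acceptance-licensed` sits behind an environment, so the build, lint and unit-test workflows start on fork code without approval, and the unit-test call also inherits secrets. A caller job with `uses:` cannot take `environment:` itself, so the gate would have to be a preceding job bound to the protected environment that `pr_jobs` lists under `needs:`. Also drop `secrets: inherit` from called workflows that need no secrets. The `pr_jobs` definition continues outside the hunk.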
diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index ce5166b14..389e36fc7 100644 --- a/.github/workflows/_releases.yml +++ b/.github/workflows/_releases.yml @@ -14,17 +14,20 @@ permissions: jobs: static-analysis: + name: Lint uses: ./.github/workflows/static-analysis.yml with: BRANCH_REF: ${{ github.ref }} tests-unit: + name: Unit tests uses: ./.github/workflows/tests-unit.yml with: BRANCH_REF: ${{ github.ref }} secrets: inherit tests-acceptance: + name: Acceptance tests uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ github.ref }} @@ -32,6 +35,7 @@ jobs: secrets: inherit build-and-test-artifacts: + name: Build & Test needs: - static-analysis - tests-unit @@ -41,6 +45,7 @@ jobs: BRANCH_REF: ${{ github.ref }} publish-docs: + name: Docs needs: - build-and-test-artifacts runs-on: ubuntu-latest @@ -67,6 +72,7 @@ jobs: folder: site publish-to-github: + name: Publish Release needs: - build-and-test-artifacts runs-on: ubuntu-latest @@ -80,6 +86,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} publish-to-pypi: + name: Publish PyPI needs: - build-and-test-artifacts runs-on: ubuntu-latest @@ -110,6 +117,7 @@ jobs: uv run --no-sync package publish publish-to-ghcr: + name: Publish GHCR needs: - build-and-test-artifacts runs-on: ubuntu-latest diff --git a/.github/workflows/build-artifacts.yml b/.github/workflows/build-artifacts.yml index 6ddd87e43..13381754b 100644 --- a/.github/workflows/build-artifacts.yml +++ b/.github/workflows/build-artifacts.yml @@ -1,4 +1,4 @@ -name: Build and Artifacts +name: Build and package artifacts on: workflow_call: diff --git a/.github/workflows/pr-ci-workflow.yml b/.github/workflows/pr-ci-workflow.yml index bb5805328..29a41f422 100644 --- a/.github/workflows/pr-ci-workflow.yml +++ b/.github/workflows/pr-ci-workflow.yml 
@@ -10,22 +10,26 @@ on: jobs: build-artifacts: + name: Build uses: ./.github/workflows/build-artifacts.yml with: BRANCH_REF: ${{ inputs.BRANCH_REF }} static-analysis: + name: Lint uses: ./.github/workflows/static-analysis.yml with: BRANCH_REF: ${{ inputs.BRANCH_REF }} tests-unit: + name: Unit tests uses: ./.github/workflows/tests-unit.yml with: BRANCH_REF: ${{ inputs.BRANCH_REF }} secrets: inherit tests-acceptance: + name: Acceptance tests uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ inputs.BRANCH_REF }} diff --git a/.github/workflows/prs-entrypoint.yml b/.github/workflows/prs-entrypoint.yml index 2bd102cd3..538c9bb52 100644 --- a/.github/workflows/prs-entrypoint.yml +++ b/.github/workflows/prs-entrypoint.yml @@ -18,6 +18,7 @@ on: jobs: pr_jobs: + name: PR CI # github.event.pull_request object defined here: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2026-03-10#get-a-pull-request if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'gitlabform/gitlabform') || (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != 'gitlabform/gitlabform') }} uses: ./.github/workflows/pr-ci-workflow.yml diff --git a/.github/workflows/tests-acceptance.yml b/.github/workflows/tests-acceptance.yml index a705a295e..e5f50f27a 100644 --- a/.github/workflows/tests-acceptance.yml +++ b/.github/workflows/tests-acceptance.yml @@ -1,4 +1,4 @@ -name: Tests Acceptance +name: Acceptance tests run on live GitLab instance on: workflow_call: diff --git a/.github/workflows/tests-unit.yml b/.github/workflows/tests-unit.yml index 42a58f895..b39ac9cd5 100644 --- a/.github/workflows/tests-unit.yml +++ b/.github/workflows/tests-unit.yml @@ -1,4 +1,4 @@ -name: Tests Unit +name: Unit tests on: workflow_call: From ccb764966a034ad60c31f466be8ee687c298aab6 Mon Sep 17 00:00:00 2001 
From: amimas Date: Sat, 6 Jun 2026 10:21:58 -0400 Subject: [PATCH 09/10] fix(ci): apply post-reorg fixes and incorporate main branch fixes - Fix BRANCH_REF casing in prs-entrypoint.yml (lowercase branch_ref would silently be ignored, breaking all PR pipeline runs) - Simplify static-analysis linting matrix: remove redundant python-version axis for black/mypy/bandit (style/security checks are version-agnostic) - Add publish-to-pypi as a dependency of publish-to-ghcr in _releases.yml, aligning with main branch fix (f03b75f) - Remove redundant 'Configure uv environment' step from publish-to-ghcr, aligning with main branch simplification (f03b75f) - Add TODO comments in publish-to-pypi and publish-to-ghcr to track consuming built package artifacts (package-dist) in a follow-up PR - Rename build-artifacts.yml -> build.yml and tests-unit.yml -> tests.yml and update all callers across _main.yml, _releases.yml, pr-ci-workflow.yml --- .github/workflows/_main.yml | 10 +++--- .github/workflows/_releases.yml | 32 ++++++++----------- .../{build-artifacts.yml => build.yml} | 18 +++++++++-- .github/workflows/pr-ci-workflow.yml | 10 +++--- .github/workflows/prs-entrypoint.yml | 2 +- .github/workflows/static-analysis.yml | 7 ++-- .../workflows/{tests-unit.yml => tests.yml} | 6 ++-- 7 files changed, 49 insertions(+), 36 deletions(-) rename .github/workflows/{build-artifacts.yml => build.yml} (80%) rename .github/workflows/{tests-unit.yml => tests.yml} (88%) diff --git a/.github/workflows/_main.yml b/.github/workflows/_main.yml index d8311cb6e..ef918752d 100644 --- a/.github/workflows/_main.yml +++ b/.github/workflows/_main.yml @@ -18,9 +18,9 @@ on: jobs: - build-artifacts: + build: name: Build - uses: ./.github/workflows/build-artifacts.yml + uses: ./.github/workflows/build.yml with: BRANCH_REF: ${{ github.ref }} 
@@ -30,9 +30,9 @@ jobs: with: BRANCH_REF: ${{ github.ref }} - tests-unit: - name: Unit - uses: ./.github/workflows/tests-unit.yml + tests: + name: Tests + uses: ./.github/workflows/tests.yml with: BRANCH_REF: ${{ github.ref }} secrets: inherit diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index 389e36fc7..92da0ec76 100644 --- a/.github/workflows/_releases.yml +++ b/.github/workflows/_releases.yml @@ -19,9 +19,9 @@ jobs: with: BRANCH_REF: ${{ github.ref }} - tests-unit: - name: Unit tests - uses: ./.github/workflows/tests-unit.yml + tests: + name: Tests + uses: ./.github/workflows/tests.yml with: BRANCH_REF: ${{ github.ref }} secrets: inherit @@ -38,9 +38,9 @@ jobs: name: Build & Test needs: - static-analysis - - tests-unit + - tests - tests-acceptance - uses: ./.github/workflows/build-artifacts.yml + uses: ./.github/workflows/build.yml with: BRANCH_REF: ${{ github.ref }} @@ -55,16 +55,11 @@ jobs: with: ref: ${{ github.ref }} fetch-depth: 2 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local + - name: Download built documentation + uses: actions/download-artifact@v4 with: - python-version: "3.14" - - name: Setup Python ${{ env.UV_PYTHON }} and install dependencies - run: | - uv sync --frozen --no-dev --group docs - - name: Build documentation - run: | - uv run --no-sync docs build + name: docs-site + path: site - name: Deploy 🚀 uses: JamesIves/github-pages-deploy-action@v4.8.0 with: @@ -108,6 +103,8 @@ jobs: - name: Setup Python ${{ env.UV_PYTHON }} and install dependencies run: | uv sync --frozen --no-dev --group release + # TODO: In a separate PR, consume the build artifact (package-dist) uploaded + # in build-and-test-artifacts instead of rebuilding and verifying the package here. - name: Build and verify the package run: | uv run --no-sync package build 
@@ -120,14 +117,13 @@ jobs: name: Publish GHCR needs: - build-and-test-artifacts + - publish-to-pypi runs-on: ubuntu-latest steps: + # TODO: In a separate PR, optimize docker image build to consume the built package artifact + # (package-dist) instead of copying and rebuilding from source if applicable. - name: Checkout repository uses: actions/checkout@v6 - - name: Configure uv environment - uses: ./.github/actions/setup-uv-local - with: - python-version: "3.14" - name: Get the version from the tag run: echo "VERSION=${GITHUB_REF/refs\/tags\/v/}" >> $GITHUB_ENV - name: Docker metadata diff --git a/.github/workflows/build-artifacts.yml b/.github/workflows/build.yml similarity index 80% rename from .github/workflows/build-artifacts.yml rename to .github/workflows/build.yml index 13381754b..dbadbd2d0 100644 --- a/.github/workflows/build-artifacts.yml +++ b/.github/workflows/build.yml @@ -30,12 +30,19 @@ jobs: run: | uv run --no-sync package build uv run --no-sync package verify + - name: Upload package distribution + uses: actions/upload-artifact@v4 + with: + name: package-dist + path: dist/* docs: name: Documentation Build runs-on: ubuntu-latest + needs: package steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ inputs.BRANCH_REF }} fetch-depth: 2 @@ -47,6 +54,11 @@ jobs: run: uv sync --frozen --no-dev --group docs - name: Build documentation run: uv run --no-sync docs build + - name: Upload docs site + uses: actions/upload-artifact@v4 + with: + name: docs-site + path: site smoke-tests: name: Smoke Test (${{ matrix.os }}, ${{ matrix.python-version }}) @@ -55,9 +67,11 @@ jobs: matrix: os: [ubuntu-latest, macos-latest, windows-latest] python-version: ["3.14", "3.12"] + needs: package runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@v6 with: ref: ${{ inputs.BRANCH_REF }} fetch-depth: 2 
diff --git a/.github/workflows/pr-ci-workflow.yml b/.github/workflows/pr-ci-workflow.yml index 29a41f422..42ed6ae69 100644 --- a/.github/workflows/pr-ci-workflow.yml +++ b/.github/workflows/pr-ci-workflow.yml @@ -9,9 +9,9 @@ on: jobs: - build-artifacts: + build: name: Build - uses: ./.github/workflows/build-artifacts.yml + uses: ./.github/workflows/build.yml with: BRANCH_REF: ${{ inputs.BRANCH_REF }} @@ -21,9 +21,9 @@ jobs: with: BRANCH_REF: ${{ inputs.BRANCH_REF }} - tests-unit: - name: Unit tests - uses: ./.github/workflows/tests-unit.yml + tests: + name: Tests + uses: ./.github/workflows/tests.yml with: BRANCH_REF: ${{ inputs.BRANCH_REF }} secrets: inherit diff --git a/.github/workflows/prs-entrypoint.yml b/.github/workflows/prs-entrypoint.yml index 538c9bb52..049aa4a58 100644 --- a/.github/workflows/prs-entrypoint.yml +++ b/.github/workflows/prs-entrypoint.yml @@ -29,5 +29,5 @@ jobs: pull-requests: write security-events: write with: - branch_ref: ${{ github.event.pull_request.head.sha }} + BRANCH_REF: ${{ github.event.pull_request.head.sha }} secrets: inherit \ No newline at end of file diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 1dcccf315..4f0e331fa 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -10,6 +10,10 @@ on: permissions: contents: read +# This workflow currently covers lockfile verification plus lint-style checks. +# Bandit is treated here as a lightweight quality/security guardrail, not a full +# security scanning pipeline. Future security-only workflows can be introduced +# once heavier security tooling is needed. jobs: lockfile-verify: runs-on: ubuntu-latest @@ -29,7 +33,6 @@ jobs: fail-fast: false matrix: check: [black, mypy, bandit] - python-version: ["3.14", "3.12"] steps: - name: Checkout repository uses: actions/checkout@v6 
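Review bot: In `static-analysis.yml`, removing `python-version` from the `linting` matrix also removes it for `mypy`, whose results depend on the interpreter version it targets, which is less true of `black` and `bandit`. The smoke and unit jobs still cover both 3.14 and 3.12, so a type error specific to the non-default version would now pass lint. Either keep the axis for the `mypy` entry only, or record the limitation next to the matrix with a comment such as `# mypy checks only the setup-uv-local default interpreter`. The `steps:` list of this job continues in the next hunk.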
@@ -38,8 +41,6 @@ jobs: fetch-depth: 2 - name: Configure uv environment uses: ./.github/actions/setup-uv-local - with: - python-version: ${{ matrix.python-version }} - name: Install dependencies run: uv sync --frozen --no-dev --group lint - name: Run ${{ matrix.check }} diff --git a/.github/workflows/tests-unit.yml b/.github/workflows/tests.yml similarity index 88% rename from .github/workflows/tests-unit.yml rename to .github/workflows/tests.yml index b39ac9cd5..af202cab4 100644 --- a/.github/workflows/tests-unit.yml +++ b/.github/workflows/tests.yml @@ -1,4 +1,5 @@ -name: Unit tests +name: Tests +# This workflow is the canonical tests domain. Add future test jobs (integration, component, regression) here. on: workflow_call: @@ -14,7 +15,8 @@ permissions: contents: read jobs: - unit-tests: + unit: + name: Unit tests runs-on: ubuntu-latest strategy: fail-fast: false From 9c4623e43efaeff81a10592ad1e18be5e13d3c2d Mon Sep 17 00:00:00 2001 From: amimas Date: Sat, 6 Jun 2026 11:00:09 -0400 Subject: [PATCH 10/10] refactor: update names for individual jobs for clarity --- .github/workflows/_main.yml | 2 +- .github/workflows/_releases.yml | 2 +- .github/workflows/build.yml | 6 +++--- .github/workflows/pr-ci-workflow.yml | 2 +- .github/workflows/prs-entrypoint.yml | 2 +- .github/workflows/static-analysis.yml | 2 ++ .github/workflows/tests-acceptance.yml | 4 +++- .github/workflows/tests.yml | 2 +- 8 files changed, 13 insertions(+), 9 deletions(-) diff --git a/.github/workflows/_main.yml b/.github/workflows/_main.yml index ef918752d..d36d8a077 100644 --- a/.github/workflows/_main.yml +++ b/.github/workflows/_main.yml @@ -38,7 +38,7 @@ jobs: secrets: inherit tests-acceptance: - name: Acceptance + name: Acceptance Tests uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ github.ref }} diff --git a/.github/workflows/_releases.yml b/.github/workflows/_releases.yml index 92da0ec76..179d7a9b4 100644 --- a/.github/workflows/_releases.yml 
+++ b/.github/workflows/_releases.yml @@ -27,7 +27,7 @@ jobs: secrets: inherit tests-acceptance: - name: Acceptance tests + name: Acceptance Tests uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ github.ref }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dbadbd2d0..ac2fdd8e3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,7 +12,7 @@ permissions: jobs: package: - name: Package Build & Verify + name: Package runs-on: ubuntu-latest steps: - name: Checkout repository @@ -37,7 +37,7 @@ jobs: path: dist/* docs: - name: Documentation Build + name: Docs runs-on: ubuntu-latest needs: package steps: @@ -61,7 +61,7 @@ jobs: path: site smoke-tests: - name: Smoke Test (${{ matrix.os }}, ${{ matrix.python-version }}) + name: "Smoke (${{ matrix.os == 'ubuntu-latest' && 'Linux' || matrix.os == 'macos-latest' && 'macOS' || 'Windows' }}, ${{ matrix.python-version }})" strategy: fail-fast: false matrix: diff --git a/.github/workflows/pr-ci-workflow.yml b/.github/workflows/pr-ci-workflow.yml index 42ed6ae69..454eb9190 100644 --- a/.github/workflows/pr-ci-workflow.yml +++ b/.github/workflows/pr-ci-workflow.yml @@ -29,7 +29,7 @@ jobs: secrets: inherit tests-acceptance: - name: Acceptance tests + name: Acceptance Tests uses: ./.github/workflows/tests-acceptance.yml with: BRANCH_REF: ${{ inputs.BRANCH_REF }} diff --git a/.github/workflows/prs-entrypoint.yml b/.github/workflows/prs-entrypoint.yml index 049aa4a58..2bf22e722 100644 --- a/.github/workflows/prs-entrypoint.yml +++ b/.github/workflows/prs-entrypoint.yml @@ -1,4 +1,4 @@ -name: Linter and tests (PRs) +name: PR CI permissions: actions: read diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 4f0e331fa..6c346402d 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml 
@@ -16,6 +16,7 @@ permissions: # once heavier security tooling is needed. jobs: lockfile-verify: + name: Lockfile runs-on: ubuntu-latest steps: - name: Checkout repository @@ -28,6 +29,7 @@ jobs: run: uv lock --check linting: + name: "${{ matrix.check == 'black' && 'Black' || matrix.check == 'mypy' && 'Mypy' || 'Bandit' }}" runs-on: ubuntu-latest strategy: fail-fast: false diff --git a/.github/workflows/tests-acceptance.yml b/.github/workflows/tests-acceptance.yml index e5f50f27a..6b7f00b3f 100644 --- a/.github/workflows/tests-acceptance.yml +++ b/.github/workflows/tests-acceptance.yml @@ -1,4 +1,4 @@ -name: Acceptance tests run on live GitLab instance +name: Acceptance Tests on: workflow_call: @@ -24,6 +24,7 @@ permissions: jobs: acceptance-standard: + name: "GitLab ${{ matrix.flavor == 'ce' && 'CE' || 'EE' }}" runs-on: ubuntu-latest strategy: matrix: @@ -55,6 +56,7 @@ jobs: attempt_delay: 10000 acceptance-licensed: + name: "GitLab ${{ matrix.tier == 'premium' && 'Premium' || 'Ultimate' }}" needs: [acceptance-standard] environment: ${{ inputs.environment }} runs-on: ubuntu-latest diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index af202cab4..625612280 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -16,7 +16,7 @@ permissions: jobs: unit: - name: Unit tests + name: "Unit (${{ matrix.python-version }})" runs-on: ubuntu-latest strategy: fail-fast: false