feat(auth): browser-based Stytch OAuth login + environment switching #40
Workflow file for this run
```yaml
name: CI
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
# Least privilege: CI only needs to read the repo. Actions are pinned to commit
# SHAs (a moved tag can't silently change what runs); Dependabot keeps them current.
permissions:
  contents: read
jobs:
  check:
    name: lint + typecheck + tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      # PortAudio backs sounddevice; ffmpeg decodes non-WAV/URL audio (the `--sample`
      # stream tests build a FileSource for the hosted sample, which needs ffmpeg).
      - name: System deps (PortAudio + ffmpeg)
        run: sudo apt-get update && sudo apt-get install -y libportaudio2 ffmpeg
      # check.sh lints Markdown via the markdownlint CLI (a Node tool); pin to the
      # version used locally. The runner ships Node, so a global npm install suffices.
      - name: markdownlint CLI
        run: npm install -g markdownlint-cli@0.45.0
      # check.sh runs every tool through `uv run` / `uv build` for a locked,
      # reproducible env, so uv must be on PATH (installed from PyPI to match the
      # repo's pip-based, no-new-action posture).
      - name: Install
        run: python -m pip install -e ".[dev]" uv
      - name: Lint, typecheck, test
        run: ./scripts/check.sh
  pre-commit:
    name: pre-commit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      # PortAudio backs sounddevice; ffmpeg decodes the `--sample` stream source.
      - name: System deps (PortAudio + ffmpeg)
        run: sudo apt-get update && sudo apt-get install -y libportaudio2 ffmpeg
      # The local pytest hook runs `python -m pytest`, so the package must be importable.
      - name: Install
        run: python -m pip install -e ".[dev]"
      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
  build:
    name: build + twine check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      - name: Build wheel + sdist
        run: |
          python -m pip install build twine
          python -m build
      - name: Validate metadata
        run: twine check dist/*
  audit:
    name: pip-audit (dependency CVEs)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      - name: Audit runtime dependencies for known CVEs
        run: |
          python -m pip install -e . pip-audit
          # Append `--ignore-vuln <ID>` to accept an unfixable transitive advisory.
          python -m pip_audit
```