Refactor README into Supabase/Vercel CLI house style #118
Workflow file for this run
```yaml
name: CI

on:
  pull_request:
    branches: [main]
    types: [opened, reopened, ready_for_review]
  push:

# Least privilege: CI only needs to read the repo. Actions are pinned to commit
# SHAs (a moved tag can't silently change what runs); Dependabot keeps them current.
permissions:
  contents: read

jobs:
  check:
    name: lint + typecheck + tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false # no job pushes; don't leave the token in .git/config
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      # PortAudio backs sounddevice; ffmpeg decodes non-WAV/URL audio (the `--sample`
      # stream tests build a FileSource for the hosted sample, which needs ffmpeg).
      - name: System deps (PortAudio + ffmpeg)
        run: sudo apt-get update && sudo apt-get install -y libportaudio2 ffmpeg
      # check.sh lints Markdown via the markdownlint CLI (a Node tool); pin to the
      # version used locally. The runner ships Node, so a global npm install suffices.
      - name: markdownlint CLI
        run: npm install -g markdownlint-cli@0.45.0
      # check.sh runs every tool through `uv run` / `uv build` for a locked,
      # reproducible env, so only uv must be on PATH (installed from PyPI to match
      # the repo's pip-based, no-new-action posture). `uv run` itself syncs the
      # project + dev group into .venv, so no `pip install -e .` is needed here.
      - name: Install
        run: python -m pip install uv
      - name: Lint, typecheck, test
        run: ./scripts/check.sh

  pre-commit:
    name: pre-commit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false # no job pushes; don't leave the token in .git/config
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      # PortAudio backs sounddevice; ffmpeg decodes the `--sample` stream source.
      - name: System deps (PortAudio + ffmpeg)
        run: sudo apt-get update && sudo apt-get install -y libportaudio2 ffmpeg
      # The local pytest hook runs `python -m pytest`, so the package + dev group
      # must be importable. `pip install --group` needs pip >= 25.1, so upgrade first.
      - name: Install
        run: |
          python -m pip install --upgrade pip
          python -m pip install -e . --group dev
      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

  build:
    name: build + twine check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false # no job pushes; don't leave the token in .git/config
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      - name: Build wheel + sdist
        run: |
          python -m pip install build twine
          python -m build
      - name: Validate metadata
        run: twine check dist/*

  audit:
    name: pip-audit (dependency CVEs)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false # no job pushes; don't leave the token in .git/config
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      - name: Audit runtime dependencies for known CVEs
        run: |
          # Keep build tooling current first: pip-audit scans the whole environment,
          # so a pip/setuptools advisory that a one-line upgrade fixes would otherwise
          # fail the gate on something that isn't one of our runtime dependencies.
          python -m pip install --upgrade pip setuptools
          python -m pip install -e . pip-audit
          # Append `--ignore-vuln <ID>` to accept an unfixable transitive advisory.
          python -m pip_audit

  install-smoke:
    name: install.sh real install (${{ matrix.os }})
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            kfilter: "" # both branches: pipx + pip --user
          - os: macos-latest
            kfilter: "-k pipx" # pipx only — PEP 668 makes pip --user flaky on macOS
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false # no job pushes; don't leave the token in .git/config
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"
          cache: pip
      # `aai version` imports the package, which pulls in sounddevice (needs
      # PortAudio) and ffmpeg-backed sources. Match the other jobs' system deps.
      - name: System deps (Linux)
        if: runner.os == 'Linux'
        run: sudo apt-get update && sudo apt-get install -y libportaudio2 ffmpeg
      - name: System deps (macOS)
        if: runner.os == 'macOS'
        run: brew install portaudio ffmpeg
      # Use the system interpreter (no virtualenv) so install.sh's `pip --user`
      # branch is allowed. Editable install makes `aai_cli` importable for the
      # test's __version__ check; uv builds the wheel; pipx drives the pipx branch.
      - name: Tooling
        run: |
          python -m pip install --upgrade pip # need pip >= 25.1 for --group
          python -m pip install -e . --group dev uv pipx
      - name: Real install smoke
        run: python -m pytest -q -m install_script ${{ matrix.kfilter }}
```
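The three hardening choices the workflow comments call out (a top-level `permissions` block, actions pinned to full commit SHAs, and `persist-credentials: false` on every checkout) can be enforced with a small lint. This is an added example, not code from this repository: `audit_workflow`, the sample workflow and its placeholder SHAs are constructed for illustration, and it matches lines rather than parsing YAML.

```python
import re

# Constructed sample: no permissions block, one tag-only action, and one
# checkout that keeps its token. The 40-hex SHAs are placeholders.
SAMPLE = """\
name: CI
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v0.0.0
        with:
          persist-credentials: false
      - uses: actions/setup-python@v6
      - uses: actions/checkout@89abcdef0123456789abcdef0123456789abcdef # v0.0.0
      - run: ./scripts/check.sh
"""

USES = re.compile(r"^(\s*)-\s+uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
NO_PERSIST = re.compile(r"\s*persist-credentials:\s*false\b")

def audit_workflow(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    lines = text.splitlines()
    findings = []
    # Only the top-level block is checked, matching the workflow on this page.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append((0, "no top-level permissions block"))
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        indent, ref = len(m.group(1)), m.group(2)
        if ref.startswith(("./", "docker://")):
            continue  # local and container refs are out of scope here
        action, _, rev = ref.partition("@")
        if not FULL_SHA.match(rev):
            findings.append((i + 1, f"{action} is not pinned to a commit SHA"))
        if action == "actions/checkout":
            # The step body is every following line indented deeper than its "-".
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt)
            if not any(NO_PERSIST.match(b) for b in body):
                findings.append((i + 1, "checkout leaves the token in .git/config"))
    return findings
```

Run over each file in `.github/workflows/`, a non-empty result can fail a pre-commit hook or a CI step.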