From c950aa977de9604b5185eddb4392b5ae227734f3 Mon Sep 17 00:00:00 2001
From: Yuval Shlomo Dekel <Yuval.Shlomo.Dekel@ibm.com>
Date: Mon, 16 Mar 2026 11:57:17 +0200
Subject: [PATCH] Enhance GH workflow

---
 .github/workflows/ci.yml             | 111 +++++++++++++++++++++++++++
 .github/workflows/create-release.yml |   7 +-
 .github/workflows/publish.yaml       |  12 +++
 .gitignore                           |   1 +
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/ci.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..964b86f
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,111 @@
+name: CI Tests
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  test:
+    name: Test Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+      
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+      
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install -r requirements-dev.txt
+      
+      - name: Run linting
+        run: |
+          pylint ibm_secrets_manager_sdk --rcfile=.pylintrc || true
+      
+      - name: Run unit tests
+        run: |
+          pytest test/unit/ -v --tb=short
+      
+      - name: Run integration tests
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        env:
+          SECRETS_MANAGER_URL: ${{ secrets.SECRETS_MANAGER_URL }}
+          SECRETS_MANAGER_APIKEY: ${{ secrets.SECRETS_MANAGER_APIKEY }}
+        run: |
+          pytest test/integration/ -v --tb=short || echo "Integration tests skipped or failed"
+  
+  lint:
+    name: Code Quality Checks
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+      
+      - name: Set up Python 3.9
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.9
+          cache: 'pip'
+      
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements-dev.txt
+      
+      - name: Check code formatting
+        run: |
+          pip install black
+          black --check ibm_secrets_manager_sdk/ test/ || echo "Code formatting check completed"
+      
+      - name: Run pylint
+        run: |
+          pylint ibm_secrets_manager_sdk --rcfile=.pylintrc --exit-zero
+  
+  build:
+    name: Build Distribution
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+      
+      - name: Set up Python 3.9
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.9
+      
+      - name: Install build dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install "setuptools<82" build wheel
+      
+      - name: Build distribution
+        run: |
+          python -m build --no-isolation --sdist --wheel --outdir dist/ .
+      
+      - name: Check distribution
+        run: |
+          pip install twine
+          twine check dist/*
+      
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+          retention-days: 7
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 270d0b3..2172b56 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -5,10 +5,15 @@ on:
   push:
     branches:
       - main
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
 jobs:
   release:
     runs-on: ubuntu-latest
-    permissions: 
+    permissions:
       contents: write
     steps:
       - name: Checkout code
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index a6bea58..6b92da5 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -1,6 +1,11 @@
 name: publish artifact
 on:
   workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Release tag to publish (leave empty for latest)'
+        required: false
+        type: string
   release:
     types: [published]
 
@@ -13,18 +18,25 @@ jobs:
       - uses: actions/checkout@v6
         with:
           token: ${{ secrets.ADMIN_TOKEN }}
+          ref: ${{ inputs.release_tag || github.ref }}
+      
       - name: Set up Python 3.9
         uses: actions/setup-python@v6
         with:
           python-version: 3.9
+      
       - name: Install build dependencies with pinned setuptools
         run: |
           python -m pip install --upgrade pip
           python -m pip install "setuptools<82" build wheel --user
+      
       - name: Build a binary wheel and a source tarball
         run: |
           python -m build --no-isolation --sdist --wheel --outdir dist/ .
+      
       - name: Publish distribution to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           password: ${{ secrets.PYPI_API_TOKEN }}
+          skip-existing: true
+        timeout-minutes: 10
diff --git a/.gitignore b/.gitignore
index 972aaba..f356a00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,6 +26,7 @@ share/python-wheels/
 .installed.cfg
 *.egg
 MANIFEST
+**DS_STORE
 
 # PyInstaller
 #  Usually these files are written by a python script from a template