From 34dc0c240cdd8d99fa5411fc16b53436abc1f30e Mon Sep 17 00:00:00 2001 From: Nano Taboada Date: Sat, 11 Apr 2026 20:38:17 -0300 Subject: [PATCH 1/2] ci(cd): normalize and align CD pipeline (#564) - Extract test job from release so tests run before any publish step - Add enable-cache: true to astral-sh/setup-uv for faster installs - Add id-token: write and attestations: write to release permissions - Set provenance: mode=max - Add id: push and actions/attest-build-provenance@v4.1.0 - Add --no-merges to changelog git log command - Normalize first-release message to "No changes (first release)" - Remove changelog.txt write step Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/python-cd.yml | 68 ++++++++++++++++++++------------- CHANGELOG.md | 9 +++++ 2 files changed, 51 insertions(+), 26 deletions(-) diff --git a/.github/workflows/python-cd.yml b/.github/workflows/python-cd.yml index 78658c4..7c6c7ea 100644 --- a/.github/workflows/python-cd.yml +++ b/.github/workflows/python-cd.yml @@ -13,11 +13,42 @@ env: PACKAGE_NAME: nanotaboada/python-samples-fastapi-restful jobs: + test: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v6 + + - name: Set up Python + uses: actions/setup-python@v6.2.0 + with: + python-version-file: ${{ env.PYTHON_VERSION_FILE }} + + - name: Set up uv + uses: astral-sh/setup-uv@v8.0.0 + with: + version: "latest" + enable-cache: true + + - name: Install test dependencies + run: | + uv venv + uv pip install --group dev + + - name: Run tests with pytest + run: | + uv run pytest --cov=./ --cov-report=xml --cov-report=term -v + release: + needs: test runs-on: ubuntu-latest permissions: contents: write packages: write + id-token: write + attestations: write steps: - name: Checkout repository uses: actions/checkout@v6 
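Review bot: Every `uses:` in the new `test` job and in `release` is a mutable tag (`actions/checkout@v6`, `actions/setup-python@v6.2.0`, `astral-sh/setup-uv@v8.0.0`), while this same hunk grants `release` `id-token: write`, `packages: write` and `attestations: write`, so a retagged or compromised action release could mint an OIDC token in this repository's name and push or attest images before any test runs. Pin each action to its full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<40-char-sha> # v6`, so Dependabot/Renovate bump the SHA and comment together. `version: "latest"` on setup-uv has the same reproducibility problem in a release pipeline; pin it to the uv version the project is tested against. The `release` job's remaining steps lie beyond the end of this hunk.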
@@ -74,25 +105,6 @@ jobs: echo "📦 Release version: $SEMVER" echo "♟️ Coach name: $COACH" - - name: Set up Python - uses: actions/setup-python@v6.2.0 - with: - python-version-file: ${{ env.PYTHON_VERSION_FILE }} - - - name: Set up uv - uses: astral-sh/setup-uv@v8.0.0 - with: - version: "latest" - - - name: Install test dependencies - run: | - uv venv - uv pip install --group dev - - - name: Run tests with pytest - run: | - uv run pytest --cov=./ --cov-report=xml --cov-report=term -v - - name: Log in to GitHub Container Registry uses: docker/login-action@v4.1.0 with: @@ -104,12 +116,13 @@ jobs: uses: docker/setup-buildx-action@v4.0.0 - name: Build and push Docker image to GitHub Container Registry + id: push uses: docker/build-push-action@v7.0.0 with: context: . push: true platforms: linux/amd64,linux/arm64 - provenance: false + provenance: mode=max cache-from: type=gha cache-to: type=gha,mode=max tags: | @@ -117,6 +130,13 @@ jobs: ghcr.io/${{ env.PACKAGE_NAME }}:${{ steps.version.outputs.coach }} ghcr.io/${{ env.PACKAGE_NAME }}:latest + - name: Attest build provenance + uses: actions/attest-build-provenance@v4.1.0 + with: + subject-name: ghcr.io/${{ env.PACKAGE_NAME }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + - name: Generate changelog id: changelog run: | @@ -125,10 +145,10 @@ jobs: if [ -z "$PREVIOUS_TAG" ]; then echo "📝 First release - no previous tag found" - CHANGELOG="Initial release" + CHANGELOG="No changes (first release)" else echo "📝 Generating changelog from $PREVIOUS_TAG to ${{ steps.version.outputs.tag_name }}" - CHANGELOG=$(git log --pretty=format:"- %s (%h)" ${PREVIOUS_TAG}..${{ steps.version.outputs.tag_name }}) + CHANGELOG=$(git log --pretty=format:"- %s (%h)" --no-merges ${PREVIOUS_TAG}..${{ steps.version.outputs.tag_name }}) # Guard against empty changelog (e.g., re-tagging same commit) if [ -z "$CHANGELOG" ]; then 
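Review bot: Switching to `provenance: mode=max` makes BuildKit record the full build configuration — the Dockerfile and any `build-args` — in an unsigned in-toto attestation pushed next to the image index, so this step must never receive secrets through `build-args` (BuildKit `secrets:` is the right channel); the step passes none today, so this is a guard for future edits. Add a comment above the key: `# mode=max embeds the Dockerfile and build-args in the (unsigned) BuildKit provenance — never pass secrets as build-args`. The new `id: push` exposes `outputs.digest`, which for a multi-platform push is the index digest and is the right subject for the attestation step that follows.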
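Review bot: The attestation is produced only after `push: true` has already published the version, coach and `latest` tags, so a failure in `actions/attest-build-provenance` fails the job but leaves an unattested image live under those tags with no rollback; the only real guard is a consumer-side check, so the release notes should tell users to run `gh attestation verify oci://ghcr.io/nanotaboada/python-samples-fastapi-restful@<digest> --owner nanotaboada`. A comment would also help the next maintainer distinguish the two provenance artefacts this job now emits: `# BuildKit provenance (mode=max above) is unsigned metadata in the image index; this step adds the Sigstore-signed SLSA attestation that gh attestation verify checks`. `subject-name` correctly carries the bare image name without a tag, which is what the action expects.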
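Review bot: The rewritten `git log` line still has `${{ steps.version.outputs.tag_name }}` expanded by the workflow engine directly into shell source (the `echo` above it does the same), so whatever the `version` step can emit becomes part of the command; if `version` derives the tag from the pushed ref this is the repository's own tag, but the safe idiom costs nothing. Move the value into `env:` on the step (`TAG_NAME: ${{ steps.version.outputs.tag_name }}`) and quote the range, `"${PREVIOUS_TAG}..${TAG_NAME}"`, which also survives tags containing shell-special characters. The commit subjects collected by `%s` are untrusted text that later lands in the release body through a heredoc; that part of the step continues beyond this hunk, and the heredoc delimiter should be something a commit subject is unlikely to reproduce.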
@@ -136,10 +156,6 @@ jobs: fi fi - # Write changelog to file - echo "$CHANGELOG" > changelog.txt - cat changelog.txt - # Set output for use in release body { echo "changelog< Date: Sat, 11 Apr 2026 21:17:02 -0300 Subject: [PATCH 2/2] ci(cd): drop coverage flags from CD test job (#564) CD only needs a pass/fail signal; coverage reporting belongs in CI. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/python-cd.yml | 2 +- CHANGELOG.md | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/python-cd.yml b/.github/workflows/python-cd.yml index 7c6c7ea..54ce62e 100644 --- a/.github/workflows/python-cd.yml +++ b/.github/workflows/python-cd.yml @@ -39,7 +39,7 @@ jobs: - name: Run tests with pytest run: | - uv run pytest --cov=./ --cov-report=xml --cov-report=term -v + uv run pytest -v release: needs: test diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c7e7dd..f44c79d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -45,13 +45,13 @@ This project uses famous football coaches as release codenames, following an A-Z ### Added - Extract `test` job from `release` in CD pipeline so tests run in isolation - before any publish step; add `enable-cache: true` to `astral-sh/setup-uv` - for faster dependency installs; add `id-token: write` and - `attestations: write` permissions to `release`; set `provenance: mode=max` - and attest the image digest with `actions/attest-build-provenance@v4.1.0` - (`push-to-registry: true`); add `--no-merges` to the changelog `git log` - command; normalize first-release message to - `"No changes (first release)"` (#564) + before any publish step; run `pytest -v` only (no coverage — CI owns that); + add `enable-cache: true` to `astral-sh/setup-uv` for faster dependency + installs; add `id-token: write` and `attestations: write` permissions to + `release`; set `provenance: mode=max` and attest the image digest with + `actions/attest-build-provenance@v4.1.0` (`push-to-registry: true`); add + `--no-merges` to the changelog `git log` command; normalize first-release + message to `"No changes (first release)"` (#564) - `alembic/`: Alembic migration support for async SQLAlchemy — `env.py` configured for async execution with `render_as_batch=True` (SQLite/PostgreSQL