ci: add test workflow for PRs and main branch pushes#5
Conversation
Runs ruff lint and pytest across Python 3.10–3.13 on every push to main and every pull request. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v5 | ||
| with: | ||
| enable-cache: true |
There was a problem hiding this comment.
nit: the existing publish.yml in this repo pins all third-party actions to commit SHAs with a trailing version comment (e.g. actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6). This workflow uses mutable tag refs (@v4, @v5) instead, which breaks that convention and re-introduces the supply-chain risk that SHA-pinning is intended to mitigate (a compromised tag could push code into CI). Consider pinning to SHAs here too for consistency. (not blocking)
| cancel-in-progress: true | ||
|
|
||
| jobs: |
There was a problem hiding this comment.
nit: no top-level permissions: block. The default GITHUB_TOKEN permissions can be broader than this job needs (it only checks out code and runs tests). The sibling publish.yml sets permissions: contents: read at the workflow level — worth doing the same here to follow least-privilege. (not blocking)
| cancel-in-progress: true | |
| jobs: | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read |
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| python-version: ["3.10", "3.11", "3.12", "3.13"] |
There was a problem hiding this comment.
super nit: pyproject.toml lists Programming Language :: Python :: 3.14 in its classifiers, but 3.14 isn't in the test matrix. Either add "3.14" here or drop the 3.14 classifier so the supported-versions story stays consistent. (not blocking)
Address review nits from #5: - Pin actions/checkout and astral-sh/setup-uv to commit SHAs (consistent with publish.yml, eliminates mutable-tag supply-chain risk) - Add top-level permissions: contents: read (least privilege, matches publish.yml) - Add Python 3.14 to test matrix (matches pyproject.toml classifiers) Co-authored-by: Eddie A Tejeda <669988+eddietejeda@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 participant
Summary
.github/workflows/ci.ymlto run tests on every push tomainand every pull requestruff checkfor lint andpytest -vfor the test suiteTest plan
🤖 Generated with Claude Code