Summary
Improve the CD pipeline: extract a dedicated test gate before deployment, add uv dependency caching, enable build provenance attestation, and tighten changelog generation.
Changes
Structure
- Extract a dedicated `test` job (currently tests run inside `release`)
- Add `needs: test` to `release` job
- Add `id-token: write` and `attestations: write` permissions to `release` job
Test job steps
- Checkout repository
- Set up Python
- Set up uv: add `enable-cache: true` (dependency caching missing in CD, present in CI)
- Install test dependencies
- Run tests with pytest
Release job
- Set `provenance: false` → `provenance: mode=max`
- Add `actions/attest-build-provenance@v4.1.0` step after image push with `push-to-registry: true`
- Add `--no-merges` flag to changelog `git log`
- Add empty changelog guard: `No new changes since $PREVIOUS_TAG` when a previous tag exists, `No changes (first release)` otherwise
- Drop Quick Start section from release body (belongs in README)
Acceptance Criteria
- `v*.*.*-*` tags and completes successfully
- `test` job fails fast if tests fail before any image is pushed
- `linux/amd64` and `linux/arm64`