From 6672a8379d2db75fa4d4bfe575e258c2bd35ea9d Mon Sep 17 00:00:00 2001 From: Jakob Guldberg Aaes Date: Sun, 8 Mar 2026 06:55:38 +0100 Subject: [PATCH 1/2] ci: simplify uv-based CI and release workflows Use setup-uv + uv sync/build/publish end-to-end, tighten release flow around tag-based trusted publishing, and pin workflow actions to major versions for safer automatic patch updates. --- .github/workflows/ci.yml | 176 ++++++++++++++-------------------- .github/workflows/release.yml | 89 +++++++++-------- 2 files changed, 118 insertions(+), 147 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c2077b7..0f580d2b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [main, master] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -14,25 +17,21 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + - name: Set up uv (Python ${{ matrix.python-version }}) + uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install build - pip install -e . + - name: Sync runtime dependencies + run: uv sync --locked --no-dev - name: Check package builds - run: python -m build + run: uv build - name: Verify CLI entry point - run: | - python -c "from sqlit.cli import main; print('CLI import OK')" + run: uv run python -c "from sqlit.cli import main; print('CLI import OK')" test-unit: runs-on: ubuntu-latest 
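Review bot: Every `uses:` line on the new side references a moving major-version tag (`actions/checkout@v6`, `astral-sh/setup-uv@v7`, and in release.yml `actions/upload-artifact@v7`, `actions/download-artifact@v8`, `softprops/action-gh-release@v2`), which is not a pin: the tag's owner can repoint it at different code at any time. `KSXGitHub/github-actions-deploy-aur` even goes from the exact tag `v3.0.1` to the floating `v4`. The hardened form is a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v6`, which Dependabot or Renovate can still keep current. It matters most in release.yml, where `publish` holds `id-token: write` and `release` holds `contents: write`; the point applies to the checkout and setup-uv lines in every later hunk of both files.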
@@ -41,18 +40,15 @@ jobs: python-version: ["3.10", "3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + - name: Set up uv (Python ${{ matrix.python-version }}) + uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} - - name: Install uv - uses: astral-sh/setup-uv@v5 - - name: Install dependencies - run: uv sync --group test --no-dev + run: uv sync --locked --group test --no-dev - name: Run unit tests run: | @@ -77,18 +73,16 @@ jobs: python-version: ["3.10", "3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + - name: Set up uv (Python ${{ matrix.python-version }}) + uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev + run: uv sync --locked --group test --no-dev - name: Run SQLite integration tests run: uv run pytest tests/test_sqlite.py -v --timeout=60 @@ -114,18 +108,16 @@ jobs: --health-start-period 30s steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra mssql + run: uv sync --locked --group test --no-dev --extra mssql - name: Wait for SQL Server to be ready run: | 
@@ -167,18 +159,16 @@ jobs: --health-start-period 10s steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra postgres + run: uv sync --locked --group test --no-dev --extra postgres - name: Run PostgreSQL integration tests env: @@ -211,18 +201,16 @@ jobs: --health-start-period 30s steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra mysql + run: uv sync --locked --group test --no-dev --extra mysql - name: Run MySQL integration tests env: @@ -254,18 +242,16 @@ jobs: --health-start-period 60s steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra oracle + run: uv sync --locked --group test --no-dev --extra oracle - name: Run Oracle integration tests env: 
@@ -298,23 +284,21 @@ jobs: --health-start-period 30s steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" + enable-cache: true - name: Install MariaDB Connector/C run: | sudo apt-get update sudo apt-get install -y libmariadb-dev - - name: Install uv - uses: astral-sh/setup-uv@v5 - - name: Install dependencies - run: uv sync --group test --no-dev --extra mariadb + run: uv sync --locked --group test --no-dev --extra mariadb - name: Run MariaDB integration tests env: @@ -332,18 +316,16 @@ jobs: python-version: ["3.10", "3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + - name: Set up uv (Python ${{ matrix.python-version }}) + uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra duckdb + run: uv sync --locked --group test --no-dev --extra duckdb - name: Run DuckDB integration tests run: uv run pytest tests/test_duckdb.py -v --timeout=60 @@ -353,18 +335,16 @@ jobs: needs: build steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra cockroachdb + run: uv sync --locked --group test --no-dev --extra cockroachdb - name: Start CockroachDB run: | 
@@ -404,18 +384,16 @@ jobs: - 3050:3050 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra firebird + run: uv sync --locked --group test --no-dev --extra firebird - name: Run Firebird integration tests env: @@ -431,18 +409,16 @@ jobs: needs: build steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra clickhouse + run: uv sync --locked --group test --no-dev --extra clickhouse - name: Start ClickHouse run: | @@ -474,18 +450,16 @@ jobs: needs: build steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra ssh --extra postgres + run: uv sync --locked --group test --no-dev --extra ssh --extra postgres - name: Create Docker network run: docker network create ssh-test-net 
@@ -556,18 +530,16 @@ jobs: needs: build steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python 3.12 - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - - name: Install uv - uses: astral-sh/setup-uv@v5 + enable-cache: true - name: Install dependencies - run: uv sync --group test --no-dev --extra turso + run: uv sync --locked --group test --no-dev --extra turso - name: Start Turso (libsql-server) run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1cd849a0..5053dd62 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -3,84 +3,87 @@ name: Release and Publish on: push: tags: - - 'v*' + - "v*" workflow_dispatch: inputs: version: - description: 'Version to release (e.g., 0.4.2)' + description: "Version to release (e.g., 0.4.2)" required: true +permissions: + contents: read + jobs: - release: + publish: + if: startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest + environment: pypi permissions: - contents: write - steps: - - uses: actions/checkout@v4 - - - name: Extract version from tag - id: version - run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - - - name: Create GitHub Release - uses: softprops/action-gh-release@v1 - with: - name: ${{ steps.version.outputs.VERSION }} - generate_release_notes: true - draft: false - prerelease: false - - build: - runs-on: ubuntu-latest + id-token: write + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - name: Set up Python - uses: actions/setup-python@v5 + - name: Set up uv + uses: astral-sh/setup-uv@v7 with: python-version: "3.12" - - name: Install build tools - run: python -m pip install --upgrade build - - name: Build package - run: python -m build + run: uv build --no-sources - name: Upload dist artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: dist path: dist/ - publish: - needs: build + - name: Publish to PyPI + run: uv publish --trusted-publishing always dist/* + + release: + needs: publish + if: needs.publish.result == 'success' && startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest - environment: pypi permissions: - id-token: write + contents: write steps: - name: Download dist artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: name: dist path: dist/ - - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + - name: Extract version from tag + id: version + run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT" + + - name: Create GitHub Release + uses: 
softprops/action-gh-release@v2 + with: + name: ${{ steps.version.outputs.VERSION }} + generate_release_notes: true + draft: false + prerelease: false + files: dist/* aur: needs: publish + if: always() && (github.event_name == 'workflow_dispatch' || needs.publish.result == 'success') runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Extract version id: version run: | if [ -n "${{ github.event.inputs.version }}" ]; then - echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT + echo "VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT" + elif [[ "${GITHUB_REF}" == refs/tags/v* ]]; then + echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT" else - echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT + echo "Could not determine version" >&2 + exit 1 fi - name: Wait for PyPI and get checksum @@ -100,10 +103,9 @@ jobs: sleep 30 done - # Download and compute checksum curl -sL "$URL" -o /tmp/pkg.tar.gz CHECKSUM=$(sha256sum /tmp/pkg.tar.gz | cut -d' ' -f1) - echo "CHECKSUM=${CHECKSUM}" >> $GITHUB_OUTPUT + echo "CHECKSUM=${CHECKSUM}" >> "$GITHUB_OUTPUT" echo "Checksum: ${CHECKSUM}" - name: Update PKGBUILD @@ -116,11 +118,8 @@ jobs: sed -i "s/^pkgrel=.*/pkgrel=1/" PKGBUILD sed -i "s/^sha256sums=.*/sha256sums=('${CHECKSUM}')/" PKGBUILD - echo "Updated PKGBUILD:" - cat PKGBUILD - - name: Publish to AUR - uses: KSXGitHub/github-actions-deploy-aur@v3.0.1 + uses: KSXGitHub/github-actions-deploy-aur@v4 with: pkgname: python-sqlit-tui pkgbuild: ./aur/PKGBUILD From 552d8995a5eaf3502603fe33f934a2d1decca430 Mon Sep 17 00:00:00 2001 From: Jakob Guldberg Aaes Date: Sun, 8 Mar 2026 07:27:06 +0100 Subject: [PATCH 2/2] ci: reduce workflow duplication in GitHub Actions --- .github/workflows/ci.yml | 170 +++++++++++++++------------------- .github/workflows/release.yml | 11 +-- 2 files changed, 78 insertions(+), 103 deletions(-) 
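Review bot: Merging the build into `publish` puts checkout, `astral-sh/setup-uv` and `uv build --no-sources` (which runs the project's build backend) inside the one job that holds `id-token: write` and the `pypi` environment; the removed layout gave the token only to a job that downloaded a finished artifact. Splitting it back into an unprivileged `build` and a download-and-publish `publish`, as sketched below, restores that boundary. If setup-uv caches by default on hosted runners (worth confirming for v7), set `enable-cache: false` on the release build as well, so a cache entry written by another run cannot feed the published files. Separately, the `aur` job's `Extract version` step still expands `${{ github.event.inputs.version }}` straight into the script text, so the dispatch input is parsed as shell; pass it through `env:` (for example `INPUT_VERSION: ${{ github.event.inputs.version }}`) and test `"$INPUT_VERSION"` instead.

```yaml
  build:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, setup-uv, `uv build --no-sources`, upload of dist/ …

  publish:
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - name: Download dist artifacts
        uses: actions/download-artifact@v8
        with:
          name: dist
          path: dist/

      - name: Set up uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: false

      - name: Publish to PyPI
        run: uv publish --trusted-publishing always dist/*
```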
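Review bot: The value written to `CHECKSUM` is the hash of whatever `curl -sL "$URL"` saved, and without `--fail` an HTTP error body would be hashed and then written into `sha256sums` by the next step. Using `curl -fsSL "$URL" -o /tmp/pkg.tar.gz` makes a failed download stop the job. On tag runs the sdist built by `publish` is available as the `dist` artifact, so comparing its `sha256sum` with the downloaded file before updating the PKGBUILD would also confirm that PyPI serves the file this run built. The start of this step, including the wait loop, is outside the hunk.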
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 405d5d91..9d6669c2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,9 +17,11 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13"] steps: - - uses: actions/checkout@v6 + - &checkout-step + uses: actions/checkout@v6 - - name: Set up uv (Python ${{ matrix.python-version }}) + - &setup-uv-matrix-no-cache + name: Set up uv (Python ${{ matrix.python-version }}) uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} @@ -46,20 +48,20 @@ jobs: test-unit: runs-on: ubuntu-latest + env: + UV_EXTRAS: "" strategy: matrix: python-version: ["3.10", "3.12"] steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv (Python ${{ matrix.python-version }}) - uses: astral-sh/setup-uv@v7 - with: - python-version: ${{ matrix.python-version }} + - *setup-uv-matrix-no-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev + - &install-test-deps + name: Install dependencies + run: uv sync --locked --group test --no-dev ${{ env.UV_EXTRAS }} - name: Run unit tests run: | @@ -79,21 +81,23 @@ jobs: test-sqlite: runs-on: ubuntu-latest + env: + UV_EXTRAS: "" strategy: matrix: python-version: ["3.10", "3.12"] steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv (Python ${{ matrix.python-version }}) + - &setup-uv-matrix-with-cache + name: Set up uv (Python ${{ matrix.python-version }}) uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} enable-cache: true - - name: Install dependencies - run: uv sync --locked --group test --no-dev + - *install-test-deps - name: Run SQLite integration tests run: uv run pytest tests/test_sqlite.py -v --timeout=60 @@ -101,6 +105,8 @@ jobs: test-mssql: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra mssql services: mssql: 
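Review bot: The `&checkout-step` anchor now defines the checkout for every job in this file, which makes it the single place to add `with:` / `persist-credentials: false`; as written, each job keeps the checkout token available to the later steps, which run `uv sync` and the test suites on pull-request code. The workflow-level `permissions: contents: read` limits what that token can do, so this is hardening rather than a bug, and the same one-line addition fits `&checkout_step` in release.yml. The name `&setup-uv-matrix-no-cache` also promises more than the step does: it only omits `enable-cache`, so if setup-uv's default is to cache on hosted runners (worth confirming), an explicit `enable-cache: false` is needed to make the name true.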
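Review bot: The shared `&install-test-deps` step splices `${{ env.UV_EXTRAS }}` into the script text before the shell starts, although the value is already exported to the step as an environment variable. `run: uv sync --locked --group test --no-dev $UV_EXTRAS` gives the same word-splitting (and expands to nothing for `UV_EXTRAS: ""`) without putting an expression inside a `run:` block. The values are workflow constants today, so nothing is injectable, but this step is now aliased into every test job and is the pattern later edits will copy. A short comment at the anchor, such as `# UV_EXTRAS is set per job; left unquoted on purpose so "--extra a --extra b" splits`, would document the intent.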
@@ -119,16 +125,16 @@ jobs: --health-start-period 30s steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv + - &setup-uv-py312-with-cache + name: Set up uv uses: astral-sh/setup-uv@v7 with: python-version: "3.12" enable-cache: true - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra mssql + - *install-test-deps - name: Wait for SQL Server to be ready run: | @@ -152,6 +158,8 @@ jobs: test-postgresql: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra postgres services: postgres: @@ -170,16 +178,11 @@ jobs: --health-start-period 10s steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra postgres + - *install-test-deps - name: Run PostgreSQL integration tests env: @@ -193,6 +196,8 @@ jobs: test-mysql: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra mysql services: mysql: @@ -212,16 +217,11 @@ jobs: --health-start-period 30s steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra mysql + - *install-test-deps - name: Run MySQL integration tests env: @@ -235,6 +235,8 @@ jobs: test-oracle: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra oracle services: oracle: 
@@ -253,16 +255,11 @@ jobs: --health-start-period 60s steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra oracle + - *install-test-deps - name: Run Oracle integration tests env: @@ -276,6 +273,8 @@ jobs: test-mariadb: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra mariadb services: mariadb: @@ -295,21 +294,16 @@ jobs: --health-start-period 30s steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - name: Install MariaDB Connector/C run: | sudo apt-get update sudo apt-get install -y libmariadb-dev - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra mariadb + - *install-test-deps - name: Run MariaDB integration tests env: @@ -322,21 +316,18 @@ jobs: test-duckdb: runs-on: ubuntu-latest + env: + UV_EXTRAS: --extra duckdb strategy: matrix: python-version: ["3.10", "3.12"] steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv (Python ${{ matrix.python-version }}) - uses: astral-sh/setup-uv@v7 - with: - python-version: ${{ matrix.python-version }} - enable-cache: true + - *setup-uv-matrix-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra duckdb + - *install-test-deps - name: Run DuckDB integration tests run: uv run pytest tests/test_duckdb.py -v --timeout=60 
@@ -344,18 +335,15 @@ jobs: test-cockroachdb: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra cockroachdb steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra cockroachdb + - *install-test-deps - name: Start CockroachDB run: | @@ -383,6 +371,8 @@ jobs: test-firebird: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra firebird services: firebird: @@ -395,16 +385,11 @@ jobs: - 3050:3050 steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra firebird + - *install-test-deps - name: Run Firebird integration tests env: @@ -418,18 +403,15 @@ jobs: test-clickhouse: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra clickhouse steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra clickhouse + - *install-test-deps - name: Start ClickHouse run: | @@ -459,18 +441,15 @@ jobs: test-ssh: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra ssh --extra postgres steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra ssh --extra postgres + - *install-test-deps - name: Create Docker network run: docker network create ssh-test-net 
@@ -539,18 +518,15 @@ jobs: test-turso: runs-on: ubuntu-latest needs: build + env: + UV_EXTRAS: --extra turso steps: - - uses: actions/checkout@v6 + - *checkout-step - - name: Set up uv - uses: astral-sh/setup-uv@v7 - with: - python-version: "3.12" - enable-cache: true + - *setup-uv-py312-with-cache - - name: Install dependencies - run: uv sync --locked --group test --no-dev --extra turso + - *install-test-deps - name: Start Turso (libsql-server) run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 03a33f05..c38b95f1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,7 +22,8 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v6 + - &checkout_step + uses: actions/checkout@v6 - name: Set up uv uses: astral-sh/setup-uv@v7 @@ -34,7 +35,7 @@ jobs: - name: Upload dist artifacts uses: actions/upload-artifact@v7 - with: + with: &dist_artifact name: dist path: dist/ @@ -50,9 +51,7 @@ jobs: steps: - name: Download dist artifacts uses: actions/download-artifact@v8 - with: - name: dist - path: dist/ + with: *dist_artifact - name: Extract version from tag id: version @@ -72,7 +71,7 @@ jobs: if: always() && (github.event_name == 'workflow_dispatch' || needs.publish.result == 'success') runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - *checkout_step - name: Download dist artifacts uses: actions/download-artifact@v4
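Review bot: The `aur` job's `Download dist artifacts` step, visible as context in the last hunk, still uses `actions/download-artifact@v4` while the `release` job uses `@v8` against an artifact written by `upload-artifact@v7`; both download steps should use the same version, `uses: actions/download-artifact@v8`. The same job is allowed to run on `workflow_dispatch` when `publish` was skipped (a dispatch from a branch), and in that case the run holds no `dist` artifact, so unless the rest of the step, which is outside the hunk, tolerates that, the manual path fails at the download. The anchor is also spelled `checkout_step` here and `checkout-step` in ci.yml; one spelling across both files is easier to grep.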