🔖 (release): python-sdk 0.0.1rc3 #333
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| # No matter for push or pull request events, it would trigger CI for safely saving the source code. | |
| # For the push event, it only runs building and testing. | |
| push: | |
| branches: | |
| - "master" | |
| - "!**e2e" | |
| - "!e2e**" | |
| paths: | |
| # For GitHub Action | |
| - ".github/workflows/ci.yaml" | |
| - ".github/workflows/rw_build_and_test.yaml" | |
| - ".github/workflows/rw_run_all_test_and_record.yaml" | |
| # For source code and test | |
| - "agent_assembly/**/*.py" | |
| - "!**/__pkg_info__.py" | |
| - "test/**/*.py" | |
| # For shell script for CI | |
| - "scripts/run_all_tests.sh" | |
| # For configurations for test or CI | |
| - ".coveragerc" | |
| - "codecov.yml" | |
| - "pytest.ini" | |
| - "sonar-project.properties" | |
| # For Python project configuration | |
| - "pyproject.toml" | |
| - "uv.lock" | |
| # For the push event, in addition to build and test would be run, it would trigger other service to keep the reports | |
| # or other checking, i.e., record the test report by CodeCov and check the code quality by SonarQube. | |
| pull_request: | |
| branches: | |
| - "master" | |
| - "!**e2e" | |
| - "!e2e**" | |
| paths: | |
| # For GitHub Action | |
| - ".github/workflows/ci.yaml" | |
| - ".github/workflows/rw_build_and_test.yaml" | |
| - ".github/workflows/rw_run_all_test_and_record.yaml" | |
| # For source code and test | |
| - "agent_assembly/**/*.py" | |
| - "!**/__pkg_info__.py" | |
| - "test/**/*.py" | |
| # For shell script for CI | |
| - "scripts/run_all_tests.sh" | |
| # For configurations for test or CI | |
| - ".coveragerc" | |
| - "codecov.yml" | |
| - "pytest.ini" | |
| - "sonar-project.properties" | |
| # For Python project configuration | |
| - "pyproject.toml" | |
| - "uv.lock" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # AAASM-3993: least-privilege default token — this workflow only checks out and | |
| # runs tests/builds; no job pushes, comments, or deploys. | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-and-test_all: | |
| # name: Run all tests and organize all test reports | |
| uses: ./.github/workflows/rw_run_all_test_and_record.yaml | |
| with: | |
| # PRs run ubuntu-only to trim the 4-OS matrix; push/scheduled/release keep the full list. | |
| operating-systems: >- | |
| ${{ github.event_name == 'pull_request' | |
| && '["ubuntu-latest"]' | |
| || '["ubuntu-latest", "ubuntu-22.04", "macos-latest", "macos-14"]' }} | |
| secrets: | |
| codecov_token: ${{ secrets.CODECOV_TOKEN }} | |
| sonar_token: ${{ secrets.SONAR_TOKEN }} | |
| # AAASM-3612: advisory gate. Fail CI when a (possibly transitive) dependency | |
| # in the locked set carries a known advisory, so a poisoned dep cannot ride | |
| # into a release through uv.lock. pip-audit resolves the synced environment | |
| # against the PyPI Advisory + OSV databases; a non-empty result exits | |
| # non-zero and fails the job. | |
| dependency-audit: | |
| name: Dependency advisory audit (pip-audit) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 | |
| - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 | |
| with: | |
| python-version: "3.12" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | |
| - name: Sync locked environment | |
| run: uv sync --frozen | |
| - name: Run pip-audit advisory gate | |
| # Documented allowlist for advisories with NO available fix, mirroring | |
| # go-sdk's KNOWN_UNFIXED. Add an entry ONLY when there is no fixed | |
| # release, with a dated rationale, in the form: | |
| # --ignore-vuln GHSA-xxxx-xxxx-xxxx # <date> <reason; awaiting fix> | |
| # The list starts empty: every known-vuln dependency fails the gate. | |
| run: | | |
| set -euo pipefail | |
| uvx pip-audit \ | |
| --strict \ | |
| --desc | |
| # To allowlist an unfixable advisory, append flags above, e.g.: | |
| # --ignore-vuln GHSA-xxxx-xxxx-xxxx # 2026-06-23 no fixed release yet | |
| # AAASM-4034: dedicated leg that installs `langchain-core` (the non-default | |
| # `langchain-test` group) so the AAASM-4014 `__getattr__` is exercised against | |
| # the REAL `langchain_core.callbacks.BaseCallbackHandler`. The main test matrix | |
| # deliberately stays langchain-free — installing it there would swap the base | |
| # class under the whole suite — so the `importorskip`-guarded contract test only | |
| # runs here. Kept as a focused single-file run so it cannot slow the main gate. | |
| langchain-contract-test: | |
| name: LangChain-installed __getattr__ contract test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 | |
| - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 | |
| with: | |
| python-version: "3.13" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | |
| - name: Sync locked environment with the langchain-test group | |
| run: uv sync --frozen --group langchain-test | |
| - name: Run the langchain-installed callback contract test | |
| run: >- | |
| uv run python -m pytest | |
| test/unit/adapters/langchain/test_getattr_contract_with_langchain.py | |
| -v | |
| # Single aggregate required check. Collapses the reusable-workflow fan-out into one | |
| # stable status so branch protection needs only this check, and it still reports a | |
| # result (success on skip) instead of staying pending when path filters skip the | |
| # underlying test jobs. | |
| ci-success: | |
| name: CI Success | |
| needs: [build-and-test_all, dependency-audit, langchain-contract-test] | |
| if: always() | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Verify upstream jobs did not fail or get cancelled | |
| run: | | |
| test_result="${{ needs.build-and-test_all.result }}" | |
| audit_result="${{ needs.dependency-audit.result }}" | |
| langchain_result="${{ needs.langchain-contract-test.result }}" | |
| echo "build-and-test_all result: ${test_result}" | |
| echo "dependency-audit result: ${audit_result}" | |
| echo "langchain-contract-test result: ${langchain_result}" | |
| for result in "${test_result}" "${audit_result}" "${langchain_result}"; do | |
| if [ "${result}" = "failure" ] || [ "${result}" = "cancelled" ]; then | |
| echo "::error::CI failed: build-and-test_all=${test_result} dependency-audit=${audit_result} langchain-contract-test=${langchain_result}" | |
| exit 1 | |
| fi | |
| done | |
| echo "CI Success: all required upstream jobs passed or were skipped." |