Skip to content

🔖 (release): python-sdk 0.0.1rc3 #333

🔖 (release): python-sdk 0.0.1rc3

🔖 (release): python-sdk 0.0.1rc3 #333

Workflow file for this run

name: CI
on:
# No matter for push or pull request events, it would trigger CI for safely saving the source code.
# For the push event, it only runs building and testing.
push:
branches:
- "master"
- "!**e2e"
- "!e2e**"
paths:
# For GitHub Action
- ".github/workflows/ci.yaml"
- ".github/workflows/rw_build_and_test.yaml"
- ".github/workflows/rw_run_all_test_and_record.yaml"
# For source code and test
- "agent_assembly/**/*.py"
- "!**/__pkg_info__.py"
- "test/**/*.py"
# For shell script for CI
- "scripts/run_all_tests.sh"
# For configurations for test or CI
- ".coveragerc"
- "codecov.yml"
- "pytest.ini"
- "sonar-project.properties"
# For Python project configuration
- "pyproject.toml"
- "uv.lock"
# For the push event, in addition to build and test would be run, it would trigger other service to keep the reports
# or other checking, i.e., record the test report by CodeCov and check the code quality by SonarQube.
pull_request:
branches:
- "master"
- "!**e2e"
- "!e2e**"
paths:
# For GitHub Action
- ".github/workflows/ci.yaml"
- ".github/workflows/rw_build_and_test.yaml"
- ".github/workflows/rw_run_all_test_and_record.yaml"
# For source code and test
- "agent_assembly/**/*.py"
- "!**/__pkg_info__.py"
- "test/**/*.py"
# For shell script for CI
- "scripts/run_all_tests.sh"
# For configurations for test or CI
- ".coveragerc"
- "codecov.yml"
- "pytest.ini"
- "sonar-project.properties"
# For Python project configuration
- "pyproject.toml"
- "uv.lock"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# AAASM-3993: least-privilege default token — this workflow only checks out and
# runs tests/builds; no job pushes, comments, or deploys.
permissions:
contents: read
jobs:
build-and-test_all:
# name: Run all tests and organize all test reports
uses: ./.github/workflows/rw_run_all_test_and_record.yaml
with:
# PRs run ubuntu-only to trim the 4-OS matrix; push/scheduled/release keep the full list.
operating-systems: >-
${{ github.event_name == 'pull_request'
&& '["ubuntu-latest"]'
|| '["ubuntu-latest", "ubuntu-22.04", "macos-latest", "macos-14"]' }}
secrets:
codecov_token: ${{ secrets.CODECOV_TOKEN }}
sonar_token: ${{ secrets.SONAR_TOKEN }}
# AAASM-3612: advisory gate. Fail CI when a (possibly transitive) dependency
# in the locked set carries a known advisory, so a poisoned dep cannot ride
# into a release through uv.lock. pip-audit resolves the synced environment
# against the PyPI Advisory + OSV databases; a non-empty result exits
# non-zero and fails the job.
dependency-audit:
name: Dependency advisory audit (pip-audit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- name: Sync locked environment
run: uv sync --frozen
- name: Run pip-audit advisory gate
# Documented allowlist for advisories with NO available fix, mirroring
# go-sdk's KNOWN_UNFIXED. Add an entry ONLY when there is no fixed
# release, with a dated rationale, in the form:
# --ignore-vuln GHSA-xxxx-xxxx-xxxx # <date> <reason; awaiting fix>
# The list starts empty: every known-vuln dependency fails the gate.
run: |
set -euo pipefail
uvx pip-audit \
--strict \
--desc
# To allowlist an unfixable advisory, append flags above, e.g.:
# --ignore-vuln GHSA-xxxx-xxxx-xxxx # 2026-06-23 no fixed release yet
# AAASM-4034: dedicated leg that installs `langchain-core` (the non-default
# `langchain-test` group) so the AAASM-4014 `__getattr__` is exercised against
# the REAL `langchain_core.callbacks.BaseCallbackHandler`. The main test matrix
# deliberately stays langchain-free — installing it there would swap the base
# class under the whole suite — so the `importorskip`-guarded contract test only
# runs here. Kept as a focused single-file run so it cannot slow the main gate.
langchain-contract-test:
name: LangChain-installed __getattr__ contract test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"
- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- name: Sync locked environment with the langchain-test group
run: uv sync --frozen --group langchain-test
- name: Run the langchain-installed callback contract test
run: >-
uv run python -m pytest
test/unit/adapters/langchain/test_getattr_contract_with_langchain.py
-v
# Single aggregate required check. Collapses the reusable-workflow fan-out into one
# stable status so branch protection needs only this check, and it still reports a
# result (success on skip) instead of staying pending when path filters skip the
# underlying test jobs.
ci-success:
name: CI Success
needs: [build-and-test_all, dependency-audit, langchain-contract-test]
if: always()
runs-on: ubuntu-latest
steps:
- name: Verify upstream jobs did not fail or get cancelled
run: |
test_result="${{ needs.build-and-test_all.result }}"
audit_result="${{ needs.dependency-audit.result }}"
langchain_result="${{ needs.langchain-contract-test.result }}"
echo "build-and-test_all result: ${test_result}"
echo "dependency-audit result: ${audit_result}"
echo "langchain-contract-test result: ${langchain_result}"
for result in "${test_result}" "${audit_result}" "${langchain_result}"; do
if [ "${result}" = "failure" ] || [ "${result}" = "cancelled" ]; then
echo "::error::CI failed: build-and-test_all=${test_result} dependency-audit=${audit_result} langchain-contract-test=${langchain_result}"
exit 1
fi
done
echo "CI Success: all required upstream jobs passed or were skipped."