sqlitegraph/.github/workflows/python.yml at main · oldnordic/sqlitegraph · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
name: Python

# Scope: gates for the Python bindings (sqlitegraph-py/). This workflow is
# entirely independent of the Rust crate's Validate workflow.
#
# Path filter: the job only runs when files that could affect the Python
# bindings change. A Rust-only PR (touching sqlitegraph-core/src/ or the CLI)
# does NOT trigger this workflow, so it cannot break Rust-only CI.
#
# Security review:
#   Only trusted inputs (paths and branches from `on:` config) are referenced.
#   No untrusted user-supplied fields are interpolated into run: blocks.

on:
  push:
    branches: [main, master]
    paths:
      - "sqlitegraph-py/**"
      - ".github/workflows/python.yml"
  pull_request:
    branches: [main, master]
    paths:
      - "sqlitegraph-py/**"
      - ".github/workflows/python.yml"
  workflow_dispatch:

permissions:
  contents: read

jobs:
  python:
    name: python (ruff + mypy + pytest)
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: sqlitegraph-py
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Setup Rust (for maturin develop)
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt

      - name: cargo fmt --check (sqlitegraph-py)
        run: cargo fmt --check

      - name: Create venv + install dev dependencies
        run: |
          python -m venv .venv
          source .venv/bin/activate
          python -m pip install --upgrade pip
          pip install maturin
          pip install -e ".[dev]"
          echo "$PWD/.venv/bin" >> "$GITHUB_PATH"
          echo "VIRTUAL_ENV=$PWD/.venv" >> "$GITHUB_ENV"

      - name: Build extension
        run: maturin develop --release

      - name: Check Python terminology (LLM / AI assistant / production-ready)
        run: |
          set -e
          if grep -riE "\bLLM\b|\bAI assistant\b|production-ready" \
              python tests README.md 2>/dev/null; then
            echo "FAIL: forbidden terminology in Python sources or README"
            exit 1
          fi
          echo "Terminology clean"

      - name: Check raise NotImplementedError outside tests
        run: |
          set -e
          if grep -rn 'raise NotImplementedError' python 2>/dev/null | grep -v '\.pyi:'; then
            echo "FAIL: raise NotImplementedError in library code"
            exit 1
          fi
          echo "No NotImplementedError stubs"

      - name: Check bare except outside tests
        run: |
          set -e
          if grep -rEn '^\s*except\s*:' python 2>/dev/null; then
            echo "FAIL: bare 'except:' in library code"
            exit 1
          fi
          echo "No bare except clauses"

      - name: Rust stub scan (py crate src)
        run: |
          set -e
          # These would ship inside the wheel — block them at the gate.
          if grep -rnE 'todo!\(|unimplemented!\(|panic!\(|unreachable!\(|\.unwrap\(\)|\.expect\(' src 2>/dev/null; then
            echo "FAIL: Rust stubs (todo!/unimplemented!/panic!/unreachable!/unwrap()/expect(...)) in sqlitegraph-py/src/"
            echo "This code ships in the wheel users pip install."
            exit 1
          fi
          echo "No Rust stubs in py crate"

      - name: ruff format --check
        run: ruff format --check .

      - name: ruff check
        run: ruff check .

      - name: mypy
        run: mypy

      - name: pytest
        run: pytest -q