From 66013024a2c1fb29631b8f19b911c0cb8b65514c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Far=C3=ADas=20Santana?= Date: Sat, 27 Dec 2025 16:24:14 +0100 Subject: [PATCH 1/6] chore: Consolidate CI workflows and bump everything --- .github/workflows/ci.yaml | 69 +++++++++++++++++++++++----- .github/workflows/docs_pages.yaml | 12 ++--- .github/workflows/pypi_deploy.yaml | 8 ++-- .github/workflows/tagged_release.yml | 60 ------------------------ 4 files changed, 68 insertions(+), 81 deletions(-) delete mode 100644 .github/workflows/tagged_release.yml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b8f653a..2f6fe16 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -33,7 +33,14 @@ jobs: - '3.11' - '3.10' airflow-version: + # Latest release as of 2025-12-27 + # See: https://airflow.apache.org/docs/apache-airflow/stable/release_notes.html - '3.1.5' + # GCP Cloud Composer latest as of 2025-12-27 + # See: https://docs.cloud.google.com/composer/docs/composer-versions + - '3.1.0' + # AWS MWAA latest as of 2025-12-27 + # See: https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html - '3.0.6' dbt-version: - '1.11.2' @@ -46,7 +53,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.4 + uses: step-security/harden-runner@v2.14.0 with: egress-policy: block allowed-endpoints: > @@ -74,16 +81,17 @@ jobs: sudo apt-get update sudo apt-get install --yes --no-install-recommends postgresql - - uses: actions/checkout@v4.2.2 + - uses: actions/checkout@v6 + - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5.4.0 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - name: Install uv and set the python version - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@v7 with: - version: 0.7.2 + version: 0.9.18 python-version: ${{ matrix.python-version }} - name: Install Airflow & dbt 
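Review bot: The `uses:` lines in the `@@ -74,16 +81,17 @@` hunk move from exact release tags (`actions/checkout@v4.2.2`, `actions/setup-python@v5.4.0`) to floating major tags (`@v6`, `@v7`), so the code this job runs can change without any commit to this repository. Tags are mutable. Pinning each action to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v6`, keeps the upgrade reviewable, and a dependency bot can keep the SHAs current. The same applies to the `step-security/harden-runner@v2.14.0` lines and to the matching hunks in `docs_pages.yaml` and `pypi_deploy.yaml`; the latter, judging by its name, publishes the package.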
@@ -130,7 +138,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.4 + uses: step-security/harden-runner@v2.14.0 with: egress-policy: block allowed-endpoints: > @@ -139,15 +147,15 @@ jobs: api.github.com:443 pypi.org:443 - - uses: actions/checkout@v4.2.2 - - uses: actions/setup-python@v5.4.0 + - uses: actions/checkout@v6 + - uses: actions/setup-python@v7 with: - python-version: '3.12' + python-version: '3.13' - name: Install uv and set the python version - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@v7 with: - version: 0.7.2 + version: 0.9.18 python-version: ${{ matrix.python-version }} - name: Install airflow-dbt-python with uv @@ -190,3 +198,42 @@ jobs: minColorRange: 50 maxColorRange: 90 valColorRange: ${{ env.total }} + + deploy: + runs-on: ubuntu-latest + needs: test + if: startsWith(github.ref, 'refs/tags/v') + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-python@v6 + with: + python-version: '3.13' + + - name: Install uv and set the python version + uses: astral-sh/setup-uv@v7 + with: + version: 0.9.18 + python-version: 3.13 + + - name: Install airflow-dbt-python with uv + run: uv sync --no-dev + + - name: Build airflow-dbt-python with uv + run: uv build + + - name: Set prerelease variable + run: echo "IS_PRERELEASE=$(if $(uv version --short | grep -qP '^[0-9]+\.[0-9]+\.[0-9]+$'); then echo 'false'; else echo 'true'; fi)" >> $GITHUB_ENV + + - name: Set release git tag + run: echo "RELEASE_TAG=${{ github.ref_name }}" >> $GITHUB_ENV + + - name: Check tag matches package version + run: if [[ "$(uv version --short)" == ${RELEASE_TAG/v/} ]]; then exit 0; else exit 1; fi + + - name: Release new tag + uses: softprops/action-gh-release@v1 + with: + prerelease: ${{ fromJSON(env.IS_PRERELEASE) }} + token: ${{ secrets.GH_DEPLOY_TOKEN }} + files: | + dist/* diff --git a/.github/workflows/docs_pages.yaml b/.github/workflows/docs_pages.yaml index 5773bd2..dc93a90 100644 --- a/.github/workflows/docs_pages.yaml 
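Review bot: In the new `deploy` job, the `Set release git tag` step expands `${{ github.ref_name }}` directly into the shell script, so the tag name is parsed as shell source before `echo` runs, and git ref names may contain characters the shell interprets. Read it from the runner-provided variable instead: `run: echo "RELEASE_TAG=$GITHUB_REF_NAME" >> "$GITHUB_ENV"`. The job also hands the long-lived `secrets.GH_DEPLOY_TOKEN` to `softprops/action-gh-release@v1`, a third-party action on a mutable tag. Consider pinning it to a commit SHA and, if nothing else needs the PAT, declaring `permissions: contents: write` on the job and using the default `GITHUB_TOKEN`.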
+++ b/.github/workflows/docs_pages.yaml @@ -9,19 +9,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@master + uses: actions/checkout@v6 with: fetch-depth: 0 - - name: Set up Python '3.12' - uses: actions/setup-python@v5.4.0 + - name: Set up Python '3.13' + uses: actions/setup-python@v6 with: - python-version: '3.12' + python-version: '3.13' - name: Install uv and set the python version - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@v7 with: - version: 0.7.2 + version: 0.9.18 python-version: ${{ matrix.python-version }} - name: Install airflow-dbt-python with uv diff --git a/.github/workflows/pypi_deploy.yaml b/.github/workflows/pypi_deploy.yaml index 0f745f6..e3dd3df 100644 --- a/.github/workflows/pypi_deploy.yaml +++ b/.github/workflows/pypi_deploy.yaml @@ -7,15 +7,15 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.2.2 - - uses: actions/setup-python@v5.4.0 + - uses: actions/checkout@v6 + - uses: actions/setup-python@v6 with: python-version: '3.13' - name: Install uv and set the python version - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@v7 with: - version: 0.7.2 + version: 0.9.18 python-version: 3.13 - name: Install airflow-dbt-python with uv diff --git a/.github/workflows/tagged_release.yml b/.github/workflows/tagged_release.yml deleted file mode 100644 index 2202250..0000000 --- a/.github/workflows/tagged_release.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -name: Tagged release - -on: - push: - tags: - - "v*" - -jobs: - gh_tagged_release: - runs-on: ubuntu-latest - steps: - - name: Wait for CI - uses: fountainhead/action-wait-for-check@v1.2.0 - id: wait-for-ci - with: - token: ${{ secrets.GH_DEPLOY_TOKEN }} - checkName: CI - # Wait for one hour - timeoutSeconds: 3600 - intervalSeconds: 60 - - - name: Fail if CI failed - if: steps.wait-for-ci.outputs.conclusion != 'success' - run: | - echo "CI failed or didn't complete in time" - exit 1 - - - uses: actions/checkout@v4.2.2 - - uses: actions/setup-python@v5.4.0 - with: - python-version: '3.12' - - - name: Install uv and set the python version - uses: astral-sh/setup-uv@v5 - with: - version: 0.7.2 - python-version: 3.12 - - - name: Install airflow-dbt-python with uv - run: uv sync --no-dev - - - name: Build airflow-dbt-python with uv - run: uv build - - - name: Set prerelease variable - run: echo "IS_PRERELEASE=$(if $(uv version --short | grep -qP '^[0-9]+\.[0-9]+\.[0-9]+$'); then echo 'false'; else echo 'true'; fi)" >> $GITHUB_ENV - - - name: Set release git tag - run: echo "RELEASE_TAG=${{ github.ref_name }}" >> $GITHUB_ENV - - - name: Check tag matches package version - run: if [[ "$(uv version --short)" == ${RELEASE_TAG/v/} ]]; then exit 0; else exit 1; fi - - - name: Release new tag - uses: softprops/action-gh-release@v1 - with: - prerelease: ${{ fromJSON(env.IS_PRERELEASE) }} - token: ${{ secrets.GH_DEPLOY_TOKEN }} - files: | - dist/* From f250fade753eae957dde24145b3ed74b8b16c894 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Far=C3=ADas=20Santana?= Date: Sat, 27 Dec 2025 16:38:35 +0100 Subject: [PATCH 2/6] fix: Get latest from setup-uv --- .github/workflows/ci.yaml | 9 ++++----- .github/workflows/docs_pages.yaml | 1 - .github/workflows/pypi_deploy.yaml | 1 - 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2f6fe16..8cc9d60 100644 --- a/.github/workflows/ci.yaml 
+++ b/.github/workflows/ci.yaml @@ -62,6 +62,7 @@ jobs: hub.getdbt.com:443 github.com:80 github.com:443 + release-assets.githubusercontent.com:443 gitlab.com:22 gitlab.com:80 gitlab.com:443 @@ -91,7 +92,6 @@ jobs: - name: Install uv and set the python version uses: astral-sh/setup-uv@v7 with: - version: 0.9.18 python-version: ${{ matrix.python-version }} - name: Install Airflow & dbt @@ -144,6 +144,7 @@ jobs: allowed-endpoints: > files.pythonhosted.org:443 github.com:443 + release-assets.githubusercontent.com:443 api.github.com:443 pypi.org:443 @@ -155,7 +156,6 @@ jobs: - name: Install uv and set the python version uses: astral-sh/setup-uv@v7 with: - version: 0.9.18 python-version: ${{ matrix.python-version }} - name: Install airflow-dbt-python with uv @@ -199,10 +199,10 @@ jobs: maxColorRange: 90 valColorRange: ${{ env.total }} - deploy: + release: runs-on: ubuntu-latest needs: test - if: startsWith(github.ref, 'refs/tags/v') + if: github.ref_type == 'tag' steps: - uses: actions/checkout@v6 - uses: actions/setup-python@v6 @@ -212,7 +212,6 @@ jobs: - name: Install uv and set the python version uses: astral-sh/setup-uv@v7 with: - version: 0.9.18 python-version: 3.13 - name: Install airflow-dbt-python with uv diff --git a/.github/workflows/docs_pages.yaml b/.github/workflows/docs_pages.yaml index dc93a90..c5ab28f 100644 --- a/.github/workflows/docs_pages.yaml +++ b/.github/workflows/docs_pages.yaml @@ -21,7 +21,6 @@ jobs: - name: Install uv and set the python version uses: astral-sh/setup-uv@v7 with: - version: 0.9.18 python-version: ${{ matrix.python-version }} - name: Install airflow-dbt-python with uv diff --git a/.github/workflows/pypi_deploy.yaml b/.github/workflows/pypi_deploy.yaml index e3dd3df..52c96eb 100644 --- a/.github/workflows/pypi_deploy.yaml +++ b/.github/workflows/pypi_deploy.yaml 
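Review bot: Dropping `version: 0.9.18` from the `astral-sh/setup-uv@v7` step in the `@@ -91,7 +92,6 @@` hunk means every run installs whatever uv release is current at that moment, unless the project pins uv elsewhere (not visible in this patch). The same removal appears in the later `ci.yaml` hunks and in `docs_pages.yaml` and `pypi_deploy.yaml`. For the test jobs this is mostly a reproducibility concern, but the `release` and PyPI `deploy` jobs build the distributed artifacts with that unreviewed binary. Keeping an explicit `version:` input and letting a dependency bot bump it stays current while making each toolchain change a visible commit.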
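Review bot: Changing the job condition to `if: github.ref_type == 'tag'` in the `@@ -199,10 +199,10 @@` hunk widens the release gate from `v`-prefixed tags to any tag that triggers this workflow. Whether that is reachable depends on the `on:` filter, which is outside the hunk. If tags are not filtered there, a tag without the `v` prefix would reach the steps that use `secrets.GH_DEPLOY_TOKEN`. Keeping both conditions preserves the old guard: `if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')`.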
@@ -15,7 +15,6 @@ jobs: - name: Install uv and set the python version uses: astral-sh/setup-uv@v7 with: - version: 0.9.18 python-version: 3.13 - name: Install airflow-dbt-python with uv From 4d6c73d655dae5b2666031c62303d182e66bab52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Far=C3=ADas=20Santana?= Date: Sat, 27 Dec 2025 23:44:35 +0100 Subject: [PATCH 3/6] feat: Use harden runner everywhere (audit first) --- .github/workflows/ci.yaml | 11 +++++++ .github/workflows/docs_pages.yaml | 51 ++++++++++++++++++------------ .github/workflows/pypi_deploy.yaml | 11 +++++++ 3 files changed, 53 insertions(+), 20 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8cc9d60..cf31a03 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -204,6 +204,17 @@ jobs: needs: test if: github.ref_type == 'tag' steps: + - name: Harden Runner + uses: step-security/harden-runner@v2.14.0 + with: + egress-policy: audit + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + release-assets.githubusercontent.com:443 + api.github.com:443 + pypi.org:443 + - uses: actions/checkout@v6 - uses: actions/setup-python@v6 with: diff --git a/.github/workflows/docs_pages.yaml b/.github/workflows/docs_pages.yaml index c5ab28f..8188887 100644 --- a/.github/workflows/docs_pages.yaml +++ b/.github/workflows/docs_pages.yaml 
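Review bot: With `egress-policy: audit`, the `allowed-endpoints` list added to the `release` job is not enforced, because harden-runner applies it only when the policy is `block`; this job, which later uses `secrets.GH_DEPLOY_TOKEN`, keeps unrestricted outbound access. The commit title says "audit first", but nothing in the file records that, so add a comment above the key such as `# TODO: switch to block once audit runs confirm the endpoint list`. The list matches the one on the second `ci.yaml` job and will probably need the release-asset upload host (likely `uploads.github.com:443`) before blocking; confirm against the audit results. The same applies to the `docs_pages.yaml` and `pypi_deploy.yaml` hunks of this commit.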
@@ -8,28 +8,39 @@ jobs: build-docs: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v6 - with: - fetch-depth: 0 + - name: Harden Runner + uses: step-security/harden-runner@v2.14.0 + with: + egress-policy: audit + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + release-assets.githubusercontent.com:443 + api.github.com:443 + pypi.org:443 - - name: Set up Python '3.13' - uses: actions/setup-python@v6 - with: - python-version: '3.13' + - name: Checkout + uses: actions/checkout@v6 + with: + fetch-depth: 0 - - name: Install uv and set the python version - uses: astral-sh/setup-uv@v7 - with: - python-version: ${{ matrix.python-version }} + - name: Set up Python '3.13' + uses: actions/setup-python@v6 + with: + python-version: '3.13' - - name: Install airflow-dbt-python with uv - run: uv sync --all-extras --group docs + - name: Install uv and set the python version + uses: astral-sh/setup-uv@v7 + with: + python-version: ${{ matrix.python-version }} - - name: Install Graphviz - run: sudo apt-get install graphviz + - name: Install airflow-dbt-python with uv + run: uv sync --all-extras --group docs - - name: Build documentation - run: | - cd docs/ - uv run python -m sphinx -T -b dirhtml -d _build/doctrees . html + - name: Install Graphviz + run: sudo apt-get install graphviz + + - name: Build documentation + run: | + cd docs/ + uv run python -m sphinx -T -b dirhtml -d _build/doctrees . html diff --git a/.github/workflows/pypi_deploy.yaml b/.github/workflows/pypi_deploy.yaml index 52c96eb..cba65ad 100644 --- a/.github/workflows/pypi_deploy.yaml +++ b/.github/workflows/pypi_deploy.yaml 
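Review bot: The re-indented setup-uv step in `build-docs` still passes `python-version: ${{ matrix.python-version }}`, but no `strategy.matrix` is visible for this job between `build-docs:` and `steps:` in the hunk. If the job has none, the expression expands to an empty string and the step no longer names the 3.13 interpreter set up one step earlier. In that case use the literal: `python-version: '3.13'`. The second job in `ci.yaml` (hunk `@@ -139,15 +147,15 @@` of patch 1) pairs a fixed `'3.13'` with the same matrix expression and is worth checking too; its job header is outside that hunk.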
@@ -7,6 +7,17 @@ jobs: deploy: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2.14.0 + with: + egress-policy: audit + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + release-assets.githubusercontent.com:443 + api.github.com:443 + pypi.org:443 + - uses: actions/checkout@v6 - uses: actions/setup-python@v6 with: From b0703f48741d8c5d7acca3d2fe353d326008dce3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Far=C3=ADas=20Santana?= Date: Sat, 27 Dec 2025 23:46:48 +0100 Subject: [PATCH 4/6] chore: Update names of all job steps --- .github/workflows/ci.yaml | 23 +++++++++++++++-------- .github/workflows/docs_pages.yaml | 2 +- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cf31a03..cea5ad1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -82,14 +82,15 @@ jobs: sudo apt-get update sudo apt-get install --yes --no-install-recommends postgresql - - uses: actions/checkout@v6 + - name: Checkout + uses: actions/checkout@v6 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - - name: Install uv and set the python version + - name: Install uv uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} @@ -148,12 +149,15 @@ jobs: api.github.com:443 pypi.org:443 - - uses: actions/checkout@v6 - - uses: actions/setup-python@v7 + - name: Checkout + uses: actions/checkout@v6 + + - name: Set up Python '3.13' + uses: actions/setup-python@v7 with: python-version: '3.13' - - name: Install uv and set the python version + - name: Install uv uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} 
@@ -215,12 +219,15 @@ jobs: api.github.com:443 pypi.org:443 - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - name: Checkout + uses: actions/checkout@v6 + + - name: Set up Python '3.13' + uses: actions/setup-python@v6 with: python-version: '3.13' - - name: Install uv and set the python version + - name: Install uv uses: astral-sh/setup-uv@v7 with: python-version: 3.13 diff --git a/.github/workflows/docs_pages.yaml b/.github/workflows/docs_pages.yaml index 8188887..bea1ffc 100644 --- a/.github/workflows/docs_pages.yaml +++ b/.github/workflows/docs_pages.yaml @@ -29,7 +29,7 @@ jobs: with: python-version: '3.13' - - name: Install uv and set the python version + - name: Install uv uses: astral-sh/setup-uv@v7 with: python-version: ${{ matrix.python-version }} From 38b86996a39c112fab043d2e4b0a4b04cc8dc7ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Far=C3=ADas=20Santana?= Date: Sun, 28 Dec 2025 12:22:36 +0100 Subject: [PATCH 5/6] fix: Remove 3.1.0 for now --- .github/workflows/ci.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index cea5ad1..0752661 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -38,7 +38,9 @@ jobs: - '3.1.5' # GCP Cloud Composer latest as of 2025-12-27 # See: https://docs.cloud.google.com/composer/docs/composer-versions - - '3.1.0' + # TODO: Uncomment once 'SUPERVISOR_COMMS' import bug is figured out + # This is fixed in later versions of Airflow. + # - '3.1.0' # AWS MWAA latest as of 2025-12-27 # See: https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html - '3.0.6' From 6444045ad916fa1def1b59b198948b3c70c482cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Far=C3=ADas=20Santana?= Date: Sun, 28 Dec 2025 15:53:27 +0100 Subject: [PATCH 6/6] fix: Use correct setup-python version --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0752661..cc46dc8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -155,7 +155,7 @@ jobs: uses: actions/checkout@v6 - name: Set up Python '3.13' - uses: actions/setup-python@v7 + uses: actions/setup-python@v6 with: python-version: '3.13'