feature<gh-actions>: Initial commit with most of the groundwork (#52)

rflinnenbank · nicorikken · web-flow · commit d22a13df092d · 2025-11-09T14:48:25.000+01:00
* feature&lt;gh-actions&gt;: Initial commit with most of the groundwork

Co-authored-by: Nico Rikken &lt;nico.rikken@alliander.com&gt;
Signed-off-by: Raoul Linnenbank &lt;58594297+rflinnenbank@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,24 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    reviewers:
+      - "rflinnenbank"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      package-updates:
+        applies-to: version-updates
+        patterns: [ "*" ]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    reviewers:
+      - "rflinnenbank"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/allowed-pr-sources-dev-release.yaml b/.github/workflows/allowed-pr-sources-dev-release.yaml
@@ -0,0 +1,26 @@
+name: Check if PR source branch is allowed for development or release branches
+
+on:
+  pull_request:
+    types: [ opened, reopened, synchronize, edited, ready_for_review ]
+    branches:
+      - development
+      - release/**
+
+jobs:
+  enforce:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR source branch
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+        run: |
+          echo "Head branch: $HEAD_REF"
+          if [[ "$HEAD_REF" =~ ^feature/ || "$HEAD_REF" =~ ^dev/feature/ ]]; then
+            echo "✔ Allowed source branch."
+            exit 0
+          else
+            echo "❌ Disallowed source branch: $HEAD_REF"
+            echo "Only 'feature/*' or 'dev/feature/*' may open PRs into 'development' or 'release/*'."
+            exit 1
+          fi
diff --git a/.github/workflows/allowed-pr-sources-main.yaml b/.github/workflows/allowed-pr-sources-main.yaml
@@ -0,0 +1,28 @@
+name: Check if PR source branch is allowed for main branch
+
+on:
+  pull_request:
+    types: [ opened, reopened, synchronize, edited, ready_for_review ]
+    branches:
+      - main
+
+jobs:
+  enforce:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Check PR source branch
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+        run: |
+          echo "Head branch: $HEAD_REF"
+          if [[ "$HEAD_REF" == "development" || "$HEAD_REF" =~ ^release/ || "$HEAD_REF" =~ ^hotfix/ ]]; then
+            echo "✔ Allowed source branch."
+            exit 0
+          else
+            echo "❌ Disallowed source branch: $HEAD_REF"
+            echo "Only 'development', 'release/*', or 'hotfix/*' may open PRs into 'main'."
+            exit 1
+          fi
diff --git a/.github/workflows/gh-pages-deployment.yaml b/.github/workflows/gh-pages-deployment.yaml
@@ -0,0 +1,36 @@
+name: GitHub Pages Deployment
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'docs/**'
+      - 'gh-pages-deployment.yaml'
+      - 'README.md'
+  workflow_dispatch:
+permissions:
+  contents: write
+  pages: write
+jobs:
+  deploy-gh-pages:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Configure Git user
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+      - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
+      - uses: actions/cache@v4
+        with:
+          key: mkdocs-material-${{ env.cache_id }}
+          path: ~/.cache
+          restore-keys: |
+            mkdocs-material-
+      - run: pip install mkdocs-material
+      - run: mkdocs gh-deploy --force
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
diff --git a/.github/workflows/pr-quality-gate.yaml.yml b/.github/workflows/pr-quality-gate.yaml.yml
@@ -0,0 +1,70 @@
+name: "PR Quality Gate: rc & main"
+
+on:
+  pull_request:
+    branches: [ rc, main ]
+    types: [ opened, synchronize, reopened, ready_for_review ]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: pr-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  precommit:
+    name: pre-commit
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # NOTE: point "uses:" to the DIRECTORY that contains action.yaml
+      # If your composite is at ./pre-commit/action.yaml, use "./pre-commit"
+      - name: Run pre-commit composite
+        uses: ./.github/workflows/pre-commit
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+
+  pytest:
+    name: pytest
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ${{ fromJSON(env.SUPPORTED_PYTHON_VERSIONS) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run pytest composite
+        uses: ./.github/workflows/pytest
+        with:
+          python-version: ${{ matrix.python-version }}
+
+  pytest-windows:
+    name: pytest (Windows, non-blocking)
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: windows-latest
+    continue-on-error: true
+    strategy:
+      matrix:
+        python-version: ${{ fromJSON(env.SUPPORTED_PYTHON_VERSIONS) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run pytest composite
+        uses: ./.github/workflows/pytest
+        with:
+          python-version: ${{ matrix.python-version }}
+
+  sonarqube:
+    name: SonarQube
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-latest
+    needs: [ pytest ]        # starts only after pytest completes
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run SonarCloud composite
+        uses: ./.github/workflows/sonar
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/pre-commit/action.yaml b/.github/workflows/pre-commit/action.yaml
@@ -0,0 +1,36 @@
+name: Pre-commit
+description: Sets up Python and Poetry and runs pre-commit
+
+inputs:
+  python-version:
+    required: true
+    description: Python version used
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Setup Python
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      uses: actions/setup-python@v3
+      with:
+        python-version: ${{ inputs.python-version }}
+
+    - name: Install Poetry
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      run: pipx install --python python${{ inputs.python-version }} poetry
+      shell: bash
+
+    - name: Install pre-commit
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      run: |
+        pip install pre-commit
+        pre-commit install
+      shell: bash
+
+    - name: Run pre-commit
+      if: ${{ hashFiles('.pre-commit-config.yaml') != '' }}
+      run: pre-commit run -a
+      shell: bash
diff --git a/.github/workflows/pytest/action.yaml b/.github/workflows/pytest/action.yaml
@@ -0,0 +1,28 @@
+name: 'PyTest'
+description: 'Run pytest with Poetry'
+inputs:
+  python-version:
+    required: true
+    description: 'Python version used.'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Set up Python
+      uses: actions/setup-python@v3
+      with:
+        python-version: ${{ inputs.python-version }}
+    - name: Install Poetry
+      run: pipx install poetry
+    - name: Install dependencies
+      run: poetry install --with dev
+    - name: Run tests
+      run: poetry run pytest -m "not unstable and not online"
+    - name: Upload coverage.xml as artifact
+      uses: actions/upload-artifact@v3
+      if: ${{ hashFiles('coverage.xml') != '' }}
+      with:
+        name: coverage.xml
+        path: ./coverage.xml
diff --git a/.github/workflows/sonar/action.yaml b/.github/workflows/sonar/action.yaml
@@ -0,0 +1,28 @@
+name: SonarCloud Scan
+description: Runs SonarCloud scan with coverage artifact
+
+inputs:
+  GITHUB_TOKEN:
+    required: true
+    description: GitHub token
+  SONAR_TOKEN:
+    required: true
+    description: SonarCloud token
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - uses: actions/download-artifact@v5
+      with:
+        name: coverage.xml
+        path: ./
+
+    - name: SonarCloud Scan
+      uses: SonarSource/sonarcloud-github-action@master
+      env:
+        GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
+        SONAR_TOKEN: ${{ inputs.SONAR_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -666,3 +666,4 @@ src/weather_provider_sources/
 # All of IDEA really
 .idea/
 !/htmlcov/
+/.act_secrets.ini
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
