fix issues (#78)

* fix issues

* fix issues

* fix issues

Author: bahmanzadeh

.github/workflows/dependabot-auto-merge.yml

@@ -12,8 +12,13 @@ permissions:
   contents: write
   pull-requests: write
 
+concurrency:
+  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 jobs:
   auto-merge:
+    name: dependabot-auto-merge
     if: github.actor == 'dependabot[bot]' && github.event.pull_request.draft == false
     runs-on: ubuntu-latest
     steps:
@@ -25,32 +30,70 @@ jobs:
 
       - name: Evaluate update type
         id: eligibility
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
         run: |
-          update_type="${{ steps.metadata.outputs.update-type }}"
-          case "$update_type" in
-            version-update:semver-patch|version-update:semver-minor)
-              echo "eligible=true" >> "$GITHUB_OUTPUT"
-              ;;
-            *)
-              echo "eligible=false" >> "$GITHUB_OUTPUT"
-              ;;
-          esac
-          echo "update_type=$update_type" >> "$GITHUB_OUTPUT"
+          set -euo pipefail
+          update_type="${UPDATE_TYPE}"
+          eligible=false
+          reason=""
+
+          is_allowed_path() {
+            local path="$1"
+            [[ "${path}" =~ ^\.github/workflows/[^/]+\.ya?ml$ ]] || \
+              [[ "${path}" =~ ^\.github/actions/.+/action\.ya?ml$ ]]
+          }
+
+          if [[ "${HEAD_REF}" != dependabot/github_actions/* ]]; then
+            reason="Dependabot PR is not from the github-actions ecosystem (${HEAD_REF})."
+          else
+            mapfile -t files < <(gh pr view "${PR_NUMBER}" --repo "${GITHUB_REPOSITORY}" --json files --jq '.files[].path')
+            if [[ "${#files[@]}" -eq 0 ]]; then
+              reason="Dependabot PR has no changed files."
+            else
+              for path in "${files[@]}"; do
+                if ! is_allowed_path "${path}"; then
+                  reason="Changed file '${path}' is outside workflow automation scope."
+                  eligible=false
+                  break
+                fi
+              done
+
+              if [[ -z "${reason}" ]]; then
+                eligible=true
+              fi
+            fi
+          fi
+
+          echo "eligible=${eligible}" >> "$GITHUB_OUTPUT"
+          echo "update_type=${update_type}" >> "$GITHUB_OUTPUT"
+          echo "reason=${reason}" >> "$GITHUB_OUTPUT"
 
       - name: Auto-approve Dependabot update
+        if: steps.eligibility.outputs.eligible == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh pr review --approve "${{ github.event.pull_request.html_url }}"
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: gh pr review --approve "${PR_URL}"
 
       - name: Enable auto-merge
         if: steps.eligibility.outputs.eligible == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh pr merge --auto "${{ github.event.pull_request.html_url }}"
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: gh pr merge --auto --squash "${PR_URL}"
 
-      - name: Skip auto-merge for non patch/minor updates
+      - name: Skip auto-merge for non-workflow or non-github-actions updates
         if: steps.eligibility.outputs.eligible != 'true'
+        env:
+          DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
+          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
+          REASON: ${{ steps.eligibility.outputs.reason }}
         run: |
           echo "Skipping auto-merge for Dependabot update."
-          echo "Dependency names: ${{ steps.metadata.outputs.dependency-names }}"
-          echo "Update type: ${{ steps.metadata.outputs.update-type }}"
+          echo "Dependency names: ${DEPENDENCY_NAMES}"
+          echo "Update type: ${UPDATE_TYPE}"
+          echo "Reason: ${REASON}"

.github/workflows/mysterybox-bridge-charts-ci.yml

@@ -5,12 +5,18 @@ on:
     paths:
       - "services/mysterybox-bridge/charts/**"
       - ".github/workflows/mysterybox-bridge-charts-ci.yml"
+  push:
+    branches: ["main"]
+    paths:
+      - "services/mysterybox-bridge/charts/**"
+      - ".github/workflows/mysterybox-bridge-charts-ci.yml"
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 concurrency:
-  group: mysterybox-bridge-chart-lint-and-tests-${{ github.ref }}
+  group: mysterybox-bridge-chart-lint-and-tests-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -31,9 +37,19 @@ jobs:
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2.8.0
 
-      - name: Run ct lint
+      - name: Run ct lint for changed charts
+        if: github.event_name == 'pull_request'
+        env:
+          TARGET_BRANCH: ${{ github.base_ref }}
+        run: |
+          set -euo pipefail
+          ct lint --config services/mysterybox-bridge/charts/ct.yaml --target-branch "${TARGET_BRANCH}"
+
+      - name: Run ct lint for all charts
+        if: github.event_name != 'pull_request'
         run: |
-          ct lint --config services/mysterybox-bridge/charts/ct.yaml --target-branch "${{ github.base_ref }}"
+          set -euo pipefail
+          ct lint --config services/mysterybox-bridge/charts/ct.yaml --all
 
   render-snapshots:
     name: mysterybox-bridge-render-snapshot-tests
@@ -42,11 +58,20 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
 
       - name: Set up Helm
         uses: azure/setup-helm@v4
         with:
           version: v3.15.4
 
       - name: Verify chart render snapshots
-        run: python3 services/mysterybox-bridge/charts/tests/all_tests.py
+        run: |
+          set -euo pipefail
+          python3 services/mysterybox-bridge/charts/tests/all_tests.py

.github/workflows/mysterybox-bridge-image.yml

@@ -1,12 +1,17 @@
 name: mysterybox-bridge-image
 
 on:
+  pull_request:
+    paths:
+      - "services/mysterybox-bridge/webhook/**"
+      - ".github/workflows/mysterybox-bridge-image.yml"
   push:
     branches: ["main"]
     tags:
       - "mysterybox-bridge-v*"
     paths:
       - "services/mysterybox-bridge/webhook/**"
+      - ".github/workflows/mysterybox-bridge-image.yml"
   workflow_dispatch:
     inputs:
       source_ref:
@@ -28,7 +33,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: mysterybox-bridge-image-${{ github.ref }}
+  group: mysterybox-bridge-image-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 env:
@@ -37,7 +42,7 @@ env:
 
 jobs:
   test:
-    name: lint-and-test
+    name: mysterybox-bridge-lint-and-test
     runs-on: ubuntu-latest
     defaults:
       run:
@@ -46,6 +51,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
+          fetch-depth: 0
           ref: ${{ inputs.source_ref || github.ref }}
 
       - name: Set up Python
@@ -55,25 +61,31 @@ jobs:
 
       - name: Install dependencies
         run: |
+          set -euo pipefail
           python -m pip install --upgrade pip
           pip install -e ".[dev]"
 
       - name: Lint
         run: python -m ruff check src tests
 
-      - name: Test
-        run: python -m pytest -q tests
+      - name: Unit tests
+        run: python -m pytest -q -m "not integration" tests/unit
+
+      - name: Integration smoke tests
+        run: python -m pytest -q -m integration tests/integration
 
   build-and-push:
-    name: build-and-push
+    name: mysterybox-bridge-build-and-push
     runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
     needs: [test]
     environment:
       name: mysterybox-image-publish
     steps:
       - name: Checkout
         uses: actions/checkout@v6
         with:
+          fetch-depth: 0
           ref: ${{ inputs.source_ref || github.ref }}
 
       - name: Authorize workflow_dispatch actor
@@ -110,11 +122,17 @@ jobs:
             exit 1
           fi
 
-          if [[ "${PUBLISH_LATEST}" == "true" && "${SOURCE_REF}" != "main" ]]; then
+          if [[ "${PUBLISH_LATEST}" == "true" && "${SOURCE_REF}" != "main" && "${SOURCE_REF}" != "refs/heads/main" ]]; then
             echo "::error::publish_latest=true is only allowed with source_ref=main"
             exit 1
           fi
 
+      - name: Resolve source commit
+        id: source
+        run: |
+          set -euo pipefail
+          echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
@@ -155,7 +173,7 @@ jobs:
           EVENT_NAME: ${{ github.event_name }}
           REF_NAME: ${{ github.ref_name }}
           REF_TYPE: ${{ github.ref_type }}
-          SHA: ${{ github.sha }}
+          SHA: ${{ steps.source.outputs.sha }}
           RELEASE_VERSION: ${{ inputs.release_version }}
           PUBLISH_LATEST: ${{ inputs.publish_latest }}
         run: |
@@ -218,7 +236,7 @@ jobs:
             --arg event "${GITHUB_EVENT_NAME}" \
             --arg ref "${GITHUB_REF}" \
             --arg ref_name "${GITHUB_REF_NAME}" \
-            --arg sha "${GITHUB_SHA}" \
+            --arg sha "${{ steps.source.outputs.sha }}" \
             --arg digest "${IMAGE_DIGEST}" \
             --arg run_id "${GITHUB_RUN_ID}" \
             --arg run_attempt "${GITHUB_RUN_ATTEMPT}" \
@@ -255,7 +273,7 @@ jobs:
             echo "- Actor: \`${GITHUB_ACTOR}\`"
             echo "- Event: \`${GITHUB_EVENT_NAME}\`"
             echo "- Ref: \`${GITHUB_REF}\`"
-            echo "- Commit: \`${GITHUB_SHA}\`"
+            echo "- Commit: \`${{ steps.source.outputs.sha }}\`"
             echo "- Digest: \`${IMAGE_DIGEST}\`"
             echo ""
             echo "#### Tags"

.github/workflows/nebius-cxcli-ci.yml

@@ -5,31 +5,47 @@ on:
     paths:
       - "services/nebius-cxcli/**"
       - ".github/workflows/nebius-cxcli-ci.yml"
+      - ".github/workflows/nebius-cxcli-release.yml"
   push:
     branches: [main]
     paths:
       - "services/nebius-cxcli/**"
       - ".github/workflows/nebius-cxcli-ci.yml"
+      - ".github/workflows/nebius-cxcli-release.yml"
+  workflow_dispatch:
 
 permissions:
   contents: read
 
+concurrency:
+  group: nebius-cxcli-ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  test:
+  verify:
+    name: nebius-cxcli-ci
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: services/nebius-cxcli
     steps:
       - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
       - uses: actions/setup-python@v6
         with:
           python-version: "3.12"
       - name: Install dependencies
         run: |
+          set -euo pipefail
           python -m pip install --upgrade pip
           pip install -e ".[dev]"
       - name: Lint
         run: python -m ruff check src tests
       - name: Test
         run: python -m pytest -q
+      - name: Build wheel
+        run: |
+          set -euo pipefail
+          rm -rf build dist
+          python -m build --wheel