ci: add comprehensive GitHub Actions CI/CD pipeline

Murat Kaan Meral · Containerized Agent · commit a2040af726e0 · 2026-01-28T16:25:50.000Z
- Add test-lint.yml workflow for unit tests and linting
  - Test matrix: Python 3.10-3.13 on Linux, Windows, macOS
  - Comprehensive linting with ruff
- Add pr-and-push.yml for automated PR and main branch checks
  - Concurrency control to prevent duplicate runs
  - Automatic test and lint on PR events
- Add pypi-publish-on-release.yml for automated PyPI deployment
  - Uses PyPI Trusted Publisher for secure release
  - Validates version format before publishing
- Add PULL_REQUEST_TEMPLATE.md for standardized PR submissions
- Update dependabot.yml with pip and GitHub Actions monitoring
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,35 @@
+## Description
+
+<!-- Provide a detailed description of the changes in this PR -->
+
+## Related Issues
+
+<!-- Link to related issues using #issue-number format -->
+
+## Type of Change
+
+<!-- Choose one of the following types of changes, delete the rest -->
+
+Bug fix
+New Feature
+Breaking change
+Documentation update
+Other (please describe):
+
+## Testing
+
+How have you tested the change?
+
+- [ ] I ran `hatch run prepare`
+- [ ] All tests pass locally
+
+## Checklist
+- [ ] I have read the CONTRIBUTING document
+- [ ] I have added any necessary tests that prove my fix is effective or my feature works
+- [ ] I have updated the documentation accordingly
+- [ ] My changes generate no new warnings
+- [ ] Any dependent changes have been merged and published
+
+----
+
+By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,10 +7,14 @@ updates:
     open-pull-requests-limit: 100
     commit-message:
       prefix: ci
+    groups:
+      dev-dependencies:
+        patterns:
+          - "pytest"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
     open-pull-requests-limit: 100
     commit-message:
-      prefix: ci
+      prefix: ci
diff --git a/.github/workflows/pr-and-push.yml b/.github/workflows/pr-and-push.yml
@@ -3,7 +3,7 @@ name: Pull Request and Push Action
 on:
   pull_request:  # Safer than pull_request_target for untrusted code
     branches: [ main ]
-    types: [opened, synchronize, reopened, ready_for_review, review_requested, review_request_removed]
+    types: [opened, synchronize, reopened, ready_for_review]
   push:
     branches: [ main ]  # Also run on direct pushes to main
 concurrency:
@@ -16,4 +16,4 @@ jobs:
     permissions:
       contents: read
     with:
-      ref: ${{ github.event.pull_request.head.sha || github.sha }}
+      ref: ${{ github.event.pull_request.head.sha || github.sha }}
diff --git a/.github/workflows/pypi-publish-on-release.yml b/.github/workflows/pypi-publish-on-release.yml
@@ -22,37 +22,37 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.10'
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.10'
 
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install hatch twine
-      - name: Validate version
-        run: |
-          version=$(hatch version)
-          if [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-              echo "Valid version format"
-              exit 0
-          else
-              echo "Invalid version format"
-              exit 1
-          fi
-      - name: Build
-        run: |
-          hatch build
-      - name: Store the distribution packages
-        uses: actions/upload-artifact@v4
-        with:
-          name: python-package-distributions
-          path: dist/
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install hatch twine
+    - name: Validate version
+      run: |
+        version=$(hatch version)
+        if [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Valid version format"
+            exit 0
+        else
+            echo "Invalid version format"
+            exit 1
+        fi
+    - name: Build
+      run: |
+        hatch build
+    - name: Store the distribution packages
+      uses: actions/upload-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
 
   deploy:
     name: Upload release to PyPI
@@ -70,10 +70,10 @@ jobs:
       id-token: write
 
     steps:
-      - name: Download all the dists
-        uses: actions/download-artifact@v4
-        with:
-          name: python-package-distributions
-          path: dist/
-      - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+    - name: Download all the dists
+      uses: actions/download-artifact@v4
+      with:
+        name: python-package-distributions
+        path: dist/
+    - name: Publish distribution 📦 to PyPI
+      uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/.github/workflows/test-lint.yml b/.github/workflows/test-lint.yml
@@ -1,4 +1,4 @@
-name: Lint
+name: Test and Lint
 
 on:
   workflow_call:
@@ -8,6 +8,65 @@ on:
         type: string
 
 jobs:
+  unit-test:
+    name: Unit Tests - Python ${{ matrix.python-version }} - ${{ matrix.os-name }}
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+       include:
+        # Linux
+        - os: ubuntu-latest
+          os-name: 'linux'
+          python-version: "3.10"
+        - os: ubuntu-latest
+          os-name: 'linux'
+          python-version: "3.11"
+        - os: ubuntu-latest
+          os-name: 'linux'
+          python-version: "3.12"
+        - os: ubuntu-latest
+          os-name: 'linux'
+          python-version: "3.13"
+        # Windows
+        - os: windows-latest
+          os-name: 'windows'
+          python-version: "3.10"
+        - os: windows-latest
+          os-name: 'windows'
+          python-version: "3.11"
+        - os: windows-latest
+          os-name: 'windows'
+          python-version: "3.12"
+        - os: windows-latest
+          os-name: 'windows'
+          python-version: "3.13"
+        # MacOS - latest only; not enough runners for macOS
+        - os: macos-latest
+          os-name: 'macOS'
+          python-version: "3.13"
+      fail-fast: true
+    runs-on: ${{ matrix.os }}
+    env:
+      LOG_LEVEL: DEBUG
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}  # Explicitly define which commit to check out
+          persist-credentials: false  # Don't persist credentials for subsequent actions
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          pip install --no-cache-dir hatch
+      - name: Run Unit tests
+        id: tests
+        run: hatch test tests --cover
+        continue-on-error: false
+
   lint:
     name: Lint
     runs-on: ubuntu-latest
@@ -32,5 +91,5 @@ jobs:
 
       - name: Run lint
         id: lint
-        run: hatch run lint
-        continue-on-error: false
+        run: hatch run test-lint
+        continue-on-error: false
