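---
name: publish
# Build the Python package with uv and publish it to the self-hosted Gitea PyPI
# registry on a version tag. Gated on lint + tests so a release can never ship
# red. Publishing reuses the existing REGISTRY_TOKEN package secret (the same one
# docker.yml uses to push images); if it is absent the job fails loudly instead
# of publishing anonymously.
#
# NOTE(review): the action refs below (`@v4`, `@v5`) are mutable tags. Pinning
# them to full commit SHAs (after verifying the ref) would remove the supply-
# chain dependency on the tag not being moved. No `permissions:` block is set,
# so the workflow token keeps the runner's default scope; the publish step only
# uses REGISTRY_TOKEN, so `permissions: contents: read` should be safe to add
# once confirmed the Gitea runner honours it.

on:
  push:
    tags:
      - 'v*'

jobs:
  # ---------------------------------------------------------------------------
  # 1. Lint: ruff + black + mypy (same gate as the other workflows).
  # ---------------------------------------------------------------------------
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements-dev.txt
      - name: Run lint
        run: |
          ruff check src tests
          ruff format --check src tests
          black --check src tests
          mypy src

  # ---------------------------------------------------------------------------
  # 2. Test: pytest with coverage gate.
  # ---------------------------------------------------------------------------
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements-dev.txt
      - name: Run tests
        run: pytest --cov=aegis_gitea_mcp --cov-report=term-missing --cov-fail-under=80

  # ---------------------------------------------------------------------------
  # 3. Build with uv and publish to the Gitea PyPI registry.
  # ---------------------------------------------------------------------------
  publish:
    needs: [lint, test]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Set up uv
        uses: astral-sh/setup-uv@v5
      # Fail early, before anything is built or uploaded, when the secret is
      # missing. An empty password would otherwise reach `uv publish` and only
      # fail there (or, worse, be accepted by a misconfigured registry).
      - name: Require publish credentials
        shell: bash
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          if [ -z "${REGISTRY_TOKEN}" ]; then
            echo "::error::REGISTRY_TOKEN secret is not set." >&2
            echo "Configure a PAT with write:package as the REGISTRY_TOKEN Actions secret." >&2
            exit 1
          fi
      - name: Build sdist + wheel
        shell: bash
        run: uv build
      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/*
      - name: Publish to Gitea PyPI registry
        shell: bash
        env:
          # Reuse the existing package secret (same one docker.yml uses). The
          # token authenticates as its owning Gitea user, so GITHUB_ACTOR is the
          # username and the token is the password.
          #
          # Credentials are handed to uv through its UV_PUBLISH_* environment
          # variables rather than as `--username`/`--password` arguments: a
          # secret on the command line is visible in the process table to every
          # other process on the runner and in any `set -x` / shell trace
          # output, whereas the environment is not.
          UV_PUBLISH_USERNAME: ${{ github.actor }}
          UV_PUBLISH_PASSWORD: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          uv publish \
            --publish-url https://git.hiddenden.cafe/api/packages/Hiddenden/pypi

      # Optional second step to also publish to public PyPI lives behind its own
      # secret. Intentionally left as a disabled stub — this pass does NOT push
      # to public PyPI.
      #
      # NOTE(review): on GitHub-hosted runners the `secrets` context is not
      # available in a step `if:` (only in `env`/`with`/`run`); if this stub is
      # ever enabled, expose the secret as an env var and test that in the
      # condition instead. Also prefer UV_PUBLISH_PASSWORD over `--password` for
      # the same argv-exposure reason as above.
      #
      # - name: Publish to public PyPI
      #   if: ${{ secrets.PYPI_TOKEN != '' }}
      #   shell: bash
      #   env:
      #     PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
      #   run: uv publish --username __token__ --password "${PYPI_TOKEN}"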