name: publish # Build the Python package with uv and publish it to the self-hosted Gitea PyPI # registry on a version tag. Gated on lint + tests so a release can never ship # red. Publishing uses least-privilege Gitea Actions secrets; if they are absent # the job fails loudly instead of publishing anonymously. on: push: tags: - 'v*' jobs: # --------------------------------------------------------------------------- # 1. Lint: ruff + black + mypy (same gate as the other workflows). # --------------------------------------------------------------------------- lint: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.12" - name: Install dependencies run: | python -m pip install --upgrade pip pip install -r requirements-dev.txt - name: Run lint run: | ruff check src tests ruff format --check src tests black --check src tests mypy src # --------------------------------------------------------------------------- # 2. Test: pytest with coverage gate. # --------------------------------------------------------------------------- test: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.12" - name: Install dependencies run: | python -m pip install --upgrade pip pip install -r requirements-dev.txt - name: Run tests run: pytest --cov=aegis_gitea_mcp --cov-report=term-missing --cov-fail-under=80 # --------------------------------------------------------------------------- # 3. Build with uv and publish to the Gitea PyPI registry. # --------------------------------------------------------------------------- publish: needs: [lint, test] runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.12" - name: Set up uv uses: astral-sh/setup-uv@v5 - name: Require publish credentials shell: bash env: GITEA_PACKAGE_USER: ${{ secrets.GITEA_PACKAGE_USER }} GITEA_PACKAGE_TOKEN: ${{ secrets.GITEA_PACKAGE_TOKEN }} run: | if [ -z "${GITEA_PACKAGE_USER}" ] || [ -z "${GITEA_PACKAGE_TOKEN}" ]; then echo "::error::GITEA_PACKAGE_USER / GITEA_PACKAGE_TOKEN secrets are not set." >&2 echo "Configure a least-privilege PAT with write:package as Actions secrets." >&2 exit 1 fi - name: Build sdist + wheel shell: bash run: uv build - name: Upload build artifacts uses: actions/upload-artifact@v4 with: name: dist path: dist/* - name: Publish to Gitea PyPI registry shell: bash env: GITEA_PACKAGE_USER: ${{ secrets.GITEA_PACKAGE_USER }} GITEA_PACKAGE_TOKEN: ${{ secrets.GITEA_PACKAGE_TOKEN }} run: | uv publish \ --publish-url https://git.hiddenden.cafe/api/packages/Hiddenden/pypi \ --username "${GITEA_PACKAGE_USER}" \ --password "${GITEA_PACKAGE_TOKEN}" # Optional second step to also publish to public PyPI lives behind its own # secret. Intentionally left as a disabled stub — this pass does NOT push # to public PyPI. # # - name: Publish to public PyPI # if: ${{ secrets.PYPI_TOKEN != '' }} # shell: bash # env: # PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} # run: uv publish --username __token__ --password "${PYPI_TOKEN}"