
release: v0.11.5 (G11.0.4 / F24 corrective) #72


Workflow file for this run

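name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least-privilege default for GITHUB_TOKEN: every job gets read-only
# repository access unless it declares its own `permissions` block
# (the two Sigstore smoke-test jobs do, to add `id-token: write`).
permissions:
  contents: read

# NOTE(review): supply-chain pinning. The `uses:` references below
# (@v4 / @v5) and the pip git requirement (@v0.11.1) are tag-style
# refs, which can be moved by whoever controls the upstream repository.
# Pinning each to a full commit SHA makes the executed code immutable.
# This matters most in the two jobs that hold `id-token: write`: any
# code that runs there can request an OIDC token for this workflow's
# identity.
jobs:
  lint:
    # Style and type checks plus once-only repo-hygiene gates.
    # Runs in ~10 seconds. Failing fast here saves the test matrix
    # from running on style-broken code. The em-dash check and the
    # origin-tag-presence gate live here (not in test) because they
    # are once-only checks; running them per-Python-version would
    # be redundant.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config, where the
          # dependencies and test code run by later steps could read it.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install "git+https://github.com/BayyinahEnterprise/furqan-programming-language.git@v0.11.1"
          pip install -e ".[dev,onnx,gate11,gate11-rust]"
      - name: Ruff lint
        run: ruff check .
      - name: Ruff format
        run: ruff format --check .
      - name: Mypy
        run: mypy
      - name: Em-dash check
        run: |
          # CODE_OF_CONDUCT.md is Contributor Covenant v2.1 verbatim;
          # third-party text is excluded per the policy that bans
          # em-dashes from project-authored prose only.
          if LC_ALL=C.UTF-8 grep -rPn --exclude=CODE_OF_CONDUCT.md '[\x{2013}\x{2014}]' src/ tests/ README.md CHANGELOG.md pyproject.toml; then
            echo "Em-dash or en-dash found in source, tests, README, CHANGELOG, or pyproject.toml"
            exit 1
          fi
          echo "Em-dash check: clean"
      - name: Origin tag presence gate
        run: python scripts/verify_origin_tags.py

  test-python-only:
    # The Python-only install path. Adapter tests self-skip via the
    # §7.11-enforced skip-guards. Pinning that the full pytest -q
    # suite passes here is the empirical guarantee that the no-
    # extras user does not see traceback-style failures.
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install "git+https://github.com/BayyinahEnterprise/furqan-programming-language.git@v0.11.1"
          pip install -e ".[dev,onnx]"
      - name: Run tests
        run: python -m pytest -q
      - name: Verify version sync
        run: |
          # Fail the job when the package's __version__ and the version
          # recorded in pyproject.toml disagree. tomllib is stdlib from
          # Python 3.11; older interpreters fall back to tomli.
          python -c "
          from furqan_lint import __version__
          import sys
          if sys.version_info >= (3, 11):
              import tomllib
          else:
              import tomli as tomllib
          with open('pyproject.toml', 'rb') as f:
              v = tomllib.load(f)['project']['version']
          assert __version__ == v, f'{__version__} != {v}'
          print(f'Version sync OK: {__version__}')
          "

  test-rust:
    # The Rust-extras install path. Runs the full pytest -q suite;
    # rust-adapter tests run for real, go-adapter tests self-skip.
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install "git+https://github.com/BayyinahEnterprise/furqan-programming-language.git@v0.11.1"
          pip install -e ".[dev,rust,onnx]"
      - name: Run tests
        run: python -m pytest -q

  test-go:
    # The Go-extras install path. Runs the full pytest -q suite;
    # go-adapter tests run for real, rust-adapter tests self-skip.
    # Sets up the Go 1.22 toolchain so the [go] extra's PEP 517
    # build hook can compile the bundled goast binary.
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.22"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install "git+https://github.com/BayyinahEnterprise/furqan-programming-language.git@v0.11.1"
          pip install -e ".[dev,go,onnx]"
      - name: Run tests
        run: python -m pytest -q

  test-full:
    # The everything-installed path. Pin that rust + go extras
    # coexist on a single environment without conflict and that
    # the full pytest -q suite passes with zero skips. Python 3.12
    # only; the matrix coverage of rust + go individually across
    # 3.10-3.13 is sufficient.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.22"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install "git+https://github.com/BayyinahEnterprise/furqan-programming-language.git@v0.11.1"
          pip install -e ".[dev,rust,go,onnx]"
      - name: Run tests
        run: python -m pytest -q

  test-onnx-runtime:
    # The [onnx-runtime] + [onnx-profile] install path (v0.9.4
    # Part 5b(c)). Runs the full pytest -q suite so the
    # CHANGELOG-math gate runs at full strength in CI (round-34
    # HIGH-2b closure: pre-v0.9.4 the gate's onnxruntime-skip
    # workaround meant the gate never ran with full extras in
    # CI; arithmetic drift in the CHANGELOG ### Tests line was
    # caught only on developer machines).
    #
    # Single Python version (3.12) sufficient for substrate
    # coverage; the matrix's other jobs cover py 3.10-3.13
    # cross-cutting concerns. Both [onnx-runtime] (v0.9.3
    # numpy_divergence) and [onnx-profile] (v0.9.4 score_validity)
    # are installed so all five ONNX checkers run end-to-end.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install "git+https://github.com/BayyinahEnterprise/furqan-programming-language.git@v0.11.1"
          pip install -e ".[dev,onnx,onnx-runtime,onnx-profile,gate11,gate11-rust]"
      - name: Run tests
        run: python -m pytest -q

  gate11-smoke-test:
    # Phase G11.0 / T10: end-to-end Sigstore sign + verify smoke
    # test. Runs only on push to `main` (not on PRs from forks)
    # because it requires the ambient GitHub OIDC token, which
    # forked-PR workflows do not receive. The smoke test exercises
    # the sign-then-verify round-trip on a fixture module via
    # `FURQAN_LINT_GATE11_SMOKE_TEST=1` per T06's smoke-test
    # contract.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # `id-token: write` lets steps in this job request an OIDC token
    # for the workflow identity; repository access stays read-only.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Keep GITHUB_TOKEN out of .git/config in a job that also
          # installs and runs third-party packages.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install "git+https://github.com/BayyinahEnterprise/furqan-programming-language.git@v0.11.1"
          pip install -e ".[dev,gate11]"
      - name: Sign and verify a fixture module via ambient OIDC
        env:
          FURQAN_LINT_GATE11_SMOKE_TEST: "1"
        run: python -m pytest tests/test_gate11_signing.py -v
      - name: Use the CLI to verify the bundle end to end
        run: |
          # The smoke test wrote an example fixture and bundle into
          # the test's tmp_path. For a CLI-shaped end-to-end pin we
          # also exercise `furqan-lint manifest verify` against a
          # bundle the workflow produces directly, rather than the
          # one in the test's tempdir which is cleaned up.
          # NOTE(review): as written, the script below only checks that
          # `--help` lists the manifest subcommand; it does not run
          # `manifest verify` on any bundle.
          python -c "
          import os, subprocess, sys
          os.environ['FURQAN_LINT_GATE11_SMOKE_TEST'] = '1'
          # The smoke test in T06 already did the round-trip; here
          # we just confirm the CLI entry point is reachable.
          r = subprocess.run([sys.executable, '-m', 'furqan_lint.cli', '--help'],
                             capture_output=True, text=True, check=True)
          assert 'manifest' in r.stdout, r.stdout
          print('CLI help includes manifest subcommand')
          "

  gate11-rust-smoke-test:
    # Phase G11.1 / T06: end-to-end Sigstore sign + verify smoke
    # test for the Rust pipeline. Same gating as
    # gate11-smoke-test (push to main only; id-token: write).
    # The Rust pipeline reuses sigstore-python (no FFI to
    # sigstore-rs in v1; v1.5 horizon item per Yusuf Horizon
    # discipline), so the install matrix is the existing
    # [gate11-rust] extra plus the [rust] extra for the legacy
    # tree-sitter-rust adapter.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # `id-token: write` lets steps in this job request an OIDC token
    # for the workflow identity; repository access stays read-only.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Keep GITHUB_TOKEN out of .git/config in a job that also
          # installs and runs third-party packages.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install "git+https://github.com/BayyinahEnterprise/furqan-programming-language.git@v0.11.1"
          pip install -e ".[dev,gate11,gate11-rust,rust]"
      - name: Sign and verify a fixture .rs module via ambient OIDC
        env:
          FURQAN_LINT_GATE11_SMOKE_TEST: "1"
        run: |
          # Build a minimal .rs fixture, sign it via the manifest
          # init pipeline, then verify the resulting bundle.
          # Identity policy is asserted via --expected-identity
          # against the GitHub Actions OIDC SAN pattern.
          python -c "
          import os, subprocess, sys, tempfile, re
          from pathlib import Path
          tmp = Path(tempfile.mkdtemp())
          rs = tmp / 'lib.rs'
          rs.write_text('pub fn smoke(a: i32, b: i32) -> i32 { a + b }')
          # Sign:
          subprocess.run([sys.executable, '-m', 'furqan_lint.cli',
                          'manifest', 'init', str(rs)], check=True)
          bundle = rs.parent / (rs.name + '.furqan.manifest.sigstore')
          assert bundle.exists(), 'bundle not written'
          # Verify with the GitHub Actions OIDC SAN pattern. The literal
          # parts go through re.escape so that dots and any other regex
          # metacharacters in the host, repository or ref match only
          # themselves instead of acting as wildcards.
          # NOTE(review): the remaining wildcard accepts a certificate
          # issued to any workflow file of this repository at this ref;
          # GITHUB_WORKFLOW_REF names the running workflow if a tighter
          # policy is wanted. Also confirm that the CLI anchors the
          # pattern (full match) and does not search for it.
          prefix = re.escape('https://github.com/')
          repo = re.escape(os.environ['GITHUB_REPOSITORY'])
          wf_dir = re.escape('/.github/workflows/')
          ref = re.escape(os.environ['GITHUB_REF'])
          pattern = f'{prefix}{repo}{wf_dir}.*@{ref}'
          subprocess.run([sys.executable, '-m', 'furqan_lint.cli',
                          'manifest', 'verify', str(bundle),
                          '--expected-identity', pattern,
                          '--expected-issuer',
                          'https://token.actions.githubusercontent.com'],
                         check=True)
          print('Rust manifest signed + verified end to end via ambient OIDC')
          "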