7 changes: 4 additions & 3 deletions .github/workflows/build-docs.yml
@@ -1,54 +1,55 @@
name: Build documentation
name: CI / Docs

on:
push:
pull_request:
types: [opened, synchronize]

jobs:
build:
docs_build:
name: "Build"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.10"

- name: Get full Python version
id: full-python-version
run: echo ::set-output name=version::$(python -c "import sys; print('-'.join(str(v) for v in sys.version_info))")
run: python -c "import sys; print(f\"version={'-'.join(str(v) for v in sys.version_info)}\")" >> "$GITHUB_OUTPUT"

- name: Set up poetry
uses: Gr1N/setup-poetry@v9
with:
poetry-version: "2.3.1"

- name: Configure poetry
run: poetry config virtualenvs.in-project true

- name: Set up cache
uses: actions/cache@v5
id: cache
with:
path: .venv
key: venv-${{ steps.full-python-version.outputs.version }}-${{ hashFiles('**/poetry.lock') }}

- name: Ensure cache is healthy
if: steps.cache.outputs.cache-hit == 'true'
run: timeout 10s poetry run pip --version || rm -rf .venv

- name: Install dependencies
run: poetry install --with docs

- name: Build documentation
run: |
poetry run python -m mkdocs build --clean --site-dir ./_build/html --config-file mkdocs.yml

- uses: actions/upload-artifact@v6
name: Upload docs as artifact
with:
name: docs-html
path: './_build/html'
if-no-files-found: error

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
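Review bot: The third-party action `Gr1N/setup-poetry@v9` on the `Set up poetry` step is referenced by a mutable major-version tag, so the code this job runs with the repository checkout in reach is whatever that tag points to at run time; pinning to a full commit SHA with the version as a trailing comment, `uses: Gr1N/setup-poetry@<commit-sha>  # v9`, removes that dependence on the tag. The same applies to `Gr1N/setup-poetry@v9` and `codecov/codecov-action@v5` in integration-tests.yml and python-test.yml, and to the `actions/*` steps if the project wants one uniform policy. The rewritten `Get full Python version` step now appends `version=...` to `$GITHUB_OUTPUT`, which is the correct replacement for the deprecated `::set-output` and is what the `Set up cache` key consumes, so that part of the change looks right.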
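--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -0,0 +1,111 @@
+name: CI / Integrations / Tests
+
+on:
+push:
+pull_request:
+types: [opened, synchronize]
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.ref }}
+cancel-in-progress: true
+
+permissions:
+contents: read
+id-token: write
+
+jobs:
+integration_matrix:
+name: "${{ matrix.target.label }} / py${{ matrix.python-version }}"
+runs-on: ubuntu-latest
+strategy:
+matrix:
+target:
+- integration: aiohttp
+spec: ">=3.8,<4.0"
+label: "aiohttp-3.x"
+- integration: aiohttp
+spec: ">=3.11,<4.0"
+label: "aiohttp-3.11+"
+- integration: django
+spec: ">=4.0,<5.0"
+label: "django-4.x"
+- integration: django
+spec: ">=5.0,<6.0"
+label: "django-5.x"
+- integration: falcon
+spec: ">=4.0,<5.0"
+label: "falcon-4.x"
+- integration: fastapi
+spec: ">=0.111,<0.120"
+label: "fastapi-0.11x"
+- integration: fastapi
+spec: ">=0.120,<0.129"
+label: "fastapi-0.12x"
+- integration: flask
+spec: ">=2.0,<3.0"
+label: "flask-2.x"
+- integration: flask
+spec: ">=3.0,<4.0"
+label: "flask-3.x"
+- integration: requests
+spec: ""
+label: "requests-default"
+- integration: starlette
+spec: ">=0.40.0,<0.50.0"
+label: "starlette-0.4x"
+- integration: starlette
+spec: ">=0.50.0,<0.60.0"
+label: "starlette-0.5x"
+- integration: werkzeug
+spec: ""
+label: "werkzeug-default"
+python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
+fail-fast: false
+steps:
+- uses: actions/checkout@v6
+
+- name: Set up Python ${{ matrix.python-version }}
+uses: actions/setup-python@v6
+with:
+python-version: ${{ matrix.python-version }}
+
+- name: Get full Python version
+id: full-python-version
+run: python -c "import sys; print(f\"version={'-'.join(str(v) for v in sys.version_info)}\")" >> "$GITHUB_OUTPUT"
+
+- name: Set up poetry
+uses: Gr1N/setup-poetry@v9
+with:
+poetry-version: "2.3.1"
+
+- name: Configure poetry
+run: poetry config virtualenvs.in-project true
+
+- name: Set up cache
+uses: actions/cache@v5
+id: cache
+with:
+path: .venv
+key: venv-${{ steps.full-python-version.outputs.version }}-${{ hashFiles('**/poetry.lock') }}
+
+- name: Ensure cache is healthy
+if: steps.cache.outputs.cache-hit == 'true'
+run: timeout 10s poetry run pip --version || rm -rf .venv
+
+- name: Install dependencies
+run: poetry install --all-extras
+
+- name: Install framework variant
+if: matrix.target.spec != ''
+run: poetry run pip install "${{ matrix.target.integration }}${{ matrix.target.spec }}"
+
+- name: Test
+env:
+PYTEST_ADDOPTS: "--color=yes"
+run: poetry run pytest tests/integration/contrib/${{ matrix.target.integration }}
+
+- name: Upload coverage
+uses: codecov/codecov-action@v5
+with:
+flags: integration,${{ matrix.target.integration }},${{ matrix.target.label }},py${{ matrix.python-version }}
+name: integration-${{ matrix.target.integration }}-${{ matrix.target.label }}-py${{ matrix.python-version }}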
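Review bot: `id-token: write` in the workflow-level `permissions` block hands an OIDC token to the whole `integration_matrix` job, yet no step appears to use it — the `Upload coverage` step does not set `use_oidc`, so the Codecov action will upload tokenless or with whatever token it is given. Either drop `id-token: write` from the block, or, if Codecov OIDC upload is intended, add `use_oidc: true` under that step's `with:` and move the grant to a job-level `permissions:` so only this job receives it. Separately, the `.venv` cache key `venv-${{ steps.full-python-version.outputs.version }}-${{ hashFiles('**/poetry.lock') }}` does not include the matrix target, while the `Install framework variant` step pip-installs a different framework version into that same `.venv` before the cache post-step saves it; the first job to miss the cache persists its variant for every other target with the same Python version, and whether the later `poetry install --all-extras` fully re-syncs the lock file over that is not visible here. Appending `-${{ matrix.target.label }}` to the key keeps each variant's environment separate.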
5 changes: 3 additions & 2 deletions .github/workflows/python-publish.yml
@@ -1,7 +1,7 @@
# This workflow will upload a Python Package using Twine when a release is created
# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries

name: Publish python packages
name: CI / Publish

on:
workflow_dispatch:
Expand All @@ -10,7 +10,8 @@ on:
- published

jobs:
publish:
publish_pypi:
name: "PyPI"
runs-on: ubuntu-latest
permissions:
id-token: write
16 changes: 8 additions & 8 deletions .github/workflows/python-test.yml
@@ -1,106 +1,106 @@
# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions

name: Test python code
name: CI / Core / Tests

on:
push:
pull_request:
types: [opened, synchronize]

jobs:
test:
name: "Tests"
core_tests:
name: "py${{ matrix.python-version }}"
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
fail-fast: false
steps:
- uses: actions/checkout@v6

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}

- name: Get full Python version
id: full-python-version
run: echo ::set-output name=version::$(python -c "import sys; print('-'.join(str(v) for v in sys.version_info))")
run: python -c "import sys; print(f\"version={'-'.join(str(v) for v in sys.version_info)}\")" >> "$GITHUB_OUTPUT"

- name: Set up poetry
uses: Gr1N/setup-poetry@v9
with:
poetry-version: "2.3.1"

- name: Configure poetry
run: poetry config virtualenvs.in-project true

- name: Set up cache
uses: actions/cache@v5
id: cache
with:
path: .venv
key: venv-${{ steps.full-python-version.outputs.version }}-${{ hashFiles('**/poetry.lock') }}

- name: Ensure cache is healthy
if: steps.cache.outputs.cache-hit == 'true'
run: timeout 10s poetry run pip --version || rm -rf .venv

- name: Install dependencies
run: poetry install --all-extras

- name: Test
env:
PYTEST_ADDOPTS: "--color=yes"
run: poetry run pytest
run: poetry run pytest --ignore=tests/integration/contrib

- name: Static type check
run: poetry run mypy

- name: Check dependencies
run: poetry run deptry .

- name: Upload coverage
uses: codecov/codecov-action@v5

static-checks:
name: "Static checks"
static_checks:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI about 16 hours ago

In general, you should explicitly declare permissions for the workflow or for each job, granting only the minimal access required. For this workflow, both jobs (core_tests and static_checks) only need to read the repository contents and use external services (PyPI, Codecov). They do not appear to need any write access to the GitHub API. The best fix is to add a top-level permissions block that applies to all jobs, setting contents: read. This documents intent and ensures the token cannot be used to modify repository contents even if defaults are broad, without changing any existing functionality.

Concretely, in .github/workflows/python-test.yml, add a new root-level permissions: mapping, aligned with name: and on:, for example on a new line after name: CI / Core / Tests. The content should be:

permissions:
  contents: read

No other imports, steps, or job definitions need to change.

Suggested changeset 1
.github/workflows/python-test.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml
--- a/.github/workflows/python-test.yml
+++ b/.github/workflows/python-test.yml
@@ -2,6 +2,8 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 
 name: CI / Core / Tests
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -2,6 +2,8 @@
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions

name: CI / Core / Tests
permissions:
contents: read

on:
push:
name: "Core / Static Checks"
runs-on: ubuntu-latest
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v6

- name: "Setup Python"
uses: actions/setup-python@v6
with:
python-version: "3.10"

- name: Get full Python version
id: full-python-version
run: echo ::set-output name=version::$(python -c "import sys; print('-'.join(str(v) for v in sys.version_info))")
run: python -c "import sys; print(f\"version={'-'.join(str(v) for v in sys.version_info)}\")" >> "$GITHUB_OUTPUT"

- name: Set up poetry
uses: Gr1N/setup-poetry@v9
with:
poetry-version: "2.3.1"

- name: Configure poetry
run: poetry config virtualenvs.in-project true

- name: Set up cache
uses: actions/cache@v5
id: cache
with:
path: .venv
key: venv-${{ steps.full-python-version.outputs.version }}-${{ hashFiles('**/poetry.lock') }}

- name: Ensure cache is healthy
if: steps.cache.outputs.cache-hit == 'true'
run: timeout 10s poetry run pip --version || rm -rf .venv

- name: Install dependencies
run: poetry install

- name: Run static checks
run: poetry run pre-commit run -a

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
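Review bot: The `Upload coverage` step in `core_tests` (the `codecov/codecov-action@v5` step) sends its report with no `flags` or `name`, while the new integration workflow tags every upload with `flags: integration,...`; without a flag the core and integration reports land on Codecov as one undistinguished set. Adding `with:` followed by `flags: core` and `name: core-py${{ matrix.python-version }}` to that step keeps the two sets separate and mirrors the naming the integration workflow already uses. The `--ignore=tests/integration/contrib` on the `Test` step is consistent with those tests now running in their own workflow, but the path is duplicated between the two files and a rename would silently make the ignore a no-op; a one-line comment above it noting the pairing with integration-tests.yml would help the next maintainer.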