ci: add GitHub Actions workflows for phase-1 readiness

[w7-mgfcode]

Summary

• Add schema-validation.yml for migration drift detection and downgrade/upgrade cycle testing
• Add dependency-check.yml for weekly pip-audit vulnerability scanning with SARIF output
• Add phase-snapshot.yml for audit snapshots on phase-* branches with annotated tags
• Add cd-release.yml for automated semantic versioning releases via release-please

Test plan

• Verify schema-validation triggers on model/migration changes
• Trigger dependency-check manually via workflow_dispatch
• Push to phase-0 branch to test phase-snapshot
• Merge to main to test cd-release (creates release PR)

🤖 Generated with Claude Code

Summary by Sourcery

Add CI workflows for schema validation, security scanning, phase snapshotting, and automated releases.

Build:

• Configure release-please manifest and config files to drive automated release versioning and changelog generation.

CI:

• Introduce schema validation workflow to check Alembic migrations, detect schema drift, and verify downgrade/upgrade cycles on relevant code changes.
• Add scheduled and manually-triggerable dependency security scan workflow using pip-audit with SARIF reporting and artifacts.
• Create phase snapshot workflow for phase-* branches to run full validation, generate audit artifacts, and push annotated snapshot tags.
• Add CD release workflow integrating release-please to automate semantic versioning releases and Python package build/upload.

Summary by CodeRabbit

• Chores
  • Established automated release pipeline to streamline package versioning and publication
  • Configured weekly security vulnerability scanning for dependencies with detailed reports
  • Implemented database schema validation to ensure data model consistency
  • Added comprehensive CI/CD workflow documentation with visual process diagrams

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[sourcery-ai]

Reviewer's Guide

Adds a set of GitHub Actions workflows to support phase-branch audit snapshots, schema validation with migration drift detection, weekly dependency vulnerability scanning, and automated semantic-release-style CD via release-please, wired around a uv-based Python toolchain and Postgres test DBs.

Sequence diagram for CD release creation and packaging

sequenceDiagram
  actor Dev
  participant GitHub
  participant ReleaseWorkflow as Release_please_workflow
  participant BuildWorkflow as Build_package_workflow
  participant ReleasePlease as release_please_action
  participant GHReleases as GitHub_Releases

  Dev->>GitHub: Push commit to main
  GitHub->>ReleaseWorkflow: Trigger CD Release workflow

  ReleaseWorkflow->>ReleasePlease: Run release-please-action with config/manifest
  ReleasePlease-->>ReleaseWorkflow: Outputs release_created, tag_name, version

  alt Release created
    ReleaseWorkflow-->>BuildWorkflow: needs release-please with release_created == true
    GitHub->>BuildWorkflow: Start build-package job

    BuildWorkflow->>GitHub: Checkout repository at tag_name
    BuildWorkflow->>BuildWorkflow: Install uv, Python, build dependency
    BuildWorkflow->>BuildWorkflow: Build distribution artifacts (dist/*)
    BuildWorkflow->>GHReleases: Upload dist/* to release tag
    BuildWorkflow->>GitHub: Upload dist/ as workflow artifact
  else No release created
    ReleaseWorkflow-->>Dev: No new release (no changes or already released)
  end

Loading

Flow diagram for Phase Snapshot workflow jobs

flowchart TD
  Trigger["Push to phase-* branch"] --> ValidateJob

  subgraph ValidateJob["Job: validate (Full Validation)"]
    V1["Checkout code"] --> V2["Start Postgres pgvector service"]
    V2 --> V3["Install uv and Python 3.12"]
    V3 --> V4["uv sync dependencies (dev + extras)"]
    V4 --> V5["Lint: ruff check + format --check"]
    V5 --> V6["Type check: mypy app/ and pyright app/"]
    V6 --> V7["Run migrations: alembic upgrade head"]
    V7 --> V8["Run tests: pytest -v"]

    V5 -->|lint_status| ValidateOutputs
    V6 -->|typecheck_status| ValidateOutputs
    V7 -->|migration_status| ValidateOutputs
    V8 -->|test_status| ValidateOutputs
  end

  ValidateOutputs["Expose job outputs: lint/typecheck/test/migration statuses"] --> SnapshotJob

  subgraph SnapshotJob["Job: create-snapshot (Audit Snapshot)"]
    S1["Checkout code with full history"] --> S2["Install uv and Python 3.12"]
    S2 --> S3["Extract phase number from branch name"]
    S3 --> S4["Generate snapshot metadata (timestamp, SHAs, tag name)"]
    S4 --> S5["Collect audit data: audit-data.json and requirements-frozen.txt"]
    S5 --> S6["Generate SNAPSHOT-REPORT.md"]
    S6 --> S7["Upload audit artifact (1 year retention)"]
    S7 --> S8["Create annotated git tag and push"]
    S8 --> S9["Write GitHub Actions summary"]
  end

  ValidateJob -->|needs validate| SnapshotJob

Loading

Flow diagram for Schema Validation workflow

flowchart TD
  TriggerPush["Push affecting alembic/models/database"] --> SchemaJob
  TriggerPR["PR affecting alembic/models/database"] --> SchemaJob

  subgraph SchemaJob["Job: schema-validation (Validate Database Schema)"]
    S1["Checkout code"] --> S2["Start Postgres pgvector schema DB"]
    S2 --> S3["Install uv and Python 3.12"]
    S3 --> S4["uv sync dependencies (dev + extras)"]

    S4 --> S5["Fresh DB migration test: alembic upgrade head"]
    S5 --> S6["Check migration chain: alembic heads single head enforcement"]
    S6 --> S7["Schema drift detection: alembic check"]
    S7 --> S8["Downgrade/upgrade cycle: downgrade -1 then upgrade head and compare revisions"]
    S8 --> S9["Generate schema report in GitHub summary (history + current)"]
  end

Loading

Flow diagram for Dependency Security Check workflow

flowchart TD
  TriggerCron["Weekly schedule (Sun 00:00 UTC)"] --> ScanJob
  TriggerManual["workflow_dispatch with fail_on_severity"] --> ScanJob

  subgraph ScanJob["Job: vulnerability-scan (Python Vulnerability Scan)"]
    D1["Checkout code"] --> D2["Install uv and Python 3.12"]
    D2 --> D3["uv sync dependencies (dev + extras)"]
    D3 --> D4["Install pip-audit via uv pip"]

    D4 --> D5["Export requirements from uv lock to requirements-audit.txt"]
    D5 --> D6["Run pip-audit JSON, write audit-results.json (non-failing)"]
    D6 --> D7["Run pip-audit SARIF, write audit-results.sarif (non-failing)"]

    D7 --> D8["Upload SARIF to GitHub Security tab"]
    D6 --> D9["Upload JSON audit artifact and requirements-audit.txt"]

    D9 --> D10["Analyze vulnerabilities using jq, write summary and has_vulnerabilities output"]
    D10 --> D11["Fail job if has_vulnerabilities true and threshold met"]
  end

Loading

Flow diagram for CD Release workflow

flowchart TD
  TriggerMain["Push to main"] --> ReleaseJob

  subgraph ReleaseJob["Job: release-please"]
    R1["Run googleapis/release-please-action"] --> R2["Read release-please-config.json and .release-please-manifest.json"]
    R2 --> R3["Create or update Release PR and Git tag"]
    R3 --> R4["Set outputs: release_created, tag_name, version, upload_url"]
  end

  ReleaseJob -->|release_created == 'true'| BuildJob

  subgraph BuildJob["Job: build-package"]
    B1["Checkout code at released tag"] --> B2["Install uv and Python 3.12"]
    B2 --> B3["Install build dependency via uv pip"]
    B3 --> B4["Build Python package: python -m build (dist/*)"]
    B4 --> B5["Upload artifacts to GitHub Release using gh release upload"]
    B5 --> B6["Upload dist/ as Actions artifact"]
    B6 --> B7["Generate GitHub summary with tag, version, and artifact listing"]
  end

Loading

File-Level Changes

Change	Details	Files
Introduce phase-* branch snapshot workflow that runs full validation, produces audit artifacts, and tags the commit.	Trigger on pushes to phase-* branches with concurrency control and shared env for Python, uv, and snapshot database URL Add validate job that provisions a pgvector Postgres service, installs dependencies with uv, then runs lint (ruff), type checks (mypy, pyright), Alembic migrations, and pytest tests, exposing each step outcome as job outputs Add create-snapshot job that depends on validation, extracts the phase number from the branch, generates snapshot metadata (timestamp, SHAs, tag name), and collects audit data into JSON and requirements snapshot Generate a human-readable markdown snapshot report, upload audit artifacts with 1-year retention, create an annotated Git tag summarizing validation results, and append a run summary to the Actions job summary	.github/workflows/phase-snapshot.yml
Add weekly dependency security scanning workflow using pip-audit with SARIF and JSON outputs.	Trigger workflow weekly via cron and manually via workflow_dispatch with a configurable fail_on_severity input, and enforce concurrency per ref Set up uv-managed Python environment and install project dependencies plus pip-audit Run pip-audit twice: once to emit JSON results and once to emit SARIF, exporting requirements from the uv lockfile Upload SARIF results to GitHub Security and JSON plus requirements as artifacts, then analyze the JSON to summarize vulnerabilities and optionally fail the job when vulnerabilities are present at or above the chosen severity threshold (approximated as any vulnerability for high/critical)	.github/workflows/dependency-check.yml
Add schema validation workflow to guard Alembic migrations and ORM models against drift and migration issues.	Trigger on pushes and PRs that touch alembic migrations, model modules, or the database core, using concurrency and a dedicated schema test database URL Provision a pgvector Postgres service and install dependencies with uv in a Python 3.12 environment Run a fresh migration to head to ensure full migration chain applies cleanly Verify there is a single Alembic head to detect branched migration history, fail if multiple heads are present Use alembic check to detect schema drift between models and the database, failing with guidance if drift is found Perform a downgrade/upgrade cycle test to verify migration reversibility and revision consistency Emit a schema validation report into the Actions job summary including Alembic history and current state	.github/workflows/schema-validation.yml
Introduce CD workflow that uses release-please to manage semantic versioning releases and build Python packages on new releases.	Trigger on pushes to main with concurrency disabled from cancelling in-progress runs for the same ref Run release-please GitHub Action with repo-specific config and manifest files, exposing whether a release was created and associated tag/version outputs Conditionally build the Python package only when a release is created, checking out the release tag and using uv to set up Python and install build tooling Build distributions via python -m build, upload built artifacts to the corresponding GitHub Release via gh release upload, and store them as Actions artifacts with versioned names Generate a release summary in the Actions job summary, including tag, artifact listing, and release link	.github/workflows/cd-release.yml release-please-config.json .release-please-manifest.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

This pull request introduces a comprehensive CI/CD infrastructure layer consisting of four new GitHub Actions workflows for release automation, dependency vulnerability scanning, phase-based snapshot auditing, and database schema validation. It also adds release-please configuration for version management and accompanying documentation with workflow diagrams.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/cd-release.yml, .github/workflows/dependency-check.yml, .github/workflows/phase-snapshot.yml, .github/workflows/schema-validation.yml	Four new workflow files: CD Release (release-please + package build/upload on main push), Dependency Security Check (weekly vulnerability scanning with JSON/SARIF audit outputs), Phase Snapshot (validation + audit snapshot generation on phase-* branches), and Schema Validation (Alembic migration and drift detection on schema-related changes).
Release Configuration release-please-config.json, .release-please-manifest.json	Release management configuration: defines Python release type for forecastlabai package with changelog and pyproject.toml tracking; manifest initializes version at 0.1.0.
Workflow Documentation & Diagrams docs/github/diagrams/README.md, docs/github/diagrams/cd-release-*.md, docs/github/diagrams/dependency-check-flow.md, docs/github/diagrams/phase-snapshot-flow.md, docs/github/diagrams/schema-validation-flow.md	Documentation index and five Mermaid diagrams visualizing workflow triggers, jobs, steps, and decision logic for release, dependency checks, phase snapshots, and schema validation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 Workflows now dance in the GitHub light,
Release and validation running right,
Snapshots and schemas in harmony blend,
From push to production, a trusty friend! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and concisely summarizes the main objective: adding GitHub Actions workflows for phase-1 readiness, which matches the changeset's primary purpose.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• In dependency-check.yml, the fail_on_severity input and severity-threshold logic don’t actually vary behavior by severity (pip-audit has no severity data and the job fails on any vulnerability for high/critical), so consider either simplifying the interface or explicitly encoding the intended mapping (e.g., fail on any vuln vs. only those with fixes) to avoid a misleading configuration knob.
• In dependency-check.yml’s Analyze vulnerabilities step, the CRITICAL_COUNT variable is computed but never used, and the jq filter is more complex than needed given the current logic—either wire this into the decision to fail the job or remove it to keep the script minimal and easier to maintain.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `dependency-check.yml`, the `fail_on_severity` input and severity-threshold logic don’t actually vary behavior by severity (pip-audit has no severity data and the job fails on any vulnerability for `high`/`critical`), so consider either simplifying the interface or explicitly encoding the intended mapping (e.g., fail on any vuln vs. only those with fixes) to avoid a misleading configuration knob.
- In `dependency-check.yml`’s Analyze vulnerabilities step, the `CRITICAL_COUNT` variable is computed but never used, and the jq filter is more complex than needed given the current logic—either wire this into the decision to fail the job or remove it to keep the script minimal and easier to maintain.

## Individual Comments

### Comment 1
<location> `.github/workflows/dependency-check.yml:105-114` </location>
<code_context>
+          SEVERITY_THRESHOLD="${{ github.event.inputs.fail_on_severity || 'high' }}"
</code_context>

<issue_to_address>
**issue (bug_risk):** The `fail_on_severity` input is effectively ignored for `low` and `medium` and only applied for `high`/`critical`.

Because `has_vulnerabilities` is only set when `SEVERITY_THRESHOLD` is `high` or `critical`, `low` and `medium` are effectively no-ops: the job will never fail for those values regardless of `TOTAL_VULNS`, which contradicts the idea of a minimum severity threshold.

Since pip-audit only exposes `TOTAL_VULNS`, consider treating any nonzero count as exceeding the configured threshold:
- If `fail_on_severity` is `low`, fail when `TOTAL_VULNS > 0`.
- Apply the same behavior for `medium`, `high`, and `critical`, or at least explicitly handle `low`/`medium` so they’re not silently ignored.
</issue_to_address>

### Comment 2
<location> `.github/workflows/dependency-check.yml:62-67` </location>
<code_context>
+      - name: Install pip-audit
+        run: uv pip install pip-audit
+
+      - name: Run pip-audit (JSON output)
+        id: audit_json
+        continue-on-error: true
+        run: |
+          # Export requirements from uv lock file
+          uv export --format requirements-txt --all-extras > requirements-audit.txt
+
+          # Run pip-audit with JSON output for artifact
+          uv run pip-audit \
+            --requirement requirements-audit.txt \
+            --format json \
</code_context>

<issue_to_address>
**suggestion (bug_risk):** Running pip-audit with `|| true` and `continue-on-error: true` makes failures indistinguishable from a clean run.

Using both `continue-on-error: true` and `|| true` prevents you from telling “no vulnerabilities” apart from “pip-audit never ran” via exit codes.

Since the next step checks for `audit-results.json`, consider keeping only one mechanism. For example, drop `|| true` but keep `continue-on-error: true` so the workflow continues while still exposing a failed audit in the step outcome and via the missing results file.

```suggestion
          uv run pip-audit \
            --requirement requirements-audit.txt \
            --format json \
            --output audit-results.json \
            --desc on
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[w7-mgfcode]

Thanks for the thorough review @sourcery-ai! I've addressed all comments in commit 3cdc593:

Changes made:

1. Simplified fail_on_severity → fail_on_vulnerabilities (boolean)

   • Since pip-audit doesn't provide severity data, the severity threshold was misleading
   • New boolean input is honest about what it controls: fail on any vulnerability or just report

2. Removed unused CRITICAL_COUNT variable

   • Cleaned up the jq logic to only compute what's actually used

3. Removed redundant || true from pip-audit commands

   • continue-on-error: true already allows the workflow to proceed
   • Exit code is now preserved in step outcome for better observability
   • Added explicit error when audit-results.json is missing to distinguish "no vulnerabilities" from "pip-audit failed"

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/phase-snapshot.yml:
- Around line 170-172: Replace the placeholder echo (echo "" >>
audit-output/audit-data.json) with real file-statistics collection: either
remove the placeholder line, or implement commands to compute and store stats
(e.g., count files by type, total file count, total size) and write them to a
proper output (e.g., audit-output/file-stats.txt or append a JSON object into
audit-output/audit-data.json); update the step in phase-snapshot.yml so the
command producing stats runs in the same workspace and ensures output file(s)
are created and committed to the audit-output directory.

🧹 Nitpick comments (3)

.github/workflows/schema-validation.yml (1)

69-76: Consider refining head count logic.

The grep -c "^[a-f0-9]" counts lines matching the pattern, but alembic heads output format may vary. If Alembic outputs heads on separate lines, this works correctly. However, using wc -l after filtering might be more explicit.

♻️ Optional refinement

-          HEAD_COUNT=$(echo "$HEADS" | grep -c "^[a-f0-9]" || true)
+          HEAD_COUNT=$(echo "$HEADS" | grep -E "^[a-f0-9]+" | wc -l)

.github/workflows/cd-release.yml (1)

63-66: Consider using uv run for consistency.

Other steps use uv run to execute Python commands, but here python -m build is called directly. While this should work after uv python install, using uv run ensures the correct Python environment is used.

♻️ Suggested refinement

       - name: Build package
         run: |
-          python -m build
+          uv run python -m build
           ls -la dist/

docs/github/diagrams/README.md (1)

17-38: Add language identifier to fenced code block.

The markdownlint tool flagged the missing language specifier. Adding text or plaintext improves accessibility and silences the linter.

Suggested fix

-```
+```text
 ┌─────────────────────────────────────────────────────────────────┐

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Incomplete "File statistics" section.

The comment suggests file statistics should be collected, but the implementation only appends an empty line. This appears to be an incomplete placeholder.

Suggested fix: Either remove the placeholder or implement file statistics

-          # File statistics
-          echo "" >> audit-output/audit-data.json

Or implement actual file statistics collection if intended:

# File statistics (append to a separate file to keep JSON valid)
echo "Total files: $(find . -type f -name '*.py' | wc -l)" > audit-output/file-stats.txt

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# File statistics
	echo "" >> audit-output/audit-data.json

🤖 Prompt for AI Agents

In @.github/workflows/phase-snapshot.yml around lines 170 - 172, Replace the
placeholder echo (echo "" >> audit-output/audit-data.json) with real
file-statistics collection: either remove the placeholder line, or implement
commands to compute and store stats (e.g., count files by type, total file
count, total size) and write them to a proper output (e.g.,
audit-output/file-stats.txt or append a JSON object into
audit-output/audit-data.json); update the step in phase-snapshot.yml so the
command producing stats runs in the same workspace and ensures output file(s)
are created and committed to the audit-output directory.