CI/CD & Infrastructure
CI pipeline (ci.yml)
Runs on every push to main and on pull requests.
| Job | What it does |
|---|---|
| lint | ruff check + ruff format --check |
| type-check | mypy in strict mode |
| test | pytest with coverage across Python 3.11, 3.12, 3.13. Uploads to Codecov on 3.12 |
| audit | pip-audit for known dependency vulnerabilities |
All jobs use astral-sh/setup-uv with dependency caching.
Workflows pin third-party and first-party GitHub Actions to immutable commit SHAs, and set an explicit uv version for reproducibility.
Docs deploy (docs.yml)
On push to main, builds the MkDocs site and deploys to GitHub Pages. just init-remote enables Pages automatically.
Standards enforcement
Commit messages and PR titles follow Conventional Commits:
feat: add user authentication
fix: resolve timeout in data loader
docs: update API reference
refactor: simplify config parsing
| Layer | Tool | Where |
|---|---|---|
| Commit messages (local) | commitizen pre-commit hook | Validates on git commit |
| Commit messages (CI) | cz check in commit-lint.yml | Validates all commits in a PR |
| PR titles | action-semantic-pull-request in pr-title.yml | Blocks merge if invalid |
| Issues | YAML form templates | Required fields, dropdowns |
Valid types: feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert.
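To make the rule concrete, here is an added example (not commitizen's or the template's own code) that parses a commit subject against the Conventional Commits header shape and the type list above, and reports which subjects in a batch would be rejected, the way a PR-wide check does. The sample subjects are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Valid types as listed in the template's standards.
VALID_TYPES = frozenset({
    "feat", "fix", "docs", "style", "refactor", "perf",
    "test", "build", "ci", "chore", "revert",
})

# Conventional Commits header: <type>[(scope)][!]: <description>
_HEADER_RE = re.compile(
    r"^(?P<type>[a-z]+)(?:\((?P<scope>[^()\s]+)\))?(?P<breaking>!)?"
    r": (?P<description>\S.*)$"
)

@dataclass(frozen=True)
class CommitHeader:
    type: str
    scope: str | None
    breaking: bool
    description: str

def parse_header(subject: str) -> CommitHeader | None:
    """Parse a commit subject line; None means the lint would reject it."""
    m = _HEADER_RE.match(subject.strip())
    if m is None or m["type"] not in VALID_TYPES:
        return None
    return CommitHeader(m["type"], m["scope"], m["breaking"] is not None,
                        m["description"])

def check_messages(subjects: list[str]) -> list[str]:
    """Return the subjects that fail, mirroring a PR-wide commit check."""
    return [s for s in subjects if parse_header(s) is None]

if __name__ == "__main__":
    # Constructed sample subjects, not taken from the project's history.
    sample = [
        "feat: add user authentication",
        "fix(loader): resolve timeout in data loader",
        "refactor!: simplify config parsing",
        "Update README",        # no type prefix
        "feature: add thing",   # not a valid type
        "docs:missing space",   # malformed separator
    ]
    for bad in check_messages(sample):
        print(f"rejected: {bad!r}")
```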
Branch protection
just init-remote automatically configures branch protection on main:
- Required status checks: lint, type-check, test (3.11/3.12/3.13), audit
- Require up-to-date branches before merge
- Block force pushes and branch deletion
Publishing to PyPI (publish.yml)
Triggers on GitHub Releases using trusted publishers (no API tokens):
- Go to pypi.org → your project → Publishing → Add a new publisher
- Enter: repo namitdeb739/python-template, workflow publish.yml, environment pypi
- Create a GitHub Release: builds with uv build and publishes automatically