fix(hooks): scope PreToolUse to mutating tools, drop PostToolUse capture #122
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: ${{ matrix.package }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # The root `ultan` plugin package (the runtime) and tools/ultan were | |
| # previously unguarded — added so quality runs on every package. | |
| - package: . | |
| python-version: "3.12" | |
| - package: daemon | |
| python-version: "3.10" | |
| - package: tools/search | |
| python-version: "3.10" | |
| - package: tools/ultan | |
| python-version: "3.12" | |
| defaults: | |
| run: | |
| working-directory: ${{ matrix.package }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: astral-sh/setup-uv@v6 | |
| with: | |
| enable-cache: true | |
| # The workspace root uv.lock is the only lockfile — member dirs | |
| # resolve against it (`uv sync --locked` from a member validates | |
| # the root lock), so it is the correct cache key for every job. | |
| cache-dependency-glob: uv.lock | |
| - name: Install dependencies | |
| run: uv sync --locked | |
| - name: Lint (ruff) | |
| run: uv run ruff check . | |
| - name: Format check (ruff) | |
| run: uv run ruff format --check . | |
| - name: Type check (pyright) | |
| run: uv run pyright | |
| - name: Tests (pytest) | |
| run: uv run pytest | |
| env: | |
| # The tools/search (and daemon) suites download embedding + | |
| # cross-encoder models from the HuggingFace Hub at test time. | |
| # Unauthenticated requests are rate-limited — a transient HTTP 429 | |
| # then fails the whole job with "couldn't connect to huggingface.co". | |
| # A token raises the per-account ceiling so CI stops flaking on it. | |
| # Optional secret: empty on forks / if unset, which just reverts to | |
| # the unauthenticated (rate-limited) behaviour — no hard dependency. | |
| HF_TOKEN: ${{ secrets.HF_TOKEN }} | |
| version-coherence: | |
| # Guard: plugin.json version, every workspace package version, and the | |
| # install-spec refs must agree (see scripts/check-version-coherence.sh). | |
| # Stops a half-bumped workspace or a drifted plugin.json install spec from | |
| # reaching `main`. | |
| name: version-coherence | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check version coherence | |
| run: bash scripts/check-version-coherence.sh | |
| ci-success: | |
| # Single required check for branch protection. It goes green only when | |
| # every job above has succeeded, so protection on `main` can require | |
| # just this one context — adding/removing CI jobs never means editing | |
| # the protection settings. `if: always()` makes it run (and report | |
| # red) even when a needed job fails or is cancelled, so it can't be | |
| # skipped past a failing matrix. | |
| name: ci-success | |
| if: always() | |
| needs: [build, version-coherence] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Require all CI jobs to have passed | |
| run: | | |
| echo "build=${{ needs.build.result }} version-coherence=${{ needs.version-coherence.result }}" | |
| test "${{ needs.build.result }}" = "success" | |
| test "${{ needs.version-coherence.result }}" = "success" |