Deployment
This page describes how VANE’s artefacts are built and published by continuous integration.
Continuous integration
Every push and pull request to main or develop runs the CI workflow:
Lint & type check — installs the package from its metadata (pip install -e ".[dev]"), then runs ruff check, ruff format --check, and mypy src/.
Tests — installs .[dev] and runs pytest with the coverage gate on Python 3.10, 3.11, and 3.12.
PR review summary — posts a checklist of the check results on pull requests.
Documentation
The Docs workflow builds the Sphinx site with warnings treated as errors
(sphinx-build -W -b html docs docs/_build/html) on every push and pull request,
and uploads the built HTML as a workflow artifact. To build locally:
pip install -e ".[docs]"
sphinx-build -b html docs docs/_build/html
# open docs/_build/html/index.html
Package publishing
Pushing a vX.Y.Z tag triggers the Publish workflow’s build job, which
builds the wheel and source distribution (python -m build) and uploads them as a
workflow artifact. The PyPI upload runs only when the workflow is started manually
(workflow_dispatch) from the Actions tab, so tagging a release does not auto-upload
— the maintainer triggers the upload once PyPI trusted publishing is configured and
the release is intended. See Release checklist for the steps that lead up to a
tag.
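The trigger and gating arrangement described above, sketched as a GitHub Actions workflow. This is an added example, not VANE's actual workflow file; the job names, the pypi environment name, the action versions and the Python version are assumptions.

```yaml
# Added illustration; job names, environment name and versions are assumptions.
name: Publish

on:
  push:
    tags: ["v*.*.*"]          # a release tag runs the build job only
  workflow_dispatch:          # manual start from the Actions tab

permissions:
  contents: read              # default for every job: read-only token

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install build
      - run: python -m build              # wheel + sdist into dist/
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    # Skipped on tag pushes: the upload happens only on a manual run.
    if: github.event_name == 'workflow_dispatch'
    needs: build
    runs-on: ubuntu-latest
    environment: pypi                     # assumed environment name
    permissions:
      id-token: write                     # OIDC token for PyPI trusted publishing
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Only the publish job is granted id-token: write, so the build job, which runs on every tag push, never holds a token that can be exchanged for PyPI credentials. A manual run builds whichever ref is selected in the Actions tab, so start it from the release tag to upload exactly the tagged source.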
Security scanning
The Security workflow runs static security analysis of the source with
bandit (gating on medium-or-higher severity findings) and an advisory dependency
vulnerability audit with pip-audit, on every push and pull request and on a
weekly schedule.