forging-blocks-org · gbrennon · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/.github/actions/install-dependencies/action.yml b/.github/actions/install-dependencies/action.yml
@@ -0,0 +1,50 @@
+name: Install Dependencies
+description: A GitHub Action to set up Poetry and install project dependencies.
+
+inputs:
+  groups:
+    description: "Poetry groups to install (e.g., 'dev', 'docs', 'dev,docs')"
+    default: ""
+  with-git-cliff:
+    description: "Whether to install git-cliff"
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.14.3"
+
+    - name: Install Poetry
+      run: pip install poetry
+      shell: bash
+
+    - name: Configure Poetry
+      run: |
+        poetry config virtualenvs.create true
+        poetry config virtualenvs.in-project true
+      shell: bash
+
+    - name: Cache Poetry dependencies
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.cache/pypoetry
+          .venv
+        key: poetry-${{ runner.os }}-${{ hashFiles('**/poetry.lock') }}
+        restore-keys: |
+          poetry-${{ runner.os }}-
+
+    - name: Install dependencies
+      run: |
+        if [ -n "${{ inputs.groups }}" ]; then
+          poetry install --no-interaction --with "${{ inputs.groups }}"
+        else
+          poetry install --no-interaction
+        fi
+      shell: bash
+
+    - name: Install git-cliff
+      if: inputs.with-git-cliff == 'true'
+      uses: ./.github/actions/install-git-cliff
diff --git a/.github/actions/setup-lint-tools/action.yml b/.github/actions/setup-lint-tools/action.yml
@@ -0,0 +1,13 @@
+name: Setup Lint Tools
+description: A GitHub Action to install lint tools (yamllint, shellcheck).
+
+runs:
+  using: composite
+  steps:
+    - name: Install yamllint
+      run: pip install yamllint --break-system-packages
+      shell: bash
+
+    - name: Install shellcheck
+      run: pip install shellcheck-py --break-system-packages
+      shell: bash
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,6 +17,9 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Setup lint tools
+        uses: ./.github/actions/setup-lint-tools
+
       - name: Lint Workflow Files (YAML)
         uses: ibiqlik/action-yamllint@v3
         with:
@@ -29,22 +32,22 @@ jobs:
       - name: Lint Shell Scripts
         run: shellcheck --external-sources scripts/pipeline/*.sh
 
-      - name: Set up Poetry
-        uses: ./.github/actions/setup-poetry
-
-      - name: Install git-cliff
-        uses: ./.github/actions/install-git-cliff
-
       - name: Install dependencies
-        run: poetry install --no-interaction --with dev
+        uses: ./.github/actions/install-dependencies
+        with:
+          groups: dev
+          with-git-cliff: true
 
       - name: Validate Pipeline Env Contracts
+        if: github.actor != 'nektos/act'
         run: poetry run python scripts/pipeline/validate_env_contracts.py
 
       - name: Run CI checks
+        if: github.actor != 'nektos/act'
         run: poetry run poe ci:check
 
       - name: Run tests
+        if: github.actor != 'nektos/act'
         run: poetry run poe test
 
       - name: Extract Version
@@ -62,22 +65,17 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - name: Verify OIDC token is available
-        run: |
-          TOKEN=$(curl --silent --fail \
-            -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=pypi" \
-            | python3 -c "import sys,json; print(json.load(sys.stdin)['value'][:10])")
-          if [ -z "$TOKEN" ]; then
-            echo "OIDC token request failed" >&2
-            exit 1
-          fi
-          echo "OIDC token available"
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Validate OIDC Tokens
+        run: bash scripts/pipeline/validate_tokens.sh
 
   validate-publish:
     runs-on: ubuntu-latest
     needs: test
     if: github.event_name == 'pull_request'
+    environment: pypi
     permissions:
       id-token: write
     env:
@@ -102,7 +100,6 @@ jobs:
           PACKAGE_NAME: "forging-blocks"
           IMPORT_NAME: "forging_blocks"
           VERSION: "${{ needs.test.outputs.VERSION }}"
-          TEST_PYPY_TOKEN: "${{ env.TEST_PYPY_TOKEN }}"
         run: |
           chmod +x ./scripts/pipeline/validate_publish.sh
           ./scripts/pipeline/validate_publish.sh

diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
@@ -11,8 +11,18 @@ jobs:
   deploy-docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/setup-poetry
-      - run: poetry install --no-interaction --with docs
-      - run: poetry run python scripts/generate_autodoc_pages.py
-      - run: poetry run mkdocs gh-deploy --force --clean
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+        with:
+          groups: docs
+
+      - name: Generate Autodoc Pages
+        if: github.actor != 'nektos/act'
+        run: poetry run python scripts/generate_autodoc_pages.py
+
+      - name: Deploy to GitHub Pages
+        if: github.actor != 'nektos/act'
+        run: poetry run mkdocs gh-deploy --force --clean
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,40 @@
+name: Lint
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint-workflow-files:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup lint tools
+        uses: ./.github/actions/setup-lint-tools
+
+      - name: Lint Workflow Files (YAML)
+        uses: ibiqlik/action-yamllint@v3
+        with:
+          file_or_dir: .github/workflows/ .github/actions/
+          strict: true
+
+      - name: Lint Workflow Files (Actions)
+        uses: raven-actions/actionlint@v2
+
+  lint-shell-scripts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup lint tools
+        uses: ./.github/actions/setup-lint-tools
+
+      - name: Lint Shell Scripts
+        run: shellcheck --external-sources scripts/pipeline/*.sh
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
@@ -0,0 +1,36 @@
+name: Prepare Release
+
+on:
+  pull_request:
+    types: [closed]
+
+permissions:
+  contents: write
+
+jobs:
+  prepare-release:
+    if: >
+      github.event.pull_request.merged == true &&
+      startsWith(github.event.pull_request.head.ref, 'release/v')
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Prepare Release and Tagging
+        id: prep
+        env:
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+        run: bash scripts/pipeline/prepare_release.sh
+
+      - name: Validate Release Version
+        env:
+          RELEASE_VERSION: ${{ steps.prep.outputs.version }}
+        run: bash scripts/pipeline/validate_release_version.sh
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -0,0 +1,35 @@
+name: Publish Release
+
+on:
+  pull_request:
+    types: [closed]
+
+permissions:
+  contents: write
+
+jobs:
+  publish-release:
+    if: >
+      github.event.pull_request.merged == true &&
+      startsWith(github.event.pull_request.head.ref, 'release/v')
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+
+      - name: Build and validate artifacts
+        run: bash scripts/pipeline/validate_artifacts.sh
+
+      - name: Publish to PyPI
+        if: github.actor != 'nektos/act'
+        uses: pypa/gh-action-pypi-publish@v1.13.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -35,11 +35,8 @@ jobs:
           RELEASE_VERSION: ${{ steps.prep.outputs.version }}
         run: bash scripts/pipeline/validate_release_version.sh
 
-      - name: Set up Poetry
-        uses: ./.github/actions/setup-poetry
-
       - name: Install dependencies
-        run: poetry install --no-interaction
+        uses: ./.github/actions/install-dependencies
 
       - name: Build and validate artifacts
         run: bash scripts/pipeline/validate_artifacts.sh

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,40 @@
+name: Test
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    outputs:
+      VERSION: ${{ steps.get-version.outputs.VERSION }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+        with:
+          groups: dev
+          with-git-cliff: true
+
+      - name: Validate Pipeline Env Contracts
+        if: github.actor != 'nektos/act'
+        run: poetry run python scripts/pipeline/validate_env_contracts.py
+
+      - name: Run CI checks
+        if: github.actor != 'nektos/act'
+        run: poetry run poe ci:check
+
+      - name: Run tests
+        if: github.actor != 'nektos/act'
+        run: poetry run poe test
+
+      - name: Extract Version
+        id: get-version
+        run: echo "VERSION=$(poetry version -s)" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/validate-artifacts.yml b/.github/workflows/validate-artifacts.yml
@@ -0,0 +1,24 @@
+name: Validate Artifacts
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  validate-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+        with:
+          groups: dev
+
+      - name: Build and Validate Artifacts
+        run: bash scripts/pipeline/validate_artifacts.sh
diff --git a/scripts/pipeline/act-release.sh b/scripts/pipeline/act-release.sh
@@ -35,11 +35,20 @@ cat > "$EVENT_FILE" <<EOF
 }
 EOF
 
+PODMAN_SOCK="${XDG_RUNTIME_DIR}/podman/podman.sock"
+
+if [[ ! -S "$PODMAN_SOCK" ]]; then
+  echo "Podman socket not found at $PODMAN_SOCK" >&2
+  echo "Start it with: systemctl --user start podman.socket" >&2
+  exit 1
+fi
+
 echo "Using head.ref: release/${VERSION}"
+echo "Using podman socket: $PODMAN_SOCK"
 
-act pull_request \
+DOCKER_HOST="unix://${PODMAN_SOCK}" act pull_request \
   -j release \
   -W "$REPO_ROOT/.github/workflows/release.yml" \
-  --container-daemon-socket "$XDG_RUNTIME_DIR/podman/podman.sock" \
+  --container-daemon-socket "$PODMAN_SOCK" \
   --secret-file "$REPO_ROOT/.secrets.act" \
   -e "$EVENT_FILE"
diff --git a/scripts/pipeline/validate_env_contracts.py b/scripts/pipeline/validate_env_contracts.py
@@ -96,6 +96,8 @@ def ok(self) -> bool:
         "HOME",
         "PATH",
         "ACT",
+        "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
+        "ACTIONS_ID_TOKEN_REQUEST_URL",
     }
 )
-Original file line number
+Diff line change
@@ Expand Up / @@ -96,6 +96,8 @@ def ok(self) -> bool: @@
             "HOME",
             "PATH",
             "ACT",
+            "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
+            "ACTIONS_ID_TOKEN_REQUEST_URL",
         }
     )
@@ Expand Down @@