Skip to content

Comments

Add automated release pipeline for scanner#11

Merged
mgoldsborough merged 4 commits intomainfrom
chore/scanner-publish-workflow
Feb 20, 2026
Merged

Add automated release pipeline for scanner#11
mgoldsborough merged 4 commits intomainfrom
chore/scanner-publish-workflow

Conversation

@mgoldsborough
Copy link
Contributor

@mgoldsborough mgoldsborough commented Feb 19, 2026

Summary

  • Consolidate scanner version to single source of truth (pyproject.toml) — __init__.py and scanner.py now derive version via importlib.metadata, Dockerfile uses SCANNER_VERSION build arg
  • Add scanner-publish.yml: tag-triggered pipeline that verifies (ruff, ty, pytest), publishes to PyPI via trusted publishing (OIDC), and builds + pushes Docker image to ghcr.io/nimblebraininc/mpak-scanner
  • Document release process in README and CLAUDE.md
  • Add mpak.dev badge to README

Test plan

  • uv run ruff check src/ tests/ — clean
  • uv run ruff format --check src/ tests/ — clean
  • uv run ty check src/ — clean
  • uv run pytest -m "not e2e" — 114 passed
  • Merge, tag scanner-v0.2.4, verify publish pipeline runs end-to-end

@mgoldsborough
Add automated release pipeline for scanner
f507377 
- Consolidate version to single source of truth (pyproject.toml)
  - __init__.py and scanner.py now derive version via importlib.metadata
  - Dockerfile uses SCANNER_VERSION build arg
- Add scanner-publish.yml: tag-triggered pipeline
  - Verify (ruff, ty, pytest)
  - Publish to PyPI via trusted publishing (OIDC)
  - Build and push Docker image to ghcr.io/nimblebraininc/mpak-scanner
- Document release process in README and CLAUDE.md
- Add mpak.dev badge to README
JoeCardoso13
JoeCardoso13 approved these changes Feb 19, 2026
View reviewed changes
Copy link
Collaborator

@JoeCardoso13 JoeCardoso13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Solid PR — clean CI/CD pipeline with OIDC trusted publishing, proper version derivation from git tags, and a well-structured multi-stage Dockerfile. Three minor nits below, none blocking.

MINOR-1 — Dockerfile ARG default will become stale
(apps/scanner/Dockerfile)

CI always passes --build-arg SCANNER_VERSION=... from the git tag, so releases are correct. But the hardcoded default:

ARG SCANNER_VERSION=0.2.6

means anyone running docker build apps/scanner locally without --build-arg will silently install 0.2.6 even after future bumps. This is an improvement over the old fully-hardcoded pip install line, but the default will drift — slightly undermining the "single source of truth" claim.

MINOR-2 — Duplicate importlib.metadata calls
(apps/scanner/src/mpak_scanner/__init__.py, apps/scanner/src/mpak_scanner/scanner.py)

Both files independently call importlib.metadata.version("mpak-scanner") with identical try/except fallback to "0.0.0". They'll always return the same value. scanner.py could simply do:

from mpak_scanner import __version__ as SCANNER_VERSION

instead of duplicating the pattern.

NIT-3 — Release step instructions inconsistent between README.md and CLAUDE.md
(apps/scanner/README.md, apps/scanner/CLAUDE.md)

README (steps 3–4) separates "commit and push" from "tag and push" into two distinct steps. CLAUDE.md (step 3) combines commit, tag, and push into a single step. Neither is wrong, but the inconsistency could confuse contributors following one doc vs the other.

JoeCardoso13
JoeCardoso13 approved these changes Feb 19, 2026
View reviewed changes
Copy link
Collaborator

@JoeCardoso13 JoeCardoso13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Solid PR — clean CI/CD pipeline with OIDC trusted publishing, proper version derivation from git tags, and a well-structured multi-stage Dockerfile. Three minor nits below, none blocking.

MINOR-1 — Dockerfile ARG default will become stale
(apps/scanner/Dockerfile)

CI always passes --build-arg SCANNER_VERSION=... from the git tag, so releases are correct. But the hardcoded default:

ARG SCANNER_VERSION=0.2.6

means anyone running docker build apps/scanner locally without --build-arg will silently install 0.2.6 even after future bumps. This is an improvement over the old fully-hardcoded pip install line, but the default will drift — slightly undermining the "single source of truth" claim.

MINOR-2 — Duplicate importlib.metadata calls
(apps/scanner/src/mpak_scanner/__init__.py, apps/scanner/src/mpak_scanner/scanner.py)

Both files independently call importlib.metadata.version("mpak-scanner") with identical try/except fallback to "0.0.0". They'll always return the same value. scanner.py could simply do:

from mpak_scanner import __version__ as SCANNER_VERSION

instead of duplicating the pattern.

NIT-3 — Release step instructions inconsistent between README.md and CLAUDE.md
(apps/scanner/README.md, apps/scanner/CLAUDE.md)

README (steps 3–4) separates "commit and push" from "tag and push" into two distinct steps. CLAUDE.md (step 3) combines commit, tag, and push into a single step. Neither is wrong, but the inconsistency could confuse contributors following one doc vs the other.

@mgoldsborough mgoldsborough merged commit 041cf08 into main Feb 20, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JoeCardoso13 JoeCardoso13 JoeCardoso13 approved these changes

@shwetank-dev shwetank-dev Awaiting requested review from shwetank-dev

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mgoldsborough @JoeCardoso13