This directory contains the CI/CD workflows for the SAP Cloud SDK for Python.

The CI pipeline is split into three independent workflows for optimal performance and security:

Trigger: pull_request (runs on all PRs) Purpose: Fast feedback on code style and type safety Jobs:

• lint - Ruff linter checks
• format - Ruff formatter checks
• typecheck - ty type checker

Parallelization: All jobs run in parallel (~1-2 min total)

Security:

• Uses pull_request trigger (read-only by default)
• ✅ SAFE: Only runs static analysis tools (no code execution)
• ❌ NO secrets or write permissions

Fork-friendly: Contributors get immediate feedback on code quality checks.

Trigger: pull_request (runs on all PRs) Purpose: Run tests and report coverage Jobs:

• test - Unit tests with coverage reporting

Permissions:

• contents: read - Read-only access

Security:

• Uses pull_request trigger (read-only)
• Coverage visible in workflow summary

Trigger: pull_request (requires approval for fork PRs) Purpose: Build and verify distribution packages Jobs:

• build - Creates wheel and source distributions

Artifacts:

• Uploads built packages for 7 days

Fork PR opened
    ↓
┌─────────────────────────────────────────┐
│  checks.yaml (auto-runs)                │
│  ├─ lint (parallel)                     │
│  ├─ format (parallel)                   │
│  └─ typecheck (parallel)                │
└─────────────────────────────────────────┘
    ↓ (1-2 min)
    ✓ Quick feedback to contributor

    ↓ (Runs in parallel)

┌─────────────────────────────────────────┐
│  test.yaml (auto-runs)                  │
│  └─ test (with coverage)                │
└─────────────────────────────────────────┘
    ↓ (3-5 min)

    ↓ (Maintainer clicks "Approve and run")

┌─────────────────────────────────────────┐
│  build.yaml (requires approval)         │
│  └─ build (package creation)            │
└─────────────────────────────────────────┘
    ↓ (1-2 min)

    ✓ All checks passed, ready to merge

• Immediate feedback on code style and tests
• Faster iteration - fix issues quickly
• Clear separation of concerns in CI status

• Parallel execution - faster CI overall (~3-5 min vs ~8-10 min)
• Security - limited permissions for all workflows
• Selective approval - only approve build jobs

The build.yaml workflow requires approval because it:

• Creates distribution packages
• May access secrets in the future (e.g., PyPI tokens)

Run checks locally before pushing:

# Lint
uv run ruff check .

# Format
uv run ruff format .

# Type check
uv run ty check .

# Tests
uv run pytest -m "not integration"

# Build
uv build

1. checks.yaml/test.yaml not running: Check if Actions are enabled in repository settings
2. build.yaml not running: Requires manual approval for fork PRs - look for "Approve and run" button

This means fork PR workflows are disabled in repository settings:

1. Go to Settings → Actions → General
2. Enable "Fork pull request workflows from outside collaborators"
3. Select "Require approval for first-time contributors"

• GitHub Actions: Events that trigger workflows
• Keeping your GitHub Actions secure
• Using pull_request_target safely