ci: run unit/integration/security tests on push and PR

Add a Tests workflow (separate from publish.yml) that runs the offline pytest suite on push and pull_request across Python 3.9/3.11/3.13, with unit, integration, and security tests as separate steps. Live tests stay skipped (RUN_LIVE_TESTS unset), so no proot or network access is required.
2026-06-19 07:35:29 +00:00 · 2026-06-07 00:53:15 +00:00
parent 722ef50d8b
commit 221df3a645
1 changed files with 49 additions and 0 deletions
@@ -0,0 +1,49 @@
+name: Tests
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: tests-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Test suite (Python ${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # Cover the floor and the latest of the supported range
+        # (pyproject: requires-python = ">=3.9").
+        python-version: ['3.9', '3.11', '3.13']
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: pyproject.toml
+
+      - name: Install package with test extra
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e '.[test]'
+
+      # The offline suite needs neither proot nor network access; the opt-in
+      # live tests stay skipped because RUN_LIVE_TESTS is unset.
+      - name: Unit tests
+        run: python -m pytest tests/unit
+
+      - name: Integration tests
+        run: python -m pytest tests/integration
+
+      - name: Security tests
+        run: python -m pytest tests/security