align-CI

.github/workflows/python-package.yml

@@ -1,29 +1,28 @@
 name: Python package test
 
 on:
+  schedule:
+    - cron: '0 8 * * 1,4'  
   push:
     branches: [main]
-    paths-ignore:
-      - "docs/**"
+    tags: ['*']
   pull_request:
-    branches: [main]
-    paths-ignore:
-      - "docs/**"
-  schedule:
-    - cron: '0 8 * * 1,4'
+    branches: ['**']
   workflow_call:
     inputs:
       override-deps-artifact:
         description: "Name of artifact containing updated lockfiles"
         required: false
-        type: string    
+        type: string
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   lint:
     name: "📝 Pre-commit / Code Quality"
     runs-on: ubuntu-latest
-    # Skip linting when triggered by the Sync Workflow (it just updated locks)
-    if: github.event_name != 'workflow_call'
     steps:
       - uses: actions/checkout@v4
       - name: ⚡ Install uv
@@ -36,9 +35,6 @@ jobs:
   setup:
       name: "🏗️ Build Py${{ matrix.python-version }}"
       needs: lint
-      if: |
-        always() && 
-        (needs.lint.result == 'success' || needs.lint.result == 'skipped')
       runs-on: ubuntu-latest
       strategy:
         matrix:
@@ -48,7 +44,7 @@ jobs:
         - uses: actions/checkout@v4
 
         - name: 📥 Apply Dependency Overrides
-          if: "${{ inputs.override-deps-artifact != '' }}"
+          if: "${{ inputs.override-deps-artifact != '' && inputs.override-deps-artifact != 'null' }}"
           uses: actions/download-artifact@v4
           with:
             name: ${{ inputs.override-deps-artifact }}
@@ -184,7 +180,9 @@ jobs:
           fi
 
           uv tool install coverage
-          mv all-results/.coverage* .
+          if ls all-results/.coverage* 1> /dev/null 2>&1; then
+            mv all-results/.coverage* .
+          fi
 
           cat <<EOF > .coveragerc
           [run]
@@ -199,18 +197,19 @@ jobs:
           echo "Merging coverage files with path remapping..."
           # 2️⃣ COMBINE & REPORT
           # We use the rcfile to ensure the mapping is applied during the merge
-          uv tool run coverage combine --rcfile=.coveragerc
+          uv tool run coverage combine --append --rcfile=.coveragerc || echo "No extra coverage files to combine."
 
           # ENFORCE 85% (or your chosen threshold)
-          OUTPUT=$(uv tool run coverage report --show-missing --fail-under=85 2>&1) || EXIT_CODE=$?
+          REPORT_OUTPUT=$(uv tool run coverage report --show-missing --fail-under=85 2>&1)
+          EXIT_CODE=$?
 
-          echo "$OUTPUT"
+          echo "$REPORT_OUTPUT"
 
           echo '```' >> $GITHUB_STEP_SUMMARY
-          echo "$OUTPUT" >> $GITHUB_STEP_SUMMARY
+          echo "$REPORT_OUTPUT" >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
 
-          if [ "${EXIT_CODE:-0}" -ne 0 ]; then
+          if [ $EXIT_CODE -ne 0 ]; then
             echo "❌ **Coverage Failed:** Python 3.13 coverage is below 85%." >> $GITHUB_STEP_SUMMARY
             exit $EXIT_CODE
           else

.github/workflows/sync-dependencies.yml

@@ -3,16 +3,17 @@ name: sync-dependencies
 on:
   schedule:
     - cron: '0 0 * * *'
-  workflow_dispatch:
-  pull_request:
-    paths:
-      - "pyproject.toml"
-      - "uv.lock"
   push:
     branches: [main]
+    tags: ['*']
+    paths:
+      - "pyproject.toml"
+      - "uv.lock"    
+  pull_request:
     paths:
       - "pyproject.toml"
       - "uv.lock"
+  workflow_dispatch:  
 
 jobs:
   sync-and-prepare:
@@ -74,32 +75,36 @@ jobs:
 
             echo "### ✅ Everything is Up-to-Date" >> $GITHUB_STEP_SUMMARY
             echo "No changes detected in \`uv.lock\`." >> $GITHUB_STEP_SUMMARY
-            echo "💤 **Action:** Skipping tests and PR creation." >> $GITHUB_STEP_SUMMARY
+            if [ "${{ github.event_name }}" == "pull_request" ] || [ "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]; then
+              echo "🚀 **Action:** Standard tests will verify the state." >> $GITHUB_STEP_SUMMARY
+            else
+              echo "💤 **Action:** Skipping tests and PR creation." >> $GITHUB_STEP_SUMMARY
+            fi
           fi
 
       - name: 📤 Upload Updated Deps
         if: steps.check.outputs.changed == 'true'
         uses: actions/upload-artifact@v4
         with:
           name: updated-deps
+          retention-days: 1
           path: |
             uv.lock
             conda/meta.yaml
 
   run-tests:
     needs: sync-and-prepare
-    if: needs.sync-and-prepare.outputs.sync_needed == 'true'
     uses: ./.github/workflows/python-package.yml
     with:
-      override-deps-artifact: updated-deps
+      override-deps-artifact: ${{ needs.sync-and-prepare.outputs.sync_needed == 'true' && 'updated-deps' || 'null' }}
     secrets: inherit
 
   finalize:
     needs: [sync-and-prepare, run-tests]
     if: |
       always() && 
-      needs.run-tests.result == 'success' &&
-      needs.sync-and-prepare.outputs.sync_needed == 'true'
+      needs.sync-and-prepare.outputs.sync_needed == 'true' &&
+      (needs.run-tests.result == 'success' || needs.run-tests.result == 'skipped' )
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -109,6 +114,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.ref || github.ref }}
+          token: ${{ secrets.MAPCHETE_PAT_CONTAINER_IMAGES_TOKEN }}
 
       - name: 📥 Download Verified Artifacts
         uses: actions/download-artifact@v4
@@ -131,7 +137,7 @@ jobs:
         if: github.event_name != 'pull_request'
         uses: peter-evans/create-pull-request@v7
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.MAPCHETE_PAT_CONTAINER_IMAGES_TOKEN }}
           commit-message: "chore: update uv.lock and conda recipe"
           title: "chore(deps): sync uv and conda"
           body: |