Ci pipeline enhancements

.github/workflows/ci.yml

@@ -19,8 +19,77 @@ permissions:
   contents: read
 
 jobs:
+  test:
+    name: Test Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Install dependencies
+        run: |
+          uv sync --dev
+          uv run maturin develop
+
+      - name: Run Rust tests
+        run: cargo test --verbose
+
+      - name: Run Python tests
+        run: uv run pytest --verbose --tb=short
+
+  lint:
+    name: Code Quality
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Install dependencies
+        run: |
+          uv sync --dev
+          uv run maturin develop
+
+      - name: Check Rust formatting
+        run: cargo fmt --all -- --check
+
+      - name: Run Rust clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+      - name: Check Python formatting
+        run: uv run ruff format --check .
+
+      - name: Run Python linting
+        run: uv run ruff check .
   linux:
     runs-on: ${{ matrix.platform.runner }}
+    needs: [test, lint]
     strategy:
       matrix:
         platform:
@@ -56,6 +125,7 @@ jobs:
 
   windows:
     runs-on: ${{ matrix.platform.runner }}
+    needs: [test, lint]
     strategy:
       matrix:
         platform:
@@ -83,6 +153,7 @@ jobs:
 
   macos:
     runs-on: ${{ matrix.platform.runner }}
+    needs: [test, lint]
     strategy:
       matrix:
         platform:
@@ -109,6 +180,7 @@ jobs:
 
   sdist:
     runs-on: ubuntu-latest
+    needs: [test, lint]
     steps:
       - uses: actions/checkout@v4
       - name: Build sdist

.github/workflows/security.yml

@@ -0,0 +1,61 @@
+name: Security
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+  schedule:
+    # Run weekly security scans
+    - cron: '0 2 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Rust security audit
+        uses: rustsec/audit-check@v1.4.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Install dependencies
+        run: uv sync --dev
+
+      - name: Run Python security scan
+        run: |
+          uv add --dev safety
+          uv run safety check --ignore 70612
+        continue-on-error: true  # Don't fail CI on security advisories, just report
+
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

examples/basic.py

@@ -1,4 +1,5 @@
 import cel
+
 expressions = [
     "1 + 2",
     "1 > 2",
@@ -20,5 +21,4 @@
 
 for ex in expressions:
     result = cel.evaluate(ex)
-    print(ex, '=>', result, type(result))
-
+    print(ex, "=>", result, type(result))

pyproject.toml

@@ -42,3 +42,60 @@ dev-dependencies = [
     "ruff>=0.12.7",
     "mypy>=1.17.1",
 ]
+
+[tool.ruff]
+target-version = "py311"
+line-length = 100
+extend-exclude = [
+    ".venv",
+    "target",
+    "__pycache__",
+]
+
+[tool.ruff.lint]
+select = [
+    "E",   # pycodestyle errors
+    "W",   # pycodestyle warnings
+    "F",   # pyflakes
+    "I",   # isort
+    "B",   # flake8-bugbear
+    "C4",  # flake8-comprehensions
+]
+ignore = [
+    "E501", # line too long (handled by formatter)
+    "F403", # star imports (needed for Rust extension)
+    "F405", # undefined from star imports (expected with Rust extension)
+    "F401", # unused imports (CLI module imported for side effects)
+    "RUF001", # ambiguous unicode characters (intentional in tests)
+]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+
+[tool.mypy]
+python_version = "3.11"
+warn_return_any = true
+warn_unused_configs = true
+disallow_untyped_defs = true
+check_untyped_defs = true
+warn_redundant_casts = true
+warn_unused_ignores = true
+show_error_codes = true
+namespace_packages = true
+exclude = [
+    "tests/",
+    ".venv/",
+    "target/",
+]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+python_files = ["test_*.py"]
+python_classes = ["Test*"]
+python_functions = ["test_*"]
+addopts = [
+    "--strict-markers",
+    "--strict-config",
+    "--verbose",
+]

python/cel/__init__.py

@@ -1,9 +1,8 @@
 # Import the Rust extension
-from .cel import *
-
-# Import CLI functionality  
+# Import CLI functionality
 from . import cli
+from .cel import *
 
 __doc__ = cel.__doc__
 if hasattr(cel, "__all__"):
-    __all__ = cel.__all__
+    __all__ = cel.__all__

python/cel/__main__.py

@@ -6,4 +6,4 @@
 from .cli import cli_entry
 
 if __name__ == "__main__":
-    cli_entry()
+    cli_entry()