This directory contains comprehensive GitHub Actions workflows for the Microsoft MCP project, providing automated testing, security scanning, releases, and maintenance.
Triggers: Push to main/develop/feature branches, Pull Requests Duration: ~15-20 minutes Purpose: Comprehensive testing and quality assurance
Jobs:
- Code Quality & Security: Linting (ruff), formatting, type checking (mypy), security audit
- Tests: Multi-platform testing (Ubuntu, macOS, Windows) with Python 3.12/3.13
- Email Framework Tests: Specialized testing for email template system
- Build: Package building and validation
- Deployment Check: Version bump validation for main branch
Key Features:
- ✅ Multi-OS and multi-Python version testing
- ✅ Comprehensive caching strategy for dependencies
- ✅ Security scanning with pip-audit
- ✅ Code coverage reporting with Codecov integration
- ✅ Artifact uploads for debugging and analysis
Triggers: Git tags (v*.*.*), Manual dispatch
Duration: ~20-30 minutes
Purpose: Automated version releases and publishing
Jobs:
- Validate Release: Version format and conditions validation
- Pre-Release Tests: Full CI pipeline execution before release
- Build Release: Package building with changelog generation
- GitHub Release: Automated GitHub release creation
- PyPI Publishing: Automated package publishing to PyPI
- Post-Release: Development version preparation and notifications
Key Features:
- ✅ Semantic version validation
- ✅ Automated changelog generation
- ✅ PyPI publishing with trusted publishing (OIDC)
- ✅ Pre-release vs stable release handling
- ✅ Automatic development version bumping
Triggers: Daily schedule, Push to main, Pull Requests, Manual Duration: ~15-25 minutes Purpose: Comprehensive security analysis
Jobs:
- Dependency Scan: pip-audit and Safety vulnerability checking
- SAST Analysis: Bandit security linting and Semgrep analysis
- CodeQL Analysis: GitHub's semantic code analysis
- Secret Scanning: TruffleHog and gitleaks secret detection
- License Check: License compatibility verification
- Security Summary: Consolidated security status reporting
Key Features:
- ✅ Multiple security scanning tools integration
- ✅ SARIF report uploads for GitHub Security tab
- ✅ License compliance checking
- ✅ Automated vulnerability reporting
Triggers: Weekly schedule (Sunday 3 AM UTC), Manual dispatch Duration: ~10-20 minutes Purpose: Automated repository maintenance
Jobs:
- Dependency Updates: Automated dependency version updates
- Actions Updates: GitHub Actions version updates
- Cache Cleanup: Old cache cleanup for storage optimization
- Health Check: Repository health assessment and metrics
Key Features:
- ✅ Automated PR creation for updates
- ✅ Compatibility testing before updates
- ✅ Repository health monitoring
- ✅ Maintenance recommendations
Triggers: Pull Request events Duration: ~10-15 minutes Purpose: PR quality validation and automation
Features:
- ✅ PR structure validation (title format, description quality)
- ✅ Changed files analysis and categorization
- ✅ Automated labeling and size assessment
- ✅ Code quality quick checks
- ✅ Breaking changes detection
- ✅ Security quick scan for potential secrets
Triggers: Workflow completions, Issues, PRs, Releases Duration: ~2-5 minutes Purpose: Status tracking and notifications
Features:
- ✅ Workflow status notifications
- ✅ PR lifecycle tracking
- ✅ Issue auto-triaging and labeling
- ✅ Release announcements
- ✅ Daily status summaries
PYTHON_VERSION: "3.12" # Primary Python version
CACHE_VERSION: "v1" # Cache invalidation control# GitHub (automatically provided)
GITHUB_TOKEN: <automatic> # Repository access
# PyPI Publishing (for releases)
# Configure at: https://pypi.org/manage/account/publishing/
# Uses OIDC trusted publishing - no manual token needed
# Optional: External integrations
SLACK_WEBHOOK_URL: <optional> # Slack notifications
CODECOV_TOKEN: <optional> # Enhanced Codecov integrationThe workflows implement a sophisticated caching strategy:
- UV Dependencies: Cached by OS, Python version, and lock file hash
- Multi-level Cache Keys: Primary + fallback restore keys
- Job-specific Caches: Different cache keys for build, test, security jobs
- Automatic Cleanup: Weekly cache cleanup to optimize storage
- Minimal Permissions: Each workflow uses least-privilege permissions
- Token Security: OIDC trusted publishing for PyPI (no long-lived tokens)
- Secret Scanning: Multiple tools for detecting leaked credentials
- SARIF Integration: Security results integrate with GitHub Security tab
- Dependency Auditing: Regular vulnerability scanning
Add these badges to your README for visibility:
[](https://github.com/elyxlz/microsoft-mcp/actions/workflows/ci.yml)
[](https://github.com/elyxlz/microsoft-mcp/actions/workflows/security.yml)
[](https://codecov.io/gh/elyxlz/microsoft-mcp)- Actions Usage: Monitor workflow run times and costs
- Success Rates: Track workflow reliability
- Security Alerts: Review security tab regularly
- Artifact Storage: Monitor artifact storage usage
| Workflow | Push | PR | Schedule | Manual | Tags |
|---|---|---|---|---|---|
| CI Pipeline | ✅ | ✅ | ❌ | ✅ | ❌ |
| Release | ❌ | ❌ | ❌ | ✅ | ✅ |
| Security | Main only | ✅ | Daily | ✅ | ❌ |
| Maintenance | ❌ | ❌ | Weekly | ✅ | ❌ |
| PR Validation | ❌ | ✅ | ❌ | ❌ | ❌ |
| Notifications | Via workflow_run | ✅ | ❌ | ❌ | ❌ |
- Merge to main: All changes go through PR validation
- Version bump: Update version in
pyproject.toml - Create tag:
git tag v1.2.3 && git push origin v1.2.3 - Automated pipeline: Release workflow handles the rest
- Go to Actions → Release Pipeline
- Click Run workflow
- Enter version number (e.g.,
1.2.3) - Choose if it's a pre-release
- Click Run workflow
- GitHub Release: Changelog and source archives
- PyPI Package: Installable wheel and source distribution
- Artifacts: Build artifacts for debugging
- Fork & Branch: Create feature branch
- Local Testing: Run
uv run pytestlocally - Create PR: Automated validation runs
- Address Feedback: Respond to reviews and checks
- Merge: Maintainer merges after approval
- Review PRs: Use automated validation insights
- Security Review: Check security scan results weekly
- Dependencies: Review automated dependency update PRs
- Releases: Tag releases when ready
- Monitoring: Review workflow analytics monthly
- Create new
.ymlfile in.github/workflows/ - Follow existing patterns for structure
- Add appropriate permissions and timeouts
- Test thoroughly on feature branch
- Test Changes: Always test on feature branch first
- Documentation: Update this README if needed
- Permissions: Review security implications
- Notifications: Consider impact on team notifications
- Development: Use feature branch testing
- Staging: Main branch represents staging environment
- Production: Tags trigger production releases
- GitHub Actions Documentation
- UV Package Manager
- Ruff Linter Configuration
- PyPI Trusted Publishing
- Codecov Integration
Workflow fails on dependency installation
- Check UV cache configuration
- Verify
pyproject.tomlsyntax - Review dependency conflicts
Security scans reporting false positives
- Review
.github/workflows/security.ymlconfiguration - Add exceptions to Bandit configuration in
pyproject.toml - Update security tool versions
Release workflow fails
- Verify version format (must be semantic versioning)
- Check PyPI trusted publishing configuration
- Review release permissions
Tests fail in CI but pass locally
- Check environment variable configuration
- Review OS-specific test conditions
- Verify test isolation
- Check workflow logs: Detailed error information
- Review this documentation: Common solutions
- Search existing issues: Similar problems may be documented
- Create new issue: Use issue templates for bug reports
This CI/CD pipeline is designed to be robust, secure, and maintainable. Regular reviews and updates ensure it continues to serve the project's needs effectively.