omneval-devloop 0.0.1__tar.gz

omneval_devloop-0.0.1/.github/workflows/build-agent-base-image.yml

@@ -0,0 +1,53 @@
+name: Build Agent Base Image
+
+# Builds and publishes ghcr.io/omneval/devloop-agent-base — the shared toolchain
+# base for all per-project agent images (OpenHands SDK, Temporal SDK, git, gh,
+# kubectl, flux).
+#
+# Triggers (continuous / main only):
+#   - push to main   → sha-<short>-<epoch> + latest tags (SDK unpinned = latest)
+#   - pull_request   → build + test only (no push)
+#
+# Release (semver) builds run in release.yml, which pins omneval-devloop to the
+# tag version and waits for the PyPI publish first. This workflow deliberately
+# omits a tag trigger so the two never race.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+concurrency:
+  group: build-agent-base-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  test:
+    name: entrypoint tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.9.11"
+
+      - name: Run entrypoint tests
+        working-directory: images/agent-base
+        run: uv run --with pytest --with pytest-asyncio pytest -q
+
+  build_and_push:
+    name: Build and push agent-base to GHCR
+    needs: test
+    # Grant the package-push scope the reusable workflow needs; the repo default
+    # token is capped at packages: read.
+    permissions:
+      packages: write
+      contents: read
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image_name: devloop-agent-base
+      docker_context: './images/agent-base'
+      dockerfile: './images/agent-base/Dockerfile'
+    secrets: inherit

omneval_devloop-0.0.1/.github/workflows/build-image.yml

@@ -0,0 +1,111 @@
+name: Build and Push Image
+
+# Reusable workflow called by the per-image publish workflows and by the release
+# orchestrator (release.yml). Handles checkout (workflow_run SHA pinning), GHCR
+# auth, tag computation, metadata extraction, and the build/push step.
+#
+# The caller's github context flows through, so github.event_name and
+# github.event.workflow_run.* are evaluated correctly here even though
+# this workflow is triggered via workflow_call.
+#
+# SDK-embedding images pass build_args (SDK_VERSION) and wait_for_pypi so the
+# pinned SDK is published before the image that bakes it is built.
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        description: 'Short image name (e.g. devloop-poller); appended to ghcr.io/omneval/'
+        required: true
+        type: string
+      docker_context:
+        description: 'Docker build context path (relative to repo root)'
+        required: true
+        type: string
+      dockerfile:
+        description: 'Path to the Dockerfile (relative to repo root)'
+        required: true
+        type: string
+      build_args:
+        description: 'Newline-separated KEY=value build args (e.g. SDK_VERSION=0.0.2)'
+        required: false
+        type: string
+        default: ''
+      wait_for_pypi:
+        description: 'If set ("pkg==version"), poll PyPI until that release is queryable before building'
+        required: false
+        type: string
+        default: ''
+
+jobs:
+  build_and_push:
+    name: Build and push ${{ inputs.image_name }}
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+        with:
+          # For workflow_run, build the exact commit whose CI just passed.
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || '' }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Wait for the pinned SDK to appear on PyPI
+        if: inputs.wait_for_pypi != ''
+        run: |
+          pkg_ver='${{ inputs.wait_for_pypi }}'
+          name="${pkg_ver%%==*}"
+          ver="${pkg_ver##*==}"
+          url="https://pypi.org/pypi/${name}/${ver}/json"
+          echo "Waiting for ${pkg_ver} at ${url}"
+          for i in $(seq 1 40); do
+            code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
+            if [ "$code" = "200" ]; then
+              echo "Found ${pkg_ver} on PyPI (attempt $i)"
+              exit 0
+            fi
+            echo "Attempt $i/40: ${pkg_ver} not on PyPI yet (HTTP $code); retrying in 15s"
+            sleep 15
+          done
+          echo "ERROR: ${pkg_ver} did not appear on PyPI within ~10 minutes"
+          exit 1
+
+      - name: Compute sha-<short>-<epoch> tag
+        id: shatag
+        run: echo "value=sha-$(git rev-parse --short=7 HEAD)-$(date +%s)" >> "$GITHUB_OUTPUT"
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/omneval/${{ inputs.image_name }}
+          # sha/latest track the rolling main line (workflow_run after CI, or a
+          # direct push to main). type=semver emits only on tag refs, which is
+          # the release path, so it needs no explicit enable guard.
+          tags: |
+            type=raw,value=${{ steps.shatag.outputs.value }},enable=${{ github.event_name == 'workflow_run' || github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'workflow_run' || github.ref == 'refs/heads/main' }}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Build and push ${{ inputs.image_name }} image
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ inputs.docker_context }}
+          file: ${{ inputs.dockerfile }}
+          build-args: ${{ inputs.build_args }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

omneval_devloop-0.0.1/.github/workflows/ci.yml

@@ -0,0 +1,30 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Full history + tags so hatch-vcs can resolve the package version
+          # when uv sync builds the local project.
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.9.11"
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Lint
+        run: uv run ruff check src/ tests/
+
+      - name: Test
+        run: uv run pytest

omneval_devloop-0.0.1/.github/workflows/publish-devloop-chart.yml

@@ -0,0 +1,30 @@
+name: Lint Devloop Helm Chart
+
+# Validates the devloop Helm chart on pull requests. Packaging and publishing the
+# chart as an OCI artifact to ghcr.io/omneval/charts/devloop happens in
+# release.yml on a v* tag.
+
+on:
+  pull_request:
+
+jobs:
+  lint:
+    name: Package and lint chart
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+
+      - name: Package chart
+        id: package
+        run: |
+          helm package charts/devloop/ -u -d .cr-release-packages
+          echo "chart=$(ls .cr-release-packages/devloop-*.tgz)" >> "$GITHUB_OUTPUT"
+
+      - name: Lint chart
+        run: helm lint ${{ steps.package.outputs.chart }}

omneval_devloop-0.0.1/.github/workflows/publish-discord-bot-image.yml

@@ -0,0 +1,58 @@
+name: Publish Discord Bot Image
+
+# Builds and publishes ghcr.io/omneval/devloop-discord-bot — the Discord <-> Temporal
+# bridge for Phase Gates and changelog posts.
+#
+# Triggers (continuous / main only):
+#   - workflow_run after "CI" succeeds on main → sha-<short>-<epoch> + latest tags
+#   - pull_request                             → build + test only (no push)
+#
+# Depending on CI (rather than push to main directly) ensures the image is never
+# pushed against a broken devloop package. Release (semver) builds run in
+# release.yml; this workflow has no tag trigger so the two never race.
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  pull_request:
+
+concurrency:
+  group: publish-discord-bot-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  test:
+    name: discord-bot tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || '' }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.9.11"
+
+      - name: Run tests
+        working-directory: images/discord-bot
+        run: uv run pytest -q
+
+  build_and_push:
+    name: Build and push discord-bot to GHCR
+    needs: test
+    if: >-
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'workflow_run' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_branch == 'main')
+    permissions:
+      packages: write
+      contents: read
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image_name: devloop-discord-bot
+      docker_context: './images/discord-bot'
+      dockerfile: './images/discord-bot/Dockerfile'
+    secrets: inherit

omneval_devloop-0.0.1/.github/workflows/publish-poller-image.yml

@@ -0,0 +1,59 @@
+name: Publish Poller Image
+
+# Builds and publishes ghcr.io/omneval/devloop-poller — the GitHub issue poller
+# that detects `agent-ready`-labeled issues and forwards them to the Temporal
+# Orchestration Worker webhook to start a Dev Loop.
+#
+# Triggers (continuous / main only):
+#   - workflow_run after "CI" succeeds on main → sha-<short>-<epoch> + latest tags
+#   - pull_request                             → build + test only (no push)
+#
+# Depending on CI (rather than push to main directly) ensures the image is never
+# pushed against a broken devloop package. Release (semver) builds run in
+# release.yml; this workflow has no tag trigger so the two never race.
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  pull_request:
+
+concurrency:
+  group: publish-poller-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  test:
+    name: poller tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || '' }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.9.11"
+
+      - name: Run tests
+        working-directory: images/poller
+        run: uv run pytest -q
+
+  build_and_push:
+    name: Build and push poller to GHCR
+    needs: test
+    if: >-
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'workflow_run' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_branch == 'main')
+    permissions:
+      packages: write
+      contents: read
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image_name: devloop-poller
+      docker_context: '.'
+      dockerfile: './images/poller/Dockerfile'
+    secrets: inherit

omneval_devloop-0.0.1/.github/workflows/publish-temporal-worker-image.yml

@@ -0,0 +1,41 @@
+name: Publish Temporal Worker Image
+
+# Builds and publishes ghcr.io/omneval/devloop-temporal-worker — the reference
+# Temporal Orchestration Worker that installs omneval-devloop and registers the
+# Dev Loop + Summarization workflows.
+#
+# Triggers (continuous / main only):
+#   - workflow_run after "CI" succeeds on main → sha-<short>-<epoch> + latest tags
+#   - pull_request                             → build only (no push)
+#
+# Release (semver) builds run in release.yml, which pins the SDK to the tag and
+# waits for the PyPI publish first; this workflow has no tag trigger so the two
+# never race. On main the SDK is installed unpinned (latest release).
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+  pull_request:
+
+concurrency:
+  group: publish-temporal-worker-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  build_and_push:
+    name: Build and push temporal-worker to GHCR
+    if: >-
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'workflow_run' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_branch == 'main')
+    permissions:
+      packages: write
+      contents: read
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image_name: devloop-temporal-worker
+      docker_context: './images/temporal-worker'
+      dockerfile: './images/temporal-worker/Dockerfile'
+    secrets: inherit

omneval_devloop-0.0.1/.github/workflows/release.yml

@@ -0,0 +1,170 @@
+name: Release
+
+# Single orchestrator for a tagged release. Pushing a v* tag drives the whole
+# release as one job DAG, so ordering is structural (needs:) instead of a race
+# between independent workflows:
+#
+#   test ─┬─> pypi ─> sdk-images (agent-base, temporal-worker)   [pinned SDK]
+#         ├─> chart                                              [parallel]
+#         └─> images (discord-bot, poller)                       [parallel, no SDK]
+#
+# The git tag is the single source of truth: hatch-vcs derives the SDK version
+# from it (e.g. v0.0.2 -> 0.0.2), the PyPI release carries that version, the
+# Docker images are tagged with the same semver, and the SDK pinned into the
+# SDK-embedding images is exactly that release — so an image tagged 0.0.2 can
+# never contain SDK 0.0.1. sdk-images both `needs: pypi` and wait for the release
+# to be queryable on PyPI before building.
+#
+# The continuous (main) path is unchanged and lives elsewhere: ci.yml runs the
+# SDK suite, and the per-image publish-*-image.yml workflows publish sha/latest
+# after CI succeeds.
+
+on:
+  push:
+    tags: ['v*']
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  meta:
+    name: Resolve release version
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.v.outputs.version }}
+    steps:
+      # v0.0.2 -> 0.0.2; used to pin the SDK and to poll PyPI.
+      - id: v
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+  test:
+    name: SDK test suite
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Full history + tags so hatch-vcs can resolve the version.
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.9.11"
+
+      - name: Install dependencies
+        run: uv sync --all-groups
+
+      - name: Lint
+        run: uv run ruff check src/ tests/
+
+      - name: Test
+        run: uv run pytest
+
+  pypi:
+    name: Build and publish to PyPI
+    needs: test
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # hatch-vcs reads the tag from git history to version the build.
+          fetch-depth: 0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.11.18"
+
+      - name: Build package
+        run: uv build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  chart:
+    name: Package and push Helm chart
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Package chart
+        id: package
+        run: |
+          helm package charts/devloop/ -u -d .cr-release-packages
+          echo "chart=$(ls .cr-release-packages/devloop-*.tgz)" >> "$GITHUB_OUTPUT"
+
+      - name: Lint chart
+        run: helm lint ${{ steps.package.outputs.chart }}
+
+      - name: Push chart to GHCR
+        run: helm push ${{ steps.package.outputs.chart }} oci://ghcr.io/omneval/charts
+
+  images:
+    name: Build ${{ matrix.image_name }}
+    needs: test
+    # A job calling a reusable workflow must grant the permissions that workflow
+    # needs; otherwise the token is capped at the repo default (packages: read).
+    permissions:
+      packages: write
+      contents: read
+    strategy:
+      matrix:
+        include:
+          - image_name: devloop-discord-bot
+            docker_context: './images/discord-bot'
+            dockerfile: './images/discord-bot/Dockerfile'
+          - image_name: devloop-poller
+            docker_context: '.'
+            dockerfile: './images/poller/Dockerfile'
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image_name: ${{ matrix.image_name }}
+      docker_context: ${{ matrix.docker_context }}
+      dockerfile: ${{ matrix.dockerfile }}
+    secrets: inherit
+
+  sdk-images:
+    name: Build ${{ matrix.image_name }}
+    # Only build after the pinned SDK is published; the reusable workflow also
+    # waits for it to be queryable on PyPI before building.
+    needs: [test, meta, pypi]
+    permissions:
+      packages: write
+      contents: read
+    strategy:
+      matrix:
+        include:
+          - image_name: devloop-agent-base
+            docker_context: './images/agent-base'
+            dockerfile: './images/agent-base/Dockerfile'
+          - image_name: devloop-temporal-worker
+            docker_context: './images/temporal-worker'
+            dockerfile: './images/temporal-worker/Dockerfile'
+    uses: ./.github/workflows/build-image.yml
+    with:
+      image_name: ${{ matrix.image_name }}
+      docker_context: ${{ matrix.docker_context }}
+      dockerfile: ${{ matrix.dockerfile }}
+      build_args: SDK_VERSION=${{ needs.meta.outputs.version }}
+      wait_for_pypi: omneval-devloop==${{ needs.meta.outputs.version }}
+    secrets: inherit