ci: add GitHub Actions workflow for lint, type-check, and tests #6

Open
dinakars777 wants to merge 2 commits into syrin-labs:main from dinakars777:ci/add-github-actions


@dinakars777 dinakars777 commented Apr 8, 2026

Summary

Adds a CI pipeline (ci.yml) that runs on every PR and push to main. The repo currently only has a publish.yml for PyPI releases — there are no automated checks on PRs today.

What this adds

| Job | What it does |
| --- | --- |
| Lint | ruff check + ruff format --check on src/ and tests/ |
| Type check | mypy in strict mode against src/syrin/ |
| Tests | pytest across Python 3.11, 3.12, 3.13 with coverage report |
| Build | python -m build + twine check to validate the package artifact |

Design decisions

  • Concurrency control: Stale workflow runs on the same branch are automatically cancelled to save CI minutes
  • fail-fast: false: All Python versions run to completion so we catch version-specific failures in a single run
  • Build gates on all checks: The build validation job only runs after lint, type-check, and tests all pass
  • Unit tests only: Scoped to tests/unit/ to avoid requiring API keys or external services in CI

Summary by CodeRabbit

  • Chores
    • Added an automated CI pipeline to enforce code style and linting, validate type safety, run tests across multiple Python versions, and verify distribution artifacts to improve reliability and release quality.

Adds a CI pipeline that runs on every PR and push to main:

- Ruff lint + format check
- Mypy strict type checking
- Pytest across Python 3.11, 3.12, 3.13 with coverage
- Build validation (sdist + wheel + twine check)

Concurrency control cancels stale runs on the same branch.
The build job gates on all checks passing before validating
the package artifact.

coderabbitai bot commented Apr 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 433071a3-ccb2-43f3-91e8-d8690b6283ec

📥 Commits

Reviewing files that changed from the base of the PR and between 3fe02fd and 98b90f7.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci.yml

📝 Walkthrough


Added a GitHub Actions CI workflow that runs on pushes and pull requests to main, performing linting, type-checking, unit tests across Python 3.11–3.13, and package build/validation with sequential job dependencies and concurrency controls.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI Workflow: .github/workflows/ci.yml | New workflow defining four jobs: lint (Python 3.12, pinned ruff, runs ruff check and ruff format --check over src/, tests/, examples/), type-check (Python 3.12, installs dev editable package, pinned mypy, runs mypy src/syrin/), test (matrix: Python 3.11/3.12/3.13, installs .[dev], runs pytest tests/unit/ with coverage for syrin), and build (Python 3.12, installs pinned build and twine, builds sdist/wheel, runs twine check dist/*). Configures minimal contents: read, workflow-level concurrency with cancel-in-progress: true, and job ordering via needs dependencies. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I hopped into CI with a clipboard and quill,
Linted the carrots, typed every sill,
Tests hopped along in three Python lands,
Built tidy packages with careful rabbit hands.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and specifically summarizes the main change: adding a GitHub Actions CI workflow for lint, type-check, and tests. It directly reflects the primary objective of introducing automated CI/CD checks. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

25-27: Avoid floating tool installs in CI steps.

pip install ruff/mypy/build/twine without pinned versions makes runs non-reproducible and prone to sudden breakage. Prefer pinned versions (or a dedicated CI constraints file) and install via python -m pip.

Suggested stabilization pattern
-      - name: Install ruff
-        run: pip install ruff
+      - name: Install ruff
+        run: python -m pip install "ruff==<pinned-version>"
...
-      - name: Install dependencies
-        run: |
-          pip install -e ".[dev]"
-          pip install mypy
+      - name: Install dependencies
+        run: |
+          python -m pip install -e ".[dev]"
+          python -m pip install "mypy==<pinned-version>"
...
-      - name: Install build tools
-        run: pip install build twine
+      - name: Install build tools
+        run: python -m pip install "build==<pinned-version>" "twine==<pinned-version>"
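Review bot: In the Install dependencies step, `python -m pip install -e ".[dev]"` is still resolved without a constraints file, so whatever the dev extra does not pin itself keeps floating even once mypy is pinned; pass a constraints file on that line (`-c <constraints-file>`) or lock the dev extra. The `==<pinned-version>` pins in all three steps also fix only the version number, not the artifact, so if the aim is supply-chain integrity rather than just reproducibility, install ruff, mypy, build and twine from a hashed requirements file with `--require-hashes`.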

Also applies to: 45-49, 87-88

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 25 - 27, The CI step that runs "pip
install ruff" uses an unpinned floating install and should be changed to use
reproducible installs: replace "pip install ruff" with "python -m pip install
ruff==<pin>" (or reference a constraints file / requirements-ci.txt) and pin
versions for the other similar install steps that install mypy/build/twine;
ensure all pip invocations use "python -m pip" and either explicit == pins or a
single constraints file to stabilize the workflow.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Line 13: The workflow is missing explicit least-privilege permissions; update
the CI workflow YAML to add a top-level permissions block (after the on:
section) and set permissions: contents: read so the job uses only repository
contents read access; ensure the block is placed at the top level of the file
(not under jobs:) and formatted as a sibling to jobs and on so the workflow
receives the restricted permissions.
- Around line 29-32: The CI currently runs the Ruff commands only on "src/" and
"tests/"; update the two steps that invoke "ruff check" and "ruff format
--check" so they include "examples/" as well (i.e., run "ruff check src/ tests/
examples/" and "ruff format --check src/ tests/ examples/") so the workflow's
use of ruff matches the project's pyproject.toml source list.
- Around line 19-23: Replace mutable action tags with full commit SHAs for all
GitHub Actions usages to improve supply-chain security: change uses:
actions/checkout@v4 and uses: actions/setup-python@v5 (and any other occurrences
of actions/*@<major>) to their pinned commit SHAs and add a trailing comment
with the human-readable tag (e.g.,
actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v4 and
actions/setup-python@61a6322f88fd7d61794de7596e2081cba2d92cc4 # v5); ensure you
update every action reference (actions/checkout, actions/setup-python, etc.)
consistently across the workflow file.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 25-27: The CI step that runs "pip install ruff" uses an unpinned
floating install and should be changed to use reproducible installs: replace
"pip install ruff" with "python -m pip install ruff==<pin>" (or reference a
constraints file / requirements-ci.txt) and pin versions for the other similar
install steps that install mypy/build/twine; ensure all pip invocations use
"python -m pip" and either explicit == pins or a single constraints file to
stabilize the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c3b3afe-f7b7-4a94-99db-767872ee2e94

📥 Commits

Reviewing files that changed from the base of the PR and between 1c02dcf and 3fe02fd.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

- Pin actions/checkout and actions/setup-python to full commit SHAs
  for supply-chain security (all 8 references)
- Add top-level permissions: contents: read for least-privilege
- Include examples/ in ruff check and format scope to match
  pyproject.toml src config
- Pin all tool versions (ruff==0.15.9, mypy==1.20.0, build==1.4.2,
  twine==6.2.0) for reproducible CI runs
- Use python -m pip consistently across all install steps
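
The three findings this review converged on (mutable action tags, no workflow-level permissions block, unpinned pip installs) can be checked mechanically before a workflow is merged. The script below is an added example, not part of the PR or the syrin repository; the sample workflow and the 40-character SHA in it are constructed, and `audit_workflow` is a hypothetical helper name.

```python
import re

# Constructed sample workflow for illustration; not the PR's ci.yml.
SAMPLE = """\
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - run: pip install ruff
      - run: |
          python -m pip install -e ".[dev]"
          python -m pip install "mypy==1.20.0"
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"@[0-9a-f]{40}$")
PIP_RE = re.compile(r"\bpip install\s+(.*)")


def audit_workflow(text):
    """Return (line_number, finding) pairs; line 0 means file-level."""
    lines = text.splitlines()
    findings = []
    # A workflow-level permissions block is a top-level key (column 0).
    if not any(re.match(r"permissions\s*:", ln) for ln in lines):
        findings.append((0, "no top-level permissions block"))
    for no, ln in enumerate(lines, 1):
        uses = USES_RE.match(ln)
        if uses:
            ref = uses.group(1)
            # Local and docker:// references are not addressed by git SHA.
            local = ref.startswith(("./", "docker://"))
            if not local and not FULL_SHA_RE.search(ref):
                findings.append((no, f"mutable action ref: {ref}"))
        pip = PIP_RE.search(ln)
        if pip:
            for arg in pip.group(1).split():
                arg = arg.strip("\"'")
                # Skip options, editable/local paths and requirement files.
                if arg.startswith(("-", ".")) or arg.endswith(".txt"):
                    continue
                if "==" not in arg:
                    findings.append((no, f"unpinned pip package: {arg}"))
    return findings
```

The check is line-based and uses only the standard library, so it does not validate YAML structure; it flags job-level `permissions:` as insufficient because only a column-0 key counts as the workflow-level block.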