Phase 7: GitHub Actions CI with cibuildwheel and trusted-publisher

Five-job pipeline driven by .github/workflows/ci.yml, following the
pylu/pydgq pattern with wlsqm-specific adjustments:

  1. lint (ubuntu-latest):
     - ruff check . --ignore SIM103 (blocking)
     - ruff check . --select SIM103 || true (advisory, non-blocking)
     - cython-lint on every .pyx and .pxd, non-blocking (|| true)
       so that advisory drift in the Cython layer does not block merges.

  2. test (needs: lint) matrix: {linux, macOS, windows} x Python 3.11-3.14
     - On macOS, `brew install libomp` before the build so meson's
       `dependency('openmp', required: false)` can find it. If it still
       cannot, the build falls back to serial (via the required:false
       arg) and tests still pass.
     - `pip install meson-python meson ninja Cython numpy scipy pytest`
       then `pip install --no-build-isolation -e .` then `pytest tests/ -v`.

  3. build-wheels (needs: test) matrix: {linux, macOS, windows}
     - pypa/cibuildwheel@v3.4. Config lives in pyproject.toml
       ([tool.cibuildwheel]) from Phase 2: build cp311 through cp314,
       skip 32-bit and musllinux, test-requires numpy+scipy+pytest,
       test-command `pytest {project}/tests -v`, and the macOS
       before-all that does `brew install libomp`.
     - Wheels uploaded as `wheels-${{ matrix.os }}` artifacts.

  4. sdist (needs: test) on ubuntu-latest:
     - `python -m build --sdist` (the build backend is meson-python and
       the sdist already ships the .pxd files so downstream cimport
       users can build against it — verified locally).
     - Uploaded as `sdist` artifact.

  5. publish (needs: build-wheels + sdist) on refs/tags/v*:
     - Environment `pypi` with `id-token: write` permission, using the
       pypa/gh-action-pypi-publish@release/v1 trusted-publisher action.
     - No PyPI API token stored as a GitHub secret; the job mints a
       short-lived OIDC token via the trusted-publisher mechanism.

External setup still required (documented in the brief, needs to be
done on PyPI's side before the first tag push):
  - Log in to pypi.org, register the `wlsqm` package name if not taken,
    go to Publishing settings, add a trusted publisher with:
      - Repository: Technologicat/python-wlsqm
      - Workflow: ci.yml
      - Environment: pypi
  - On GitHub, create the `pypi` environment for this repo.

Dev-dep changes (pyproject.toml + pdm.lock):
  - Add `build` so `python -m build --sdist` works locally for pre-
    release sanity checks, matching the CI sdist step.
  - Add `pyyaml` so that .github/workflows/*.yml can be validated from
    the dev venv without a separate install.

Verified locally: ruff clean (blocking + SIM103), cython-lint clean,
pytest 57/57 green, `python -m build --sdist` produces a self-contained
wlsqm-1.0.0.tar.gz including every .pyx/.pxd and meson.build.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Technologicat

.github/workflows/ci.yml

@@ -0,0 +1,127 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+    tags: ["v*"]
+  pull_request:
+    branches: [master]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.14"
+
+      - name: Install linters
+        run: pip install ruff cython-lint
+
+      - name: Lint Python with ruff
+        run: ruff check . --ignore SIM103
+      - name: Lint advisories (non-blocking)
+        run: ruff check . --select SIM103 || true
+
+      - name: Lint Cython
+        run: >
+          cython-lint
+          wlsqm/fitter/defs.pyx wlsqm/fitter/defs.pxd
+          wlsqm/fitter/infra.pyx wlsqm/fitter/infra.pxd
+          wlsqm/fitter/impl.pyx wlsqm/fitter/impl.pxd
+          wlsqm/fitter/polyeval.pyx wlsqm/fitter/polyeval.pxd
+          wlsqm/fitter/interp.pyx wlsqm/fitter/interp.pxd
+          wlsqm/fitter/simple.pyx wlsqm/fitter/simple.pxd
+          wlsqm/fitter/expert.pyx
+          wlsqm/utils/lapackdrivers.pyx wlsqm/utils/lapackdrivers.pxd
+          wlsqm/utils/ptrwrap.pyx wlsqm/utils/ptrwrap.pxd
+          || true
+
+  test:
+    needs: lint
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ["3.11", "3.12", "3.13", "3.14"]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      # Apple Clang does not ship an OpenMP runtime; install libomp so that
+      # meson's `dependency('openmp', required: false)` can find it. If meson
+      # still cannot discover it the build falls back to serial and the tests
+      # still pass, but installing libomp keeps the macOS runner on the same
+      # parallel code path as Linux/Windows whenever possible.
+      - name: Install libomp (macOS)
+        if: runner.os == 'macOS'
+        run: brew install libomp
+
+      - name: Install build and test dependencies
+        run: pip install meson-python meson ninja Cython numpy scipy pytest
+
+      - name: Install wlsqm
+        run: pip install --no-build-isolation -e .
+
+      - name: Run tests
+        run: pytest tests/ -v
+
+  build-wheels:
+    needs: test
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v6
+
+      # cibuildwheel config lives in pyproject.toml ([tool.cibuildwheel]) —
+      # build list, skip list, test-requires, test-command, and the macOS
+      # before-all that installs libomp.
+      - uses: pypa/cibuildwheel@v3.4
+
+      - uses: actions/upload-artifact@v7
+        with:
+          name: wheels-${{ matrix.os }}
+          path: wheelhouse/*.whl
+
+  sdist:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.14"
+      - run: pip install build
+      - run: python -m build --sdist
+      - uses: actions/upload-artifact@v7
+        with:
+          name: sdist
+          path: dist/*.tar.gz
+
+  publish:
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: [build-wheels, sdist]
+    runs-on: ubuntu-latest
+    # Requires the `pypi` environment to be configured on GitHub with a
+    # trusted publisher for this repo + workflow + environment. No API token
+    # stored as a secret; the job mints a short-lived OIDC token instead.
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v8
+        with:
+          path: dist/
+          merge-multiple: true
+
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/

pdm.lock

@@ -141,4 +141,9 @@ dev = [
     "meson-python>=0.17",
     "meson",
     "ninja",
+    # For local pre-release sanity checks: `python -m build --sdist`
+    # exercises the same sdist path that CI runs on tag push.
+    "build",
+    # For validating .github/workflows/*.yml during local dev (not used at runtime).
+    "pyyaml>=6.0.3",
 ]