Skip to content

Modernize packaging, tooling, and CI#60

Open
splch wants to merge 8 commits into
mainfrom
modernize-packaging
Open

Modernize packaging, tooling, and CI#60
splch wants to merge 8 commits into
mainfrom
modernize-packaging

Conversation

@splch

@splch splch commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Modernizes both packages off setup.py to a uv workspace with current tooling, plus CI and release automation. No library behavior changes beyond supporting current cirq.

  • Packaging: pyproject.toml + uv workspace (replaces setup.py/requirements.txt); Python floor raised to 3.11; both packages now ship py.typed.
  • Dependencies: cirq/cirq-google bumped to >=1.6,<2 (new gates wrapped); dropped unused astor and pytype.
  • Tooling: ruff (lint + format) replaces black + pylint; ty type-checking as a blocking gate; 99% coverage gate. Config consolidated into pyproject.toml.
  • CI: rewritten on uv with SHA-pinned actions (lint, type-check, test on 3.11-3.13, pip-audit); added a tag-driven release workflow using PyPI Trusted Publishing.
  • Hygiene: CHANGELOG.md, SECURITY.md, Dependabot, and issue/PR templates.

Test plan

uv run pytest (285 pass, 99% coverage), uv run ruff check, uv run ruff format --check, and uv run ty check all green.

Note: each PyPI project needs its trusted publisher configured before the first OIDC release.

splch added 4 commits June 5, 2026 11:47
- Replace setup.py and requirements.txt with PEP 621 pyproject.toml for
  both packages, grouped under a uv workspace with a committed uv.lock.
- Raise the Python floor to 3.11 (required by cirq 1.6) and add py.typed
  markers so the type hints ship to downstreams.
- Drop unused runtime deps (astor, pytype) and the pre-3.8
  typing-extensions guard; ship a per-package LICENSE.
- Bump cirq and cirq-google to >=1.6,<2 and wrap the gates 1.6 added
  (UniformSuperpositionGate; google WillowGate, AnalogDetuneQubit,
  AnalogDetuneCouplerOnly); exclude new google and testing gates from
  the gate-mirror test.
- Replace black and pylint with ruff (lint + format); consolidate all
  tool config into the root pyproject.
- Apply ruff autofixes: import sorting and PEP 585/604 typing across
  both packages.
- Add ty type checking, scoped to source and advisory in CI for now.
- Add a 99% pytest coverage gate (migrated from ci/.coveragerc).
- Rewrite CI on uv with SHA-pinned actions, least-privilege
  permissions, concurrency, and a 3.11-3.13 matrix.
- Add a pre-commit config and a modern CONTRIBUTING.md.
- Remove the superseded ci/ scripts and configs.
- Exclude testing_samples.py from ruff to preserve its
  line-number-sensitive tests.
Resolve all 75 ty diagnostics so type-checking can become a required CI
job (drop continue-on-error).

Real fixes:
- Annotate build()/_build() func params as types.FunctionType so the
  __globals__/__closure__/__code__ accesses and the _BuildTransformer
  call resolve; add the importlib.util import and assert the loaded spec
  is not None before use.
- Guard cirq_blqs_op __str__ with getattr for __name__, which a
  functools.partial factory does not have (previously a latent error).
- Annotate the wait() sympy parameters as Expr rather than Basic to
  match cirq.
- Drop the dead pre-3.8 typing_extensions Protocol fallback in both
  protocols modules now that the floor is 3.11.

Scoped ty config (documented in pyproject):
- Exclude tests, sample programs, and notebooks from type-checking.
- Ignore unresolved-attribute/not-subscriptable in the build-rewrite
  modules, which manipulate gast's untyped dynamic AST nodes.
- Ignore unresolved-attribute in the cirq gate module, where cirq
  assigns gate constants dynamically (covered by the gate-mirror tests).
Complete the modernization with release automation and project files:

- release.yml: tag-triggered publishing via PyPI Trusted Publishing (OIDC,
  no tokens). Per-package tags (blqs-v* and blqs-cirq-v*) since the two
  distributions version independently; the job verifies the tag matches the
  package's _version.py and builds only that package with uv.
- CI: add a pip-audit job that audits the resolved dependency set.
- CHANGELOG.md (Keep a Changelog) and SECURITY.md.
- Dependabot for the github-actions and uv ecosystems.
- Issue forms and a pull request template.

All GitHub Actions are pinned to commit SHAs.
@cla-bot cla-bot Bot added the cla-signed label Jun 5, 2026
@splch splch self-assigned this Jun 5, 2026

@antalszava antalszava left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very cool changes! 🙌 A few minor comments and some minor adjustments may be required, otherwise lgtm 💯

Comment thread .github/ISSUE_TEMPLATE/bug_report.yml Outdated
Comment thread .github/ISSUE_TEMPLATE/bug_report.yml Outdated
id: versions
attributes:
label: Versions
description: Output of `python -c "import blqs; print(blqs.__version__)"` (and cirq if relevant) plus your Python version.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(minor:)
-(and cirq if relevant) plus your Python version. short code could be added for these too

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

definitely, i added code formatting for the cirq and python version bits too :)

url: https://github.com/ionq/blqs/security/advisories/new
about: Please report security issues privately, not as a public issue.
- name: Question or discussion
url: https://github.com/ionq/blqs/discussions

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

afaik this has to be turned on in the Settings of the repo - it doesn't exist atm.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch! discussions has to be enabled in the repo settings so i'll ask. if we'd rather not turn it on i can point this at issues instead

Comment thread .github/ISSUE_TEMPLATE/feature_request.yml Outdated
Comment thread .github/ISSUE_TEMPLATE/feature_request.yml Outdated
Comment thread .github/workflows/blqs-ci.yml Outdated
strategy:
fail-fast: false
matrix:
python-version: ["3.11", "3.12", "3.13"]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why no 3.14?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

turns out there's no reason anymore, cirq supports 3.14 now and the tests pass on it. i added it to the matrix :)

with:
enable-cache: true
- run: uv sync
- run: uv run ty check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(minor:) why is this a separate step from lint?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just so lint and type errors fail as separate checks (and they run in parallel). i'm happy to fold them into one job if you'd prefer!

Comment thread SECURITY.md
Please do not open a public issue for security vulnerabilities.

Report privately through GitHub's
[private vulnerability reporting](https://github.com/ionq/blqs/security/advisories/new)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

page not found error on the link

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yeah, that page 404s until private vulnerability reporting is enabled in the settings. i'll ask for that too, and the email fallback works in the meantime

Comment thread blqs/blqs/_ast.py

for old, new in zip(walk_ast(annotated_ast), walk_ast(new_ast)):
if hasattr(old, "original_lineno"):
for old, new in zip(walk_ast(annotated_ast), walk_ast(new_ast), strict=False):

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why was strict=False set here?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the bare zip predates this PR, ruff just makes the choice explicit now. and it turns out strict=False is needed since the two walks can differ in length... strict=True actually breaks tests. i added a comment noting that :)

elif [[ "$tag" == blqs-v* ]]; then
pkg="blqs"; dir="blqs"; ver="${tag#blqs-v}"
else
echo "::error::Unrecognized tag '$tag'"; exit 1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this error now abort the entire workflow? i.e., will no tags be published to PyPi?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no just that tag's run. each tag kicks off its own workflow and the check runs before anything is built or published, so a bad tag can't block the other package. this branch is really just a guard, the tag filters make it unreachable

splch and others added 4 commits June 10, 2026 11:15
Co-authored-by: antalszava <antalszava@gmail.com>
blqs-cirq's published wheel declared an unbounded `blqs` requirement (the
workspace source is stripped from built artifacts), letting any future
breaking blqs release satisfy old blqs-cirq installs. CI's unconditional
cancel-in-progress also canceled the in-flight main run when merges landed
back-to-back, leaving commits never-green.
- Format-check notebooks again (dropped with black[jupyter]); linting them
  stays off since demo code is deliberately loose.
- Replace the file-wide ty unresolved-attribute override on gates.py with
  per-line ignores on the 11 dynamically-assigned cirq constants, restoring
  type coverage for the rest of the file.
- Document why ty excludes *_test.py (the dynamic DSL produces ~300
  structural false positives there).
- Drop the dead "coverage: ignore" token and its eight no-op markers
  (coverage unchanged: 99.09%).
- Repoint blqs/README's deleted requirements.txt link at pyproject.toml.
- Have dependabot keep the pre-commit ruff rev in step with uv.lock.
- Upgrade locked cryptography to 49.0.0, past GHSA-537c-gmf6-5ccf, so the
  audit job passes again.
- Test on Python 3.14 in CI and add the 3.14 classifier to both packages.
- Format the version commands in the bug report template as code.
- Document why gast_to_ast's zip must not be strict.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants