Modernize packaging, tooling, and CI#60
Conversation
- Replace setup.py and requirements.txt with PEP 621 pyproject.toml for both packages, grouped under a uv workspace with a committed uv.lock. - Raise the Python floor to 3.11 (required by cirq 1.6) and add py.typed markers so the type hints ship to downstreams. - Drop unused runtime deps (astor, pytype) and the pre-3.8 typing-extensions guard; ship a per-package LICENSE. - Bump cirq and cirq-google to >=1.6,<2 and wrap the gates 1.6 added (UniformSuperpositionGate; google WillowGate, AnalogDetuneQubit, AnalogDetuneCouplerOnly); exclude new google and testing gates from the gate-mirror test.
- Replace black and pylint with ruff (lint + format); consolidate all tool config into the root pyproject. - Apply ruff autofixes: import sorting and PEP 585/604 typing across both packages. - Add ty type checking, scoped to source and advisory in CI for now. - Add a 99% pytest coverage gate (migrated from ci/.coveragerc). - Rewrite CI on uv with SHA-pinned actions, least-privilege permissions, concurrency, and a 3.11-3.13 matrix. - Add a pre-commit config and a modern CONTRIBUTING.md. - Remove the superseded ci/ scripts and configs. - Exclude testing_samples.py from ruff to preserve its line-number-sensitive tests.
Resolve all 75 ty diagnostics so type-checking can become a required CI job (drop continue-on-error). Real fixes: - Annotate build()/_build() func params as types.FunctionType so the __globals__/__closure__/__code__ accesses and the _BuildTransformer call resolve; add the importlib.util import and assert the loaded spec is not None before use. - Guard cirq_blqs_op __str__ with getattr for __name__, which a functools.partial factory does not have (previously a latent error). - Annotate the wait() sympy parameters as Expr rather than Basic to match cirq. - Drop the dead pre-3.8 typing_extensions Protocol fallback in both protocols modules now that the floor is 3.11. Scoped ty config (documented in pyproject): - Exclude tests, sample programs, and notebooks from type-checking. - Ignore unresolved-attribute/not-subscriptable in the build-rewrite modules, which manipulate gast's untyped dynamic AST nodes. - Ignore unresolved-attribute in the cirq gate module, where cirq assigns gate constants dynamically (covered by the gate-mirror tests).
Complete the modernization with release automation and project files: - release.yml: tag-triggered publishing via PyPI Trusted Publishing (OIDC, no tokens). Per-package tags (blqs-v* and blqs-cirq-v*) since the two distributions version independently; the job verifies the tag matches the package's _version.py and builds only that package with uv. - CI: add a pip-audit job that audits the resolved dependency set. - CHANGELOG.md (Keep a Changelog) and SECURITY.md. - Dependabot for the github-actions and uv ecosystems. - Issue forms and a pull request template. All GitHub Actions are pinned to commit SHAs.
antalszava
left a comment
There was a problem hiding this comment.
Very cool changes! 🙌 A few minor comments and some minor adjustments may be required, otherwise lgtm 💯
| id: versions | ||
| attributes: | ||
| label: Versions | ||
| description: Output of `python -c "import blqs; print(blqs.__version__)"` (and cirq if relevant) plus your Python version. |
There was a problem hiding this comment.
(minor:)
-(and cirq if relevant) plus your Python version. short code could be added for these too
There was a problem hiding this comment.
definitely, i added code formatting for the cirq and python version bits too :)
| url: https://github.com/ionq/blqs/security/advisories/new | ||
| about: Please report security issues privately, not as a public issue. | ||
| - name: Question or discussion | ||
| url: https://github.com/ionq/blqs/discussions |
There was a problem hiding this comment.
afaik this has to be turned on in the Settings of the repo - it doesn't exist atm.
There was a problem hiding this comment.
good catch! discussions has to be enabled in the repo settings so i'll ask. if we'd rather not turn it on i can point this at issues instead
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| python-version: ["3.11", "3.12", "3.13"] |
There was a problem hiding this comment.
turns out there's no reason anymore, cirq supports 3.14 now and the tests pass on it. i added it to the matrix :)
| with: | ||
| enable-cache: true | ||
| - run: uv sync | ||
| - run: uv run ty check |
There was a problem hiding this comment.
(minor:) why is this a separate step from lint?
There was a problem hiding this comment.
just so lint and type errors fail as separate checks (and they run in parallel). i'm happy to fold them into one job if you'd prefer!
| Please do not open a public issue for security vulnerabilities. | ||
|
|
||
| Report privately through GitHub's | ||
| [private vulnerability reporting](https://github.com/ionq/blqs/security/advisories/new) |
There was a problem hiding this comment.
ah yeah, that page 404s until private vulnerability reporting is enabled in the settings. i'll ask for that too, and the email fallback works in the meantime
|
|
||
| for old, new in zip(walk_ast(annotated_ast), walk_ast(new_ast)): | ||
| if hasattr(old, "original_lineno"): | ||
| for old, new in zip(walk_ast(annotated_ast), walk_ast(new_ast), strict=False): |
There was a problem hiding this comment.
the bare zip predates this PR, ruff just makes the choice explicit now. and it turns out strict=False is needed since the two walks can differ in length... strict=True actually breaks tests. i added a comment noting that :)
| elif [[ "$tag" == blqs-v* ]]; then | ||
| pkg="blqs"; dir="blqs"; ver="${tag#blqs-v}" | ||
| else | ||
| echo "::error::Unrecognized tag '$tag'"; exit 1 |
There was a problem hiding this comment.
does this error now abort the entire workflow? i.e., will no tags be published to PyPi?
There was a problem hiding this comment.
no just that tag's run. each tag kicks off its own workflow and the check runs before anything is built or published, so a bad tag can't block the other package. this branch is really just a guard, the tag filters make it unreachable
Co-authored-by: antalszava <antalszava@gmail.com>
blqs-cirq's published wheel declared an unbounded `blqs` requirement (the workspace source is stripped from built artifacts), letting any future breaking blqs release satisfy old blqs-cirq installs. CI's unconditional cancel-in-progress also canceled the in-flight main run when merges landed back-to-back, leaving commits never-green.
- Format-check notebooks again (dropped with black[jupyter]); linting them stays off since demo code is deliberately loose. - Replace the file-wide ty unresolved-attribute override on gates.py with per-line ignores on the 11 dynamically-assigned cirq constants, restoring type coverage for the rest of the file. - Document why ty excludes *_test.py (the dynamic DSL produces ~300 structural false positives there). - Drop the dead "coverage: ignore" token and its eight no-op markers (coverage unchanged: 99.09%). - Repoint blqs/README's deleted requirements.txt link at pyproject.toml. - Have dependabot keep the pre-commit ruff rev in step with uv.lock.
- Upgrade locked cryptography to 49.0.0, past GHSA-537c-gmf6-5ccf, so the audit job passes again. - Test on Python 3.14 in CI and add the 3.14 classifier to both packages. - Format the version commands in the bug report template as code. - Document why gast_to_ast's zip must not be strict.
Summary
Modernizes both packages off
setup.pyto a uv workspace with current tooling, plus CI and release automation. No library behavior changes beyond supporting current cirq.pyproject.toml+ uv workspace (replacessetup.py/requirements.txt); Python floor raised to 3.11; both packages now shippy.typed.cirq/cirq-googlebumped to>=1.6,<2(new gates wrapped); dropped unusedastorandpytype.ruff(lint + format) replaces black + pylint;tytype-checking as a blocking gate; 99% coverage gate. Config consolidated intopyproject.toml.CHANGELOG.md,SECURITY.md, Dependabot, and issue/PR templates.Test plan
uv run pytest(285 pass, 99% coverage),uv run ruff check,uv run ruff format --check, anduv run ty checkall green.Note: each PyPI project needs its trusted publisher configured before the first OIDC release.