Sync feature/detections-api-integration with trustyai-explainability/NeMo-Guardrails:develop

Author: srikartondapu

.devcontainer/Dockerfile

@@ -1,6 +1,6 @@
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/python-3/.devcontainer/base.Dockerfile
 
-# [Choice] Python version (use -bullseye variants on local arm64/Apple Silicon): 3, 3.10, 3.9, 3.8, 3.7, 3.6, 3-bullseye, 3.10-bullseye, 3.9-bullseye, 3.8-bullseye, 3.7-bullseye, 3.6-bullseye, 3-buster, 3.10-buster, 3.9-buster, 3.8-buster, 3.7-buster, 3.6-buster
+# [Choice] Python version (use -bullseye variants on local arm64/Apple Silicon): 3, 3.13, 3.12, 3.11, 3.10, 3-bullseye, 3.13-bullseye, 3.12-bullseye, 3.11-bullseye, 3.10-bullseye, 3-buster, 3.13-buster, 3.12-buster, 3.11-buster, 3.10-buster
 ARG VARIANT="3.10-bullseye"
 FROM mcr.microsoft.com/vscode/devcontainers/python:0-${VARIANT}
 

.devcontainer/devcontainer.json

@@ -6,7 +6,7 @@
 		"dockerfile": "Dockerfile",
 		"context": "..",
 		"args": {
-			// Update 'VARIANT' to pick a Python version: 3, 3.10, 3.9, 3.8, 3.7, 3.6
+			// Update 'VARIANT' to pick a Python version: 3, 3.13, 3.12, 3.11, 3.10
 			// Append -bullseye or -buster to pin to an OS version.
 			// Use -bullseye variants on local on arm64/Apple Silicon.
 			"VARIANT": "3.10-bullseye",

.github/workflows/_test.yml

@@ -23,6 +23,11 @@ on:
         required: false
         default: false
         type: boolean
+      with-coverage:
+        description: "Whether to run tests with coverage reporting"
+        required: false
+        default: false
+        type: boolean
 
 defaults:
   run:
@@ -89,8 +94,23 @@ jobs:
             poetry install --with dev
           fi
 
-      - name: Run pre-commit hooks
-        run: poetry run make pre_commit
+      - name: Run pytest with coverage
+        if: inputs.with-coverage
+        run: poetry run pytest --cov=nemoguardrails tests/ --cov-report=xml:coverage.xml -v
 
-      - name: Run pytest
+      - name: Run pytest without coverage
+        if: inputs.with-coverage == false
         run: poetry run pytest -v
+
+      - name: Upload coverage to Codecov
+        if: inputs.with-coverage
+        uses: codecov/codecov-action@v5
+        with:
+          directory: ./coverage/reports/
+          env_vars: PYTHON
+          fail_ci_if_error: true
+          files: ./coverage.xml
+          flags: python
+          name: codecov-umbrella
+          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true

.github/workflows/docs-build.yaml

@@ -74,7 +74,7 @@ jobs:
                   path: pr/
 
     store-html:
-        if: github.event_name == 'push' && github.repository_owner == 'NVIDIA'
+        if: github.event_name == 'push' && github.repository_owner == 'NVIDIA-NeMo'
         needs: [build-docs]
         runs-on: ubuntu-latest
         steps:

.github/workflows/full-tests.yml

@@ -19,7 +19,7 @@ jobs:
     strategy:
       matrix:
         os: [Windows, macOS] # exclude Ubuntu as it is available in pr-tests
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
         include:
           - os: Windows
             image: windows-2022

.github/workflows/latest-deps-tests.yml

@@ -9,13 +9,13 @@ jobs:
   latest-deps-tests-matrix:
     strategy:
       matrix:
-        os: [Ubuntu]
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        os: [Ubuntu, macOS, Windows]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
         include:
           - os: Ubuntu
             image: ubuntu-latest
           - os: macOS
-            image: macos-15
+            image: macos-latest
           - os: Windows
             image: windows-latest
       fail-fast: false

.github/workflows/lint.yml

@@ -0,0 +1,54 @@
+name: Lint
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+
+env:
+  POETRY_VERSION: 1.8.2
+  PYTHON_VERSION: "3.11"
+
+jobs:
+  lint:
+    name: Lint Code
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Get full Python version
+        id: full-python-version
+        run: echo "version=$(python -c "import sys; print('-'.join(str(v) for v in sys.version_info))")" >> $GITHUB_OUTPUT
+
+      - name: Bootstrap poetry
+        run: |
+          curl -sSL https://install.python-poetry.org | POETRY_VERSION=${{ env.POETRY_VERSION }} python -
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Configure poetry
+        run: poetry config virtualenvs.in-project true
+
+      - name: Set up cache
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: .venv
+          key: venv-${{ runner.os }}-${{ steps.full-python-version.outputs.version }}-${{ hashFiles('**/poetry.lock') }}
+
+      - name: Ensure cache is healthy
+        if: steps.cache.outputs.cache-hit == 'true'
+        run: timeout 10s poetry run pip --version || rm -rf .venv
+
+      - name: Install dependencies
+        run: poetry install --with dev
+
+      - name: Run pre-commit hooks
+        run: poetry run make pre_commit

.github/workflows/pr-tests-skip.yml

@@ -0,0 +1,14 @@
+name: Skip PR Tests
+
+on:
+  pull_request:
+    paths:
+      - "**/*.md"
+      - ".github/**"
+
+jobs:
+  pr-tests-summary:
+    name: PR Tests Summary
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Tests skipped (no code changes)"

.github/workflows/pr-tests.yml

@@ -1,28 +1,30 @@
 name: PR Tests
 
 on:
-  push:
-
   pull_request:
-    # we don't ignore markdkowns to run pre-commits
     paths-ignore:
+      - "**/*.md"
       - ".github/**"
 
 jobs:
   pr-tests-matrix:
     strategy:
       matrix:
         os: [Ubuntu]
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
         include:
           - os: Ubuntu
             image: ubuntu-latest
+          - python-version: "3.11"
+            with-coverage: true
       fail-fast: false
     uses: ./.github/workflows/_test.yml
+    secrets: inherit
     with:
       os: ${{ matrix.os }}
       image: ${{ matrix.image }}
       python-version: ${{ matrix.python-version }}
+      with-coverage: ${{ matrix.with-coverage || false }}
   pr-tests-summary:
     name: PR Tests Summary
     needs: pr-tests-matrix

.github/workflows/publish-pypi-approval.yml

@@ -0,0 +1,119 @@
+name: Publish to PyPI (with Approval)
+
+on:
+  workflow_run:
+    workflows: ["Build and Test Distribution"]
+    types:
+      - completed
+
+jobs:
+  publish-pypi:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi-production
+      url: https://pypi.org/project/nemoguardrails/
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Detect version tag from workflow event
+        id: version
+        run: |
+          HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
+
+          echo "Workflow triggered by: $HEAD_BRANCH"
+
+          if [[ "$HEAD_BRANCH" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            TAG_NAME="$HEAD_BRANCH"
+            VERSION="${TAG_NAME#v}"
+
+            echo "version=${VERSION}" >> $GITHUB_OUTPUT
+            echo "tag=${TAG_NAME}" >> $GITHUB_OUTPUT
+            echo "artifact_name=${TAG_NAME}-build" >> $GITHUB_OUTPUT
+
+            echo "✅ Detected version tag: $TAG_NAME"
+            echo "   Version: $VERSION"
+            echo "   Artifact: ${TAG_NAME}-build"
+          else
+            echo "❌ Not triggered by a version tag: $HEAD_BRANCH"
+            echo "This workflow should only run for version tags (vX.Y.Z)"
+            exit 1
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.version.outputs.tag }}
+          fetch-depth: 0
+
+      - name: Validate version matches tag
+        run: |
+          VERSION_IN_FILE=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
+          TAG_VERSION="${{ steps.version.outputs.version }}"
+          if [ "$VERSION_IN_FILE" != "$TAG_VERSION" ]; then
+            echo "❌ Version mismatch: pyproject.toml=$VERSION_IN_FILE, tag=$TAG_VERSION"
+            exit 1
+          fi
+          echo "✅ Version validated: $VERSION_IN_FILE matches tag $TAG_VERSION"
+
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ steps.version.outputs.artifact_name }}
+          path: dist
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: List files
+        run: ls -la dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          verbose: true
+          packages-dir: dist/
+          attestations: true
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          TAG_NAME="${{ steps.version.outputs.tag }}"
+
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          CHANGELOG_SECTION=$(awk -v version="${{ steps.version.outputs.version }}" '
+            /^## \[/ {
+              if (found) exit
+              if ($0 ~ "\\[" version "\\]") {
+                found=1
+                next
+              }
+            }
+            found && /^## \[/ { exit }
+            found { print }
+          ' CHANGELOG.md || echo "No changelog entry found for this version.")
+
+          echo "$CHANGELOG_SECTION" > release_notes.md
+
+          if gh release view "$TAG_NAME" --repo ${{ github.repository }} >/dev/null 2>&1; then
+            echo "ℹ️ Release $TAG_NAME already exists, skipping creation"
+          else
+            if gh release create "$TAG_NAME" \
+              --draft \
+              --title "$TAG_NAME" \
+              --notes-file release_notes.md \
+              --repo ${{ github.repository }}; then
+              echo "✅ Release $TAG_NAME created successfully"
+            else
+              echo "❌ Failed to create release $TAG_NAME" >&2
+              rm -f release_notes.md
+              exit 1
+            fi
+          fi
+
+          rm -f release_notes.md