Installation & CI
Overview
Section titled “Overview”The autosre repository enforces code quality and deployment safety through a combination of a local installer, pre-push git hooks, and GitHub Actions workflows. The installer (install.sh) bootstraps the Python environment and CLI, while the pre-push hook ensures that local development mirrors the CI pipeline’s linting, formatting, and testing standards before code is shared. Additionally, a specific guard within the hook prevents accidental pushes of non-release branches to the public repository, maintaining a clean release history.
System Installer
Section titled “System Installer”The install.sh script provides a non-interactive or interactive bootstrap for the autosre CLI and its dependencies 1. It requires Python 3.14+ and kubectl (though kubectl is noted as required for the k3s stack deployment rather than the CLI itself). The script detects the execution environment, automatically enabling non-interactive mode if standard input or output is not a terminal.
Key steps in the installation process include:
- Validating the Python version (major 3, minor 14+).
- Installing
clickandhttpxvia pip. - Installing the
autosrepackage in editable mode (-e .). - Running
autosre setup. - Optionally setting up local web research MCP servers if the
claudeCLI is detected.
Upon completion, the script provides quick-start commands such as autosre k3s up, autosre start, and autosre test. In interactive mode, it prompts the user to scale vLLM up immediately.
Git Hooks for CI Parity
Section titled “Git Hooks for CI Parity”The repository includes a pre-push hook located in .githooks/pre-push 2. This hook serves two primary purposes: ensuring CI parity locally and guarding the public release repository.
CI Parity Gate
Section titled “CI Parity Gate”The hook runs the exact same test lanes defined in the GitHub Actions CI workflow against the local .venv. This ensures that a successful local push implies a successful CI run. The lanes executed are:
ruff checkonautosre/andtests/.ruff format --checkonautosre/andtests/.mypyonautosre/.pytestontests/(ignoringtests/integration).
If any lane fails, the push is aborted. If the local virtual environment is missing, the hook instructs the user to create it using python -m venv .venv && .venv/bin/pip install -e '.[dev]'.
Push-Target Guard
Section titled “Push-Target Guard”Configuration
Section titled “Configuration”Hooks are stored in the repository but are opt-in per checkout 3. To enable them, run:
git config core.hooksPath .githooksTo bypass the checks for an intentional push, use git push --no-verify 2.
GitHub Actions Workflows
Section titled “GitHub Actions Workflows”The CI pipeline is defined in .github/workflows/ci.yml 4. It triggers on pushes and pull requests to main and dev branches. The workflow uses concurrency groups to cancel in-progress runs for the same branch.
The pipeline consists of four jobs:
- Lint (ruff): Runs
ruff checkandruff format --checkonautosre/andtests/. - Type check (mypy –strict): Runs
mypyonautosre/. - Tests (pytest): Runs
pytestontests/, ignoringtests/integration. - Recipe perf gate: Runs only on pull requests. It checks recipe performance parameters against the base branch using
python -m autosre.hooks_backend.recipe_ci_check.
All jobs use ubuntu-latest runners and Python 3.14. They install dev dependencies via pip install -e '.[dev]' before running their respective checks.
#!/bin/bash
# Auto-SRE installer
# Usage: ./install.sh [--yes]
# --yes, -y: Non-interactive mode (skip prompts)
set -e
AUTO_YES=false
SKIP_START=false
for arg in "$@"; do
case $arg in
--yes|-y)
AUTO_YES=true
;;
--skip-start)
SKIP_START=true
;;
esac
done
# Detect if running non-interactively (piped or no tty)
if [[ ! -t 0 ]] || [[ ! -t 1 ]]; then
AUTO_YES=true
fi
echo "=== Auto-SRE Installer ==="
echo ""
if command -v kubectl &> /dev/null; then
echo "kubectl: found"
else
echo "kubectl: not found (k3s is required; deploy the stack with 'autosre k3s up')"
fi
echo ""
# Check Python
if ! command -v python3 &> /dev/null; then
echo "ERROR: Python 3 is required"
echo "Install Python 3.14+ and try again"
exit 1
#!/usr/bin/env python3
"""pre-push hook for autosre.
Two responsibilities, run on every ``git push``:
1. **CI parity gate** - run the exact lanes that ``.github/workflows/ci.yml``
runs (ruff check, ruff format --check, mypy strict, pytest) against the repo
``.venv`` so that a green local push implies a green CI run. Any failing lane
aborts the push.
2. **Push-target guard** - block pushing dev/non-release refs to the PUBLIC
release repo (sddcinfo/autosre.git). Dev work lives in
sddcinfo/autosre-private.git; the public repo is release-only (main +
release/*). On 2026-05-22 dev recipes were accidentally pushed to public -
this guard prevents recurrence.
Enable per-checkout (one-time): git config core.hooksPath .githooks
Bypass for an intentional push: git push --no-verify <remote> <refs...>
"""
from __future__ import annotations
import re
import subprocess
import sys
from pathlib import Path
_PUBLIC_RELEASE_BRANCHES = re.compile(r"^refs/heads/(main|release/.*)$")
_DELETE_SHA = "0" * 40
_REPO_ROOT = Path(__file__).resolve().parent.parent
_VENV_PYTHON = _REPO_ROOT / ".venv" / "bin" / "python"
# The exact lanes from .github/workflows/ci.yml, in order.
_CI_LANES: list[tuple[str, list[str]]] = [
("ruff check", ["-m", "ruff", "check", "autosre/", "tests/"]),
("ruff format --check", ["-m", "ruff", "format", "--check", "autosre/", "tests/"]),
("mypy", ["-m", "mypy", "autosre/"]),
("pytest", ["-m", "pytest", "tests/", "--ignore=tests/integration", "-q"]),
]
# autosre git hooks (committed, opt-in)
Lives in the repo so every checkout shares the same hooks. Enable per checkout
once:
```
git config core.hooksPath .githooks
```
## `pre-push`
Runs on every push and does two things:
1. **CI parity gate.** Runs the exact lanes from `.github/workflows/ci.yml`
(`ruff check`, `ruff format --check`, `mypy autosre/`, `pytest tests/
--ignore=tests/integration -q`) against the repo `.venv`, so a green local
push implies a green CI run. Any failing lane aborts the push.
2. **Push-target guard.** Blocks pushing dev/non-release refs to the **public**
release repo (`sddcinfo/autosre.git`). Dev work belongs on **private**
(`sddcinfo/autosre-private.git`); the public repo is release-only (main +
release/\*).
Trigger for the guard: a checkout has both remotes configured and someone runs
`git push <public-remote> dev` (or any non-release ref). On 2026-05-22 dev
recipes were accidentally pushed to public this way; this hook prevents
recurrence.
Bypass either check for an intentional push: `git push --no-verify <remote> <refs>`.
name: CI
on:
push:
branches: [main, dev]
pull_request:
branches: [main, dev]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
lint:
name: Lint (ruff)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.14"
- name: Install dev dependencies
run: pip install -e '.[dev]'
- name: ruff check
run: ruff check autosre/ tests/
- name: ruff format --check
run: ruff format --check autosre/ tests/
typecheck:
name: Type check (mypy --strict)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.14"
- name: Install dev dependencies
run: pip install -e '.[dev]'
- name: mypy
run: mypy autosre/