Migrate scripts/ from bash to Python with pytest coverage

.github/workflows/build.yml

@@ -21,12 +21,16 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
       - name: resolve newest pair
         id: pair
         run: |
-          cli="$(./scripts/newest-pair.sh --stellar-cli-version)"
-          rust="$(./scripts/newest-pair.sh --rust-version)"
-          tag="$(./scripts/tag-names.sh \
+          cli="$(./scripts/newest_pair.py --stellar-cli-version)"
+          rust="$(./scripts/newest_pair.py --rust-version)"
+          tag="$(./scripts/tag_names.py \
             --stellar-cli-version "$cli" --rust-version "$rust")"
           {
             echo "cli=$cli"
@@ -35,18 +39,18 @@ jobs:
           } >> "$GITHUB_OUTPUT"
       - name: build image
         run: |
-          ./scripts/build-image.sh \
+          ./scripts/build_image.py \
             --stellar-cli-version "${{ steps.pair.outputs.cli }}" \
             --rust-version "${{ steps.pair.outputs.rust }}"
       - name: smoke test
         run: |
-          ./scripts/smoke-test-image.sh \
+          ./scripts/smoke_test_image.py \
             --image "${{ steps.pair.outputs.image }}" \
             --stellar-cli-version "${{ steps.pair.outputs.cli }}" \
             --rust-version "${{ steps.pair.outputs.rust }}"
       - name: wasm reproducibility
         run: |
-          ./scripts/repro-test.sh \
+          ./scripts/repro_test.py \
             --image "${{ steps.pair.outputs.image }}"
 
   complete:

.github/workflows/lint.yml

@@ -17,10 +17,12 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: install check-jsonschema
-        run: pipx install check-jsonschema
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
       - name: validate JSON files
-        run: ./scripts/validate-json.sh
+        run: ./scripts/validate_json.py
 
   dockerfile:
     name: hadolint
@@ -34,44 +36,55 @@ jobs:
           dockerfile: Dockerfile
           config: .hadolint.yaml
 
-  shellcheck:
-    name: shellcheck
+  python:
+    name: ruff
     runs-on: ubuntu-24.04
     steps:
       - name: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: shellcheck
-        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
-          scandir: scripts
-          severity: style
+          enable-cache: true
+      - name: ruff check
+        run: uv run ruff check scripts/ tests/
+      - name: ruff format
+        run: uv run ruff format --check scripts/ tests/
 
-  shell:
-    name: validate shell
+  matrix-smoke:
+    name: resolve-matrix smoke
     runs-on: ubuntu-24.04
     steps:
       - name: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: validate shell scripts
-        run: ./scripts/validate-shell.sh
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
+      - name: resolve and validate matrix
+        run: ./scripts/resolve_matrix.py >/dev/null
 
-  matrix-smoke:
-    name: resolve-matrix smoke
+  tests:
+    name: pytest
     runs-on: ubuntu-24.04
     steps:
       - name: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: resolve and validate matrix
-        run: ./scripts/resolve-matrix.sh | jq -e '.include | length > 0' >/dev/null
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
+      - name: run pytest
+        run: uv run pytest
 
   complete:
     if: always()
     needs:
       - json
       - dockerfile
-      - shellcheck
-      - shell
+      - python
       - matrix-smoke
+      - tests
     runs-on: ubuntu-24.04
     steps:
       - name: check upstream jobs

.github/workflows/publish.yml

@@ -28,10 +28,12 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: install check-jsonschema
-        run: pipx install check-jsonschema
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
       - name: validate builds.json
-        run: ./scripts/validate-json.sh
+        run: ./scripts/validate_json.py
       - name: scope to one cli version
         id: scope
         env:
@@ -49,7 +51,7 @@ jobs:
         env:
           STELLAR_CLI_VERSION: ${{ steps.scope.outputs.version }}
         run: |
-          matrix="$(./scripts/resolve-matrix.sh \
+          matrix="$(./scripts/resolve_matrix.py \
             --stellar-cli-version "$STELLAR_CLI_VERSION")"
           echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
 
@@ -67,10 +69,15 @@ jobs:
       - name: set up buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
+
       - name: resolve tag
         id: tag
         run: |
-          tag="$(./scripts/tag-names.sh \
+          tag="$(./scripts/tag_names.py \
             --stellar-cli-version ${{ matrix.stellar_cli_version }} \
             --rust-version ${{ matrix.rust_base_key }} \
             --platform ${{ matrix.platform }} \
@@ -162,17 +169,15 @@ jobs:
       - name: write per-arch metadata
         if: steps.skip.outputs.skipped != 'true'
         run: |
-          out="meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.json"
-          jq -n \
-            --arg arch "${{ matrix.arch }}" \
-            --arg cli "${{ matrix.stellar_cli_version }}" \
-            --arg digest "${{ steps.build.outputs.digest }}" \
-            --arg image "${{ steps.tag.outputs.image }}" \
-            --arg rust_base_key "${{ matrix.rust_base_key }}" \
-            --arg rust_version "${{ matrix.rust_version }}" \
-            --arg tag "${{ steps.tag.outputs.tag }}" \
-            '{arch: $arch, digest: $digest, image: $image, rust_base_key: $rust_base_key, rust_version: $rust_version, stellar_cli_version: $cli, tag: $tag}' \
-            > "$out"
+          ./scripts/write_metadata.py \
+            --output "meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.json" \
+            --arch "${{ matrix.arch }}" \
+            --stellar-cli-version "${{ matrix.stellar_cli_version }}" \
+            --digest "${{ steps.build.outputs.digest }}" \
+            --image "${{ steps.tag.outputs.image }}" \
+            --rust-base-key "${{ matrix.rust_base_key }}" \
+            --rust-version "${{ matrix.rust_version }}" \
+            --tag "${{ steps.tag.outputs.tag }}"
 
       - name: rename provenance bundle
         if: steps.skip.outputs.skipped != 'true'
@@ -182,31 +187,21 @@ jobs:
 
       # Skipped pairs still need metadata so the release-body composer can
       # show the full state of every declared pair, not just the freshly
-      # built ones. Queries the existing tag's manifest digest from the
-      # registry and writes the same meta-*.json shape we'd write on a
-      # fresh build (just without the SBOM/provenance files — those stay
-      # attached to the previously-published image's attestation store).
+      # built ones. Omitting --digest tells write_metadata to resolve it
+      # from the existing tag in the registry; the SBOM/provenance files
+      # are not regenerated (they stay attached to the previously-
+      # published image's attestation store).
       - name: write per-arch metadata (skipped pair)
         if: steps.skip.outputs.skipped == 'true'
         run: |
-          # `--format '{{.Manifest.Digest}}'` behaves inconsistently across
-          # the amd64 and arm64 runner images (one prints the digest, the
-          # other prints the full verbose dump), so we just parse the
-          # verbose output's "Digest:" line, which is identical on both.
-          existing_digest="$(docker buildx imagetools inspect \
-            "${{ steps.tag.outputs.image }}" \
-            | awk '/^Digest:/ {print $2; exit}')"
-          out="meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.json"
-          jq -n \
-            --arg arch "${{ matrix.arch }}" \
-            --arg cli "${{ matrix.stellar_cli_version }}" \
-            --arg digest "$existing_digest" \
-            --arg image "${{ steps.tag.outputs.image }}" \
-            --arg rust_base_key "${{ matrix.rust_base_key }}" \
-            --arg rust_version "${{ matrix.rust_version }}" \
-            --arg tag "${{ steps.tag.outputs.tag }}" \
-            '{arch: $arch, digest: $digest, image: $image, rust_base_key: $rust_base_key, rust_version: $rust_version, stellar_cli_version: $cli, tag: $tag}' \
-            > "$out"
+          ./scripts/write_metadata.py \
+            --output "meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.json" \
+            --arch "${{ matrix.arch }}" \
+            --stellar-cli-version "${{ matrix.stellar_cli_version }}" \
+            --image "${{ steps.tag.outputs.image }}" \
+            --rust-base-key "${{ matrix.rust_base_key }}" \
+            --rust-version "${{ matrix.rust_version }}" \
+            --tag "${{ steps.tag.outputs.tag }}"
 
       - name: upload release artifacts
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -232,50 +227,20 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: set up buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
       - name: login to Docker Hub
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: create manifest list per (cli, rust base) pair
         run: |
-          stellar_cli_ref="$(jq -r --arg v "$STELLAR_CLI_VERSION" \
-            '.stellar_cli_versions[] | select(.version == $v) | .ref' builds.json \
-            | head -n1)"
-          test -n "$stellar_cli_ref" \
-            || { echo "::error::no stellar_cli_versions entry for $STELLAR_CLI_VERSION"; exit 1; }
-          while IFS= read -r key; do
-            list_tag="$(./scripts/tag-names.sh \
-              --stellar-cli-version "$STELLAR_CLI_VERSION" --rust-version "$key" \
-              --stellar-cli-ref "$stellar_cli_ref")"
-            amd64_tag="$(./scripts/tag-names.sh \
-              --stellar-cli-version "$STELLAR_CLI_VERSION" --rust-version "$key" \
-              --platform linux/amd64 \
-              --stellar-cli-ref "$stellar_cli_ref")"
-            arm64_tag="$(./scripts/tag-names.sh \
-              --stellar-cli-version "$STELLAR_CLI_VERSION" --rust-version "$key" \
-              --platform linux/arm64 \
-              --stellar-cli-ref "$stellar_cli_ref")"
-            if docker buildx imagetools inspect "$REGISTRY:$list_tag" >/dev/null 2>&1; then
-              echo "::warning::manifest list $REGISTRY:$list_tag already exists; skipping (lists are immutable)"
-              {
-                echo "## ⚠️ Manifest list skipped — already published"
-                echo ""
-                echo "\`$REGISTRY:$list_tag\` was already in the registry."
-              } >> "$GITHUB_STEP_SUMMARY"
-              continue
-            fi
-            echo "::group::manifest $REGISTRY:$list_tag"
-            docker buildx imagetools create \
-              --tag "$REGISTRY:$list_tag" \
-              "$REGISTRY:$amd64_tag" \
-              "$REGISTRY:$arm64_tag"
-            echo "::endgroup::"
-          done < <(jq -r --arg v "$STELLAR_CLI_VERSION" '
-            .stellar_cli_versions[]
-            | select(.version == $v)
-            | .rust_versions[]
-          ' builds.json)
+          ./scripts/publish_manifests.py \
+            --stellar-cli-version "$STELLAR_CLI_VERSION" \
+            --registry "$REGISTRY"
 
   aliases:
     name: publish moving aliases
@@ -288,34 +253,20 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: set up buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
       - name: login to Docker Hub
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: publish :<cli> and :latest aliases
         run: |
-          source scripts/lib/common.sh
-          default_rust="$(derive_default_rust_for_cli "$STELLAR_CLI_VERSION")"
-          stellar_cli_ref="$(stellar_cli_ref_for "$STELLAR_CLI_VERSION")"
-          target_tag="$(./scripts/tag-names.sh \
+          ./scripts/publish_aliases.py \
             --stellar-cli-version "$STELLAR_CLI_VERSION" \
-            --rust-version "$default_rust" \
-            --stellar-cli-ref "$stellar_cli_ref")"
-          target="$REGISTRY:$target_tag"
-
-          echo "::group::alias $REGISTRY:$STELLAR_CLI_VERSION -> $target"
-          docker buildx imagetools create --tag "$REGISTRY:$STELLAR_CLI_VERSION" "$target"
-          echo "::endgroup::"
-
-          newest_cli="$(./scripts/newest-pair.sh --stellar-cli-version)"
-          if [ "$STELLAR_CLI_VERSION" = "$newest_cli" ]; then
-            echo "::group::alias $REGISTRY:latest -> $target"
-            docker buildx imagetools create --tag "$REGISTRY:latest" "$target"
-            echo "::endgroup::"
-          else
-            echo "cli $STELLAR_CLI_VERSION is not the newest ($newest_cli); skipping :latest"
-          fi
+            --registry "$REGISTRY"
 
   release:
     name: enrich github release with sbom and provenance
@@ -326,6 +277,10 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
       - name: download per-arch release artifacts
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
@@ -334,7 +289,7 @@ jobs:
           merge-multiple: true
       - name: compose structural body section
         run: |
-          ./scripts/release-body.sh \
+          ./scripts/release_body.py \
             --stellar-cli-version "$STELLAR_CLI_VERSION" \
             --metadata-dir release-artifacts \
             --registry "$REGISTRY" \