ci: upgrade to comprehensive CI/CD pipeline

- Add concurrency control to cancel in-progress runs
- Add dependency-review job for PR security scanning
- Split test and lint into separate parallel jobs
- Add coverage-gate job to enforce minimum coverage
- Enable pip caching for faster builds
- Upload coverage reports to Codecov
- Use fail-fast: false for complete matrix results

Refs: gemmology-dev/cdl-parser

Author: Bissbert

.github/workflows/ci.yml

@@ -6,10 +6,30 @@ on:
   pull_request:
     branches: [main]
 
+# Cancel in-progress runs for the same branch
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
+  # Dependency review for PRs (security check)
+  dependency-review:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          # Deny licenses that are incompatible with MIT
+          deny-licenses: GPL-3.0, AGPL-3.0
+
+  # Test across Python versions
   test:
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
         python-version: ['3.10', '3.11', '3.12']
 
@@ -20,16 +40,72 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+          cache: 'pip'
 
       - name: Install dependencies
-        run: |
-          pip install -e ".[dev]"
+        run: pip install -e ".[dev]"
+
+      - name: Run tests with coverage
+        run: pytest --cov=src/cdl_parser --cov-report=xml --cov-report=term-missing -v
+
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.11'
+        uses: codecov/codecov-action@v4
+        with:
+          files: ./coverage.xml
+          flags: cdl-parser
+          name: cdl-parser-py311
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  # Lint and type check
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install ruff mypy
+
+      - name: Lint with Ruff
+        run: ruff check . --output-format=github
 
-      - name: Lint
-        run: ruff check .
+      - name: Check formatting with Ruff
+        run: ruff format --check .
 
-      - name: Type check
+      - name: Type check with mypy
         run: mypy src/
 
-      - name: Test
-        run: pytest --cov
+  # Coverage gate - enforce minimum coverage
+  coverage-gate:
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: |
+          pip install pytest pytest-cov
+          pip install -e .
+
+      - name: Check coverage threshold
+        # Target: 80%, Current threshold: 60% (incrementally increasing)
+        run: pytest --cov=src/cdl_parser --cov-report=term-missing --cov-fail-under=60
+
+      - name: Coverage report
+        run: |
+          echo "## Coverage Report" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Current threshold: **60%** (Target: 80%)" >> $GITHUB_STEP_SUMMARY