Restructure CI/CD pipeline and fix PyPI publishing

.codecov.yml

@@ -0,0 +1,12 @@
+coverage:
+  status:
+    project:
+      default:
+        informational: true
+    patch:
+      default:
+        informational: true
+
+comment:
+  layout: "condensed_header, condensed_files"
+  behavior: default

.github/workflows/pipeline.yaml

@@ -63,6 +63,7 @@ jobs:
               national_epochs=int('${NATIONAL_EPOCHS}'),
               num_workers=int('${NUM_WORKERS}'),
               skip_national='${SKIP_NATIONAL}' == 'true',
+              scope='${SCOPE}',
           )
           print(f'Pipeline spawned. Monitor on the Modal dashboard.')
           "

.github/workflows/pr.yaml

@@ -0,0 +1,103 @@
+name: PR checks
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  check-fork:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if PR is from fork
+        run: |
+          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+            echo "::error::PRs must be from branches in PolicyEngine/policyengine-us-data, not forks."
+            echo "Fork PRs cannot access secrets required for data downloads."
+            echo "Please close this PR and push your branch directly to the upstream repo."
+            exit 1
+          fi
+
+  check-lock-freshness:
+    runs-on: ubuntu-latest
+    needs: check-fork
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - uses: astral-sh/setup-uv@v5
+      - name: Check lock file is up-to-date
+        run: |
+          uv lock --locked || {
+            echo "::error::uv.lock is outdated. Run 'uv lock' and commit the changes."
+            exit 1
+          }
+
+  lint:
+    runs-on: ubuntu-latest
+    needs: check-fork
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install ruff
+        run: pip install ruff>=0.9.0
+      - name: Check formatting
+        run: ruff format --check .
+
+  check-changelog:
+    runs-on: ubuntu-latest
+    needs: check-fork
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check for changelog fragment
+        run: |
+          FRAGMENTS=$(find changelog.d -type f ! -name '.gitkeep' | wc -l)
+          if [ "$FRAGMENTS" -eq 0 ]; then
+            echo "::error::No changelog fragment found in changelog.d/"
+            echo "Add one with: echo 'Description.' > changelog.d/\$(git branch --show-current).<type>.md"
+            echo "Types: added, changed, fixed, removed, breaking"
+            exit 1
+          fi
+
+  unit-tests:
+    runs-on: ubuntu-latest
+    needs: [check-fork, lint]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - uses: astral-sh/setup-uv@v5
+      - name: Install package
+        run: uv sync --dev
+      - name: Run unit tests with coverage
+        env:
+          HUGGING_FACE_TOKEN: ${{ secrets.HUGGING_FACE_TOKEN }}
+        run: >
+          uv run pytest policyengine_us_data/tests/unit/
+          --cov=policyengine_us_data
+          --cov-report=xml
+          -v
+      - name: Upload coverage to Codecov
+        if: always()
+        uses: codecov/codecov-action@v4
+        with:
+          file: coverage.xml
+          flags: unit
+          fail_ci_if_error: false
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+  smoke-test:
+    runs-on: ubuntu-latest
+    needs: [check-fork, lint]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Install package (no dev deps)
+        run: python -m pip install .
+      - name: Test basic import
+        run: python -c "import policyengine_us_data; print('Minimal import OK')"
+      - name: Test core import
+        run: python -c "from policyengine_core.data import Dataset; print('Core import OK')"