CI Integration¶
Status: Available in ETLantic 0.14.0.
Validate without executing transformation code and publish SARIF diagnostics.
Development / local CI¶
etlantic validate package.pipeline:CustomerPipeline \
--profile development --format sarif > etlantic.sarif
etlantic plan package.pipeline:CustomerPipeline \
--profile development --format json > pipeline-plan.json
Production profile (explicit allowlist)¶
The built-in --profile production template is intentionally empty and
fail-closed: it requires a non-empty plugin_allowlist and resolved
bindings. Do not use the bare name for CI until you supply a real profile.
Write a JSON profile (secret-free) and pass its path:
from etlantic import Profile, write_profile
write_profile(
Profile(
name="ci-production",
dataframe_engine="local",
security_domain="production",
validation_policy="strict",
plugin_allowlist={
"local": None,
# "polars": "==0.14.0",
},
bindings={
# Logical binding name → provider key or descriptor name
# "customer_source": "json",
},
),
"profiles/ci-production.json",
)
etlantic validate package.pipeline:CustomerPipeline \
--profile profiles/ci-production.json --format sarif > etlantic.sarif
etlantic plan package.pipeline:CustomerPipeline \
--profile profiles/ci-production.json --format json > pipeline-plan.json
--profile accepts a built-in name or a path to a .json profile file
loaded via load_profile.
Treat the plan as build metadata: it is secret-free, but may reveal pipeline structure and resource names.
Recommended gates:
- Pin ETLantic and official plugins to one tested release (
==0.14.0). - Validate every changed pipeline with an explicit allowlisted profile.
- Generate contracts and fail on unexpected diffs.
- Upload SARIF through the CI platform's supported integration.
- Compile orchestrator artifacts only from a valid plan.
- Never resolve runtime secrets during validation or planning.
See diagnostics, security, runtime configuration, and production profiles.