Skip to content

Epic 7.2: SkillGuard Quality Gates + Blocklist Hardening #103

Epic 7.2: SkillGuard Quality Gates + Blocklist Hardening

Epic 7.2: SkillGuard Quality Gates + Blocklist Hardening #103

Workflow file for this run

name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
lint:
name: Lint & Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.13"
- name: Install ruff
run: pip install ruff==0.11.12
- name: Ruff lint check
run: ruff check .
- name: Ruff format check
run: ruff format --check .
test:
name: Test & Coverage
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.13"
- name: Install dependencies
run: |
pip install -e ".[dev]"
pip install pytest-timeout==2.4.0 pytest-cov==6.2.1
- name: Run tests with coverage
run: |
python -m pytest tests/ -v \
--timeout=30 \
--cov=openspace \
--cov-report=term-missing \
--cov-report=xml \
--cov-fail-under=20
- name: Upload coverage report
uses: actions/upload-artifact@v4
if: always()
with:
name: coverage-report
path: coverage.xml
typecheck:
name: Type Check (mypy)
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.13"
- name: Install mypy
run: pip install mypy==1.16.0
- name: Run mypy
run: mypy openspace/ --ignore-missing-imports
dependency-audit:
name: Dependency Audit (pip-audit)
runs-on: ubuntu-latest
# SECURITY: pip-audit MUST block merge on known vulnerabilities.
# Removed continue-on-error per /8eyes security audit finding.
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.13"
- name: Install pip-audit
run: pip install "pip-audit>=2.7.0,<3"
- name: Audit dependencies
run: |
pip install -e ".[dev]" --quiet
pip-audit --strict --desc on --skip-editable