chore(deps): bump actions/upload-artifact from 4 to 5 #20
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI (uv) | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| # Cancel redundant runs per-branch/PR | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # Least-privilege for the jobs below | |
| permissions: | |
| contents: read | |
| jobs: | |
| test: | |
| name: Test / Lint / Typecheck (uv) | |
| runs-on: ubuntu-latest | |
| # Write perms only where needed | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - python-version: "3.11" | |
| experimental: false | |
| - python-version: "3.12" | |
| experimental: false | |
| - python-version: "3.13" | |
| experimental: false | |
| - python-version: "3.14" # treat 3.14 as experimental so CI doesn't block if it breaks | |
| experimental: true | |
| continue-on-error: ${{ matrix.experimental }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v4 | |
| with: | |
| enable-cache: true | |
| - name: Set up Python | |
| run: uv python install ${{ matrix.python-version }} | |
| # Ensure dev tools (ruff, mypy, pytest, bandit, safety, pytest-cov) are declared in pyproject dev deps. | |
| - name: Sync dependencies | |
| run: uv sync --all-extras --dev | |
| - name: Lint (ruff) | |
| run: uv run ruff check . | |
| - name: Typecheck (mypy) | |
| run: uv run mypy src | |
| - name: Tests (pytest) | |
| run: uv run pytest --cov --cov-report=xml --cov-report=html | |
| - name: Dangerous API scan (grep) | |
| continue-on-error: true | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| if grep -R --line-number -E "\beval\(|\bexec\(|pickle\.loads|yaml\.load(?!_safe)|subprocess\.(Popen|call)" src/ tests/ || true; then | |
| echo "⚠️ Potentially dangerous API usage detected. Please review." >&2 | |
| exit 2 | |
| fi | |
| - name: Upload coverage.xml | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: coverage-${{ matrix.python-version }} | |
| path: coverage.xml | |
| - name: Upload coverage HTML | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: coverage-html-${{ matrix.python-version }} | |
| path: htmlcov | |
| # Upload Codecov once to avoid noisy duplicate uploads | |
| - name: Upload to Codecov | |
| if: matrix.python-version == '3.11' | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| files: coverage.xml | |
| flags: unittests | |
| fail_ci_if_error: false | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| security: | |
| name: Security Scan (Bandit + Safety) | |
| runs-on: ubuntu-latest | |
| needs: test | |
| # Grant code scanning upload only here | |
| permissions: | |
| contents: read | |
| security-events: write | |
| env: | |
| SECURITY_FAIL_LEVEL: MEDIUM | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v4 | |
| with: | |
| enable-cache: true | |
| - name: Set up Python | |
| run: uv python install 3.11 | |
| - name: Sync dependencies | |
| run: uv sync --all-extras --dev | |
| - name: Run Bandit (JSON + SARIF) | |
| run: | | |
| uv run bandit -r src/ -f json -o bandit-report.json || true | |
| uv run bandit -r src/ -f sarif -o bandit-report.sarif || true | |
| - name: Upload Bandit SARIF to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: bandit-report.sarif | |
| continue-on-error: true | |
| - name: Run Safety (JSON) | |
| run: uv run safety check --json > safety-report.json || true | |
| - name: Apply Bandit threshold | |
| run: uv run python scripts/security_bandit_check.py | |
| continue-on-error: true | |
| - name: Fail on Safety vulnerabilities | |
| run: uv run python scripts/security_safety_check.py | |
| - name: Upload security reports | |
| if: always() | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: security-reports | |
| path: | | |
| bandit-report.json | |
| bandit-report.sarif | |
| safety-report.json |