ci: harden CI/security pipelines, add smoke workflow and reference implementations #4
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d8b474fc65
| readme = "README.md" | ||
| license = {text = "MIT"} | ||
| requires-python = ">=3.11" | ||
| requires-python = ">=3.9" |
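Review bot: the lower bound on the last line of this hunk drops from ">=3.11" to ">=3.9" with nothing next to it recording why or what verifies it. Add a short comment above requires-python naming the CI lane that exercises the lowest advertised version, so the metadata and the tested matrix cannot drift apart unnoticed.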
Keep minimum Python version aligned with runtime syntax
Lowering requires-python to 3.9 advertises support that the codebase does not currently have: modules such as kernels/execution/dispatcher.py use PEP 604 unions (e.g. ToolCall | dict[str, Any]) without from __future__ import annotations, which raises TypeError during import on Python 3.9. This means users installing on 3.9 (now allowed by metadata) and the new 3.9 CI lane will fail at runtime/import time rather than getting a compatible build.
Useful? React with 👍 / 👎.
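A static check for the failure this comment describes, as an added example that is not part of the PR or the project's code: it lists the lines where an X | Y annotation is evaluated at runtime in a module that lacks from __future__ import annotations. The names eager_pep604_lines and SAMPLE, and the sample source itself, are constructed for illustration.

```python
import ast

class _EagerUnions(ast.NodeVisitor):
    """Collect lines where an `X | Y` annotation is evaluated at runtime."""
    def __init__(self):
        self.lines, self.in_function = set(), 0
    def _check(self, annotation):
        for node in ast.walk(annotation) if annotation is not None else ():
            if isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitOr):
                self.lines.add(node.lineno)

    def visit_FunctionDef(self, node):
        a = node.args  # parameter/return annotations run when `def` executes
        params = [*a.posonlyargs, *a.args, *a.kwonlyargs, a.vararg, a.kwarg]
        for ann in [node.returns, *(p.annotation for p in params if p is not None)]:
            self._check(ann)
        self.in_function += 1
        self.generic_visit(node)
        self.in_function -= 1
    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_ClassDef(self, node):
        saved, self.in_function = self.in_function, 0  # class bodies do evaluate
        self.generic_visit(node)
        self.in_function = saved

    def visit_AnnAssign(self, node):
        if not self.in_function:  # annotations on function locals never run
            self._check(node.annotation)
        self.generic_visit(node)

def eager_pep604_lines(source):
    """Return lines whose union annotations can raise TypeError on Python 3.9."""
    tree = ast.parse(source)
    for stmt in tree.body:  # the PEP 563 import defers every annotation
        if isinstance(stmt, ast.ImportFrom) and stmt.module == "__future__":
            if any(alias.name == "annotations" for alias in stmt.names):
                return []
    finder = _EagerUnions()
    finder.visit(tree)
    return sorted(finder.lines)

# Constructed sample, modelled on the union quoted in the review comment.
SAMPLE = '''class ToolCall: ...
def dispatch(call: ToolCall | dict[str, object]) -> None:
    pending: ToolCall | None = None  # function local, never evaluated
class Queue:
    head: ToolCall | None = None
'''
```

Run over each file in the package in the lowest-version CI lane, a non-empty result fails the build before an import error reaches users.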
| storage = SQLiteAuditStorage(".tmp/smoke/audit.db") | ||
| storage.append("kernel-smoke", entry) |
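Review bot: the database path on the first line, ".tmp/smoke/audit.db", is fixed and relative, so the check depends on the caller's working directory and on whatever file an earlier run left behind. Create the database under a fresh temporary directory for each run and remove it when the script exits, so every run starts from an empty store.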
Make smoke SQLite check repeatable across runs
The smoke script always writes to .tmp/smoke/audit.db and inserts the same primary key (kernel-smoke, ledger_seq=1), so a second run in the same workspace raises sqlite3.IntegrityError and aborts because set -e is enabled. This makes ./scripts/smoke.sh non-idempotent for local/dev reruns and any environment that reuses the workspace.
Useful? React with 👍 / 👎.
Motivation
Description
- .github/workflows/ci.yml to a multi-version Python matrix (3.9–3.12) and added steps for ruff lint/format checks, mypy over kernels and implementations, bandit security scan, coverage-enforced pytest, smoke script execution, and package build verification via python -m build.
- .github/workflows/security.yml enhancements for scheduled CodeQL, dependency review, vulnerability scans (safety, pip-audit), and a gitleaks secret-scanning job, and adjusted .github/workflows/release.yml to include workflow_dispatch and twine check verification.
- .github/workflows/smoke.yml for on-demand/manual/PR smoke runs that executes ./scripts/smoke.sh.
- implementations/permits_threadsafe.py (TTL-aware, thread-safe nonce registry with stats()) and implementations/storage.py (SQLite-backed audit storage with append(), list_entries(), and health()).
- tests/test_reference_implementations.py to validate concurrency, max-execution enforcement, TTL cleanup, SQLite persistence, and health diagnostics, and extended scripts/smoke.sh to exercise these implementations and set PYTHONPATH for local runs.
- Makefile with new targets (format-check, dep-scan, smoke, build), lowered requires-python to >=3.9 in pyproject.toml, and added changelog entries describing the changes.
Testing
- ruff check implementations/permits_threadsafe.py implementations/storage.py tests/test_reference_implementations.py and the checks passed for the modified files.
- ruff format and then verified with ruff format --check for the same files (formatting applied where needed and check passed).
- mypy implementations/permits_threadsafe.py implementations/storage.py --follow-imports=skip and it reported no issues for the new implementations.
- pytest tests/test_reference_implementations.py -q and all tests passed (4 passed).
- ./scripts/smoke.sh locally and it completed successfully exercising examples, the nonce registry, and SQLite storage.
- bandit, safety, pip-audit, build, twine) in this execution environment were blocked by package/index/proxy restrictions, so full repo-wide CI gates (lint across the whole repo, full mypy kernels, and coverage enforcement with pytest-cov) are configured in workflows but could not be fully validated here.
Codex Task