Release v5.3.3: SSH policy fix (revert AutoAddPolicy default + add --ssh-tofu opt-in) #52
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
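# CI for the hardax package: syntax/import check, wheel install smoke test,
# and validation of the bundled hardax/commands/*.json check definitions.
#
# Security posture visible in this file:
#   - the workflow token is limited to `contents: read`;
#   - third-party actions are pinned to full commit SHAs (tag kept as a comment);
#   - the trigger is `pull_request`, not `pull_request_target`. These jobs execute
#     code taken from the pull request (python -m hardax, python -m build), so the
#     trigger must stay that way and no secrets should be added to these jobs.
#
# NOTE(review): every job here is a syntax, packaging or data-format check.
# Nothing in this file runs behavioural tests.
name: CI

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]

permissions:
  contents: read

jobs:
  syntax:
    name: Python syntax & import check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # No later step needs git credentials, so do not leave the token in .git/config.
          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.10"
      - name: Parse hardax package
        run: python -c "import ast; ast.parse(open('hardax/__init__.py').read()); print('AST OK')"
      - name: Show version (module mode)
        run: python -m hardax --version
      - name: Help text renders (module mode)
        run: python -m hardax --help > /dev/null

  install-test:
    name: pip install smoke test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # No later step needs git credentials, so do not leave the token in .git/config.
          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.10"
      - name: Build wheel
        run: |
          python -m pip install --upgrade pip build
          python -m build
      - name: Install built wheel
        run: |
          python -m pip install dist/*.whl
      - name: Console command runs
        run: |
          hardax --version
          hardax --help > /dev/null
      - name: Bundled checks load via console command
        run: |
          # No --json or --json-dir means hardax should find its bundled commands/.
          # Without a device it will fail at adb step; we only need the load to succeed.
          python -c "
          import hardax, os
          pkg_dir = os.path.dirname(hardax.__file__)
          assert os.path.isdir(os.path.join(pkg_dir, 'commands')), 'commands/ not bundled'
          assert os.path.isfile(os.path.join(pkg_dir, 'templates', 'report.html')), 'templates/report.html not bundled'
          print('Bundled data OK')
          "

  json-checks:
    name: Validate hardax/commands/*.json
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # No later step needs git credentials, so do not leave the token in .git/config.
          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.10"
      - name: Validate each JSON file is parseable
        run: |
          set -e
          for f in hardax/commands/*.json; do
            # The file name is passed as an argument, never pasted into the Python
            # source: file names come from the checked-out tree (which a pull
            # request controls), and a quote in a name would otherwise be parsed
            # as code.
            python -c "import json,sys; json.load(open(sys.argv[1])); print('OK: ' + sys.argv[1])" "$f"
          done
      - name: Validate required fields and regex patterns
        run: |
          python - <<'PY'
          import json, re, sys, glob

          # Every check entry must carry these keys.
          required = {"category","label","command","safe_pattern","level","description"}
          fail = 0
          for path in sorted(glob.glob("hardax/commands/*.json")):
              with open(path, encoding="utf-8") as fh:
                  data = json.load(fh)
              # A file is either {"checks": [...]} or a bare list of checks.
              checks = data["checks"] if isinstance(data, dict) and "checks" in data else data
              for i, c in enumerate(checks, 1):
                  if not isinstance(c, dict):
                      # Report a malformed entry as a validation failure instead of a traceback.
                      print(f"FAIL {path}#{i}: entry is not a JSON object")
                      fail += 1
                      continue
                  missing = required - set(c.keys())
                  if missing:
                      print(f"FAIL {path}#{i}: missing {sorted(missing)}")
                      fail += 1
                  pat = c.get("safe_pattern", "")
                  # An empty safe_pattern is skipped, not rejected.
                  # NOTE(review): confirm an empty pattern is a legitimate value for a check.
                  if pat:
                      try:
                          # This proves only that the pattern compiles. It does not catch an
                          # over-broad pattern (for example one that matches any output and so
                          # reports every result as safe); with DOTALL, '.' also spans newlines.
                          # NOTE(review): presumably these flags mirror how hardax applies
                          # safe_pattern at runtime - confirm against the package.
                          re.compile(pat, re.IGNORECASE | re.MULTILINE | re.DOTALL)
                      except re.error as e:
                          print(f"FAIL {path}#{i} [{c.get('label','?')}]: invalid regex: {e}")
                          fail += 1
          if fail:
              sys.exit(f"{fail} check(s) failed validation")
          print("All checks valid.")
          PY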