|
| 1 | +# Verification Runbook |
| 2 | + |
| 3 | +This page records the checks that match the current repository workflows and the local commands that were used to verify the current `develop` branch. |
| 4 | + |
| 5 | +## CI Workflow Summary |
| 6 | + |
| 7 | +The main build workflow is [`../.github/workflows/build.yml`](../.github/workflows/build.yml). |
| 8 | + |
| 9 | +It currently runs: |
| 10 | + |
| 11 | +- frontend install, lint, audit, and production build |
| 12 | +- backend dependency install, `pip check`, `compileall`, Bandit, and `pip-audit` |
| 13 | +- agent dependency install, `compileall`, Bandit, and `pip-audit` |
| 14 | +- image publishing after verification succeeds |
| 15 | + |
| 16 | +## Frontend Local Verification |
| 17 | + |
| 18 | +Use Docker to avoid host Node drift: |
| 19 | + |
| 20 | +```bash |
| 21 | +docker run --rm -v "$PWD/frontend:/app" -w /app node:20-bookworm-slim \ |
| 22 | + bash -lc 'npm ci --legacy-peer-deps --no-audit --no-fund && npm run lint && npm run build' |
| 23 | +``` |
| 24 | + |
| 25 | +Expected result: |
| 26 | + |
| 27 | +- `npm run lint` may emit warnings |
| 28 | +- the command should still exit successfully |
| 29 | +- `npm run build` should complete and produce `frontend/dist` |
| 30 | + |
| 31 | +## Backend Local Verification |
| 32 | + |
| 33 | +Fast local checks: |
| 34 | + |
| 35 | +```bash |
| 36 | +python3 -m compileall backend |
| 37 | +bandit -q -r backend/api |
| 38 | +``` |
| 39 | + |
| 40 | +Containerized dependency audit with native build packages: |
| 41 | + |
| 42 | +```bash |
| 43 | +docker run --rm -v "$PWD/backend:/app" -w /app python:3.11-slim \ |
| 44 | + bash -lc 'apt-get update >/tmp/apt.log && \ |
| 45 | + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ |
| 46 | + build-essential pkg-config libffi-dev libssl-dev libpq-dev \ |
| 47 | + default-libmysqlclient-dev libjpeg-dev zlib1g-dev libyaml-dev >/tmp/apt-install.log && \ |
| 48 | + python -m pip install --no-cache-dir pip-audit >/tmp/pip-audit-install.log && \ |
| 49 | + pip-audit -r requirements.txt --progress-spinner=off' |
| 50 | +``` |
| 51 | + |
| 52 | +Expected result: |
| 53 | + |
| 54 | +- `No known vulnerabilities found` |
| 55 | + |
| 56 | +## Agent Local Verification |
| 57 | + |
| 58 | +The CI workflow verifies the agent separately. Follow the same pattern as the backend: |
| 59 | + |
| 60 | +- install `agent/requirements.txt` |
| 61 | +- run `python -m compileall agent` |
| 62 | +- run `bandit -q -r agent` |
| 63 | +- run `pip-audit -r agent/requirements.txt --progress-spinner=off` |
| 64 | + |
| 65 | +## When Verification Fails |
| 66 | + |
| 67 | +- fix the dependency or workflow problem first |
| 68 | +- do not document a change as current behavior until the branch verifies cleanly |
| 69 | +- if a dependency bump is incompatible with the current codebase, pin it back to the last known-good version and document why in the compatibility page |
0 commit comments