test(errors,transport): regression coverage + CVE-2026-4539 fix (#122) #421
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CI: quality (lint+typecheck), test, coverage, security. | |
| # 6 jobs total. Branch protection: require quality (python), quality (web), test (python), test (web), coverage, security. | |
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'src/**' | |
| - 'scripts/**' | |
| - 'tests/**' | |
| - 'asap-compliance/**' | |
| - 'docs/**' | |
| - 'apps/web/**' | |
| - 'pyproject.toml' | |
| - 'uv.lock' | |
| - 'mkdocs.yml' | |
| - '.github/workflows/**' | |
| - '.github/actions/**' | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - 'src/**' | |
| - 'scripts/**' | |
| - 'tests/**' | |
| - 'asap-compliance/**' | |
| - 'docs/**' | |
| - 'apps/web/**' | |
| - 'pyproject.toml' | |
| - 'uv.lock' | |
| - 'mkdocs.yml' | |
| - '.github/workflows/**' | |
| - '.github/actions/**' | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| quality-python: | |
| name: quality (python) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 14 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Python | |
| uses: ./.github/actions/setup-python | |
| - name: Lint with ruff | |
| run: | | |
| uv run ruff check . --output-format=github | |
| uv run ruff format --check . | |
| - name: Type check with mypy | |
| run: uv run mypy src/ scripts/ tests/ | |
| - name: Build docs | |
| run: uv run mkdocs build | |
| quality-web: | |
| name: quality (web) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 14 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Node | |
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: 20 | |
| cache: 'npm' | |
| cache-dependency-path: apps/web/package-lock.json | |
| - name: Install dependencies | |
| run: npm ci | |
| working-directory: apps/web | |
| - name: Lint | |
| run: npm run lint | |
| working-directory: apps/web | |
| - name: Type check | |
| run: npx tsc --noEmit | |
| working-directory: apps/web | |
| test-python: | |
| name: test (python) | |
| runs-on: ubuntu-latest | |
| needs: [quality-python] | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Python | |
| uses: ./.github/actions/setup-python | |
| - name: Run tests | |
| env: | |
| PYTHONPATH: ${{ github.workspace }}/src:${{ github.workspace }} | |
| run: uv run pytest -n auto --tb=short | |
| timeout-minutes: 12 | |
| - name: Run compliance tests | |
| env: | |
| PYTHONPATH: ${{ github.workspace }}/src:${{ github.workspace }}:${{ github.workspace }}/asap-compliance | |
| run: uv run pytest asap-compliance/tests/ -q --tb=short | |
| test-web: | |
| name: test (web) | |
| runs-on: ubuntu-latest | |
| needs: [quality-web] | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Node | |
| uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 | |
| with: | |
| node-version: 20 | |
| cache: 'npm' | |
| cache-dependency-path: apps/web/package-lock.json | |
| - name: Install dependencies | |
| run: npm ci | |
| working-directory: apps/web | |
| - name: Vitest | |
| run: npm test | |
| working-directory: apps/web | |
| coverage: | |
| name: coverage | |
| runs-on: ubuntu-latest | |
| needs: [quality-python] | |
| timeout-minutes: 18 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Python | |
| uses: ./.github/actions/setup-python | |
| - name: Run tests with coverage | |
| env: | |
| PYTHONPATH: ${{ github.workspace }}/src:${{ github.workspace }} | |
| run: | | |
| for i in 1 2; do | |
| echo "Coverage attempt $i/2" | |
| if uv run pytest --tb=short --cov=asap --cov-report=xml --cov-fail-under=85; then | |
| echo "Coverage passed on attempt $i" | |
| exit 0 | |
| fi | |
| echo "Coverage attempt $i failed, retrying..." | |
| done | |
| echo "Coverage failed after 2 attempts" | |
| exit 1 | |
| timeout-minutes: 15 | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 | |
| with: | |
| files: ./coverage.xml | |
| fail_ci_if_error: false | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| security: | |
| name: security | |
| runs-on: ubuntu-latest | |
| needs: [quality-python] | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Python | |
| uses: ./.github/actions/setup-python | |
| with: | |
| # Omit extras whose transitive deps have no OSV fix on PyPI (diskcache, nltk). | |
| sync-flags: --no-extra crewai --no-extra llamaindex | |
| # Pygments 2.19.2 is the latest PyPI release; OSV reports CVE-2026-4539 with no fix published yet. | |
| - name: Scan for vulnerabilities (pip-audit) | |
| run: uv run pip-audit --ignore-vuln CVE-2026-4539 | |
| - name: Scan for security issues (bandit) | |
| run: uv run bandit -r src/ -ll |