Skip to content
CI

feat: add OAuth 2.1 authorization server module #52

Sign in to view logs

feat: add OAuth 2.1 authorization server module

feat: add OAuth 2.1 authorization server module #52

Workflow file for this run

.github/workflows/ci.yml at 005cbe2
name: CI
on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install
run: pip install -e ".[dev]"
- name: Ruff lint
run: ruff check airlock tests examples
- name: Ruff format
run: ruff format --check airlock tests examples
- name: Mypy
run: mypy airlock || echo "::warning::mypy found type errors — see above for details"
security:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install
run: pip install -e ".[dev,redis,a2a]" bandit pip-audit
- name: Bandit (security linter)
run: bandit -r airlock -c pyproject.toml -f sarif -o bandit-results.sarif || true
- name: Upload Bandit SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: bandit-results.sarif
category: bandit
continue-on-error: true
- name: Bandit (check for HIGH severity)
run: |
bandit -r airlock -c pyproject.toml -f json -o bandit-check.json || true
python -c "
import json, sys
with open('bandit-check.json') as f:
data = json.load(f)
results = data.get('results', [])
high = [r for r in results if r['issue_severity'] == 'HIGH']
if high:
for r in high:
print(f\"HIGH: {r['issue_text']} at {r['filename']}:{r['line_number']}\")
print(f'FAIL: {len(high)} HIGH severity findings')
sys.exit(1)
print(f'OK: No HIGH severity findings ({len(results)} total)')
"
- name: pip-audit (dependency vulnerabilities)
run: pip-audit || echo "::warning::pip-audit found vulnerabilities — review output above"
test:
runs-on: ubuntu-latest
needs: [lint]
strategy:
matrix:
python-version: ["3.11", "3.12"]
steps:
- uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install
run: pip install -e ".[dev,redis,a2a]" pytest-cov
- name: Test with coverage
run: python -m pytest tests/ -v --tb=short --cov=airlock --cov-report=term-missing --cov-report=xml
- name: Upload coverage
if: matrix.python-version == '3.12'
uses: actions/upload-artifact@v7
with:
name: coverage-report
path: coverage.xml
dco:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- name: DCO check
run: |
base=${{ github.event.pull_request.base.sha }}
head=${{ github.event.pull_request.head.sha }}
failed=0
for sha in $(git rev-list "$base".."$head"); do
msg=$(git log -1 --format=%B "$sha")
if ! echo "$msg" | grep -qi "Signed-off-by:"; then
echo "FAIL: Commit $sha missing Signed-off-by"
failed=1
fi
done
if [ "$failed" -eq 1 ]; then
echo ""
echo "All commits must include a DCO sign-off."
echo "Use: git commit -s -m 'your message'"
echo "See: https://developercertificate.org/"
exit 1
fi
echo "OK: All commits have DCO sign-off"
docker-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Docker build (gateway image)
run: docker build -t airlock-gateway:ci .
js:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: "20"
cache: npm
- name: Install npm workspaces
run: npm ci
- name: Build TypeScript SDK + MCP
run: npm run build:js