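---
# CI for the airlock project: lint, static security scanning, tests on a
# Python matrix, DCO sign-off enforcement on pull requests, a Docker image
# build and the JS workspace build.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master

# Default GITHUB_TOKEN scope for every job is read-only; a job that needs
# more (the SARIF upload in `security`) widens it explicitly.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Actions are referenced by major-version tag; pinning each `uses:` to
      # a full commit SHA would make these supply-chain references immutable.
      - uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install
        run: pip install -e ".[dev]"
      - name: Ruff lint
        run: ruff check airlock tests examples
      - name: Ruff format
        run: ruff format --check airlock tests examples
      # Type errors surface as a workflow warning rather than failing the job.
      - name: Mypy
        run: mypy airlock || echo "::warning::mypy found type errors — see above for details"

  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed to publish the Bandit SARIF to the repository's code-scanning
      # view; a fork PR's token lacks it, which continue-on-error absorbs.
      security-events: write
    steps:
      - uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install
        run: pip install -e ".[dev,redis,a2a]" bandit pip-audit
      # Bandit exits non-zero on any finding; the SARIF is produced for
      # visibility only, the HIGH-severity gate below decides pass/fail.
      - name: Bandit (security linter)
        run: bandit -r airlock -c pyproject.toml -f sarif -o bandit-results.sarif || true
      - name: Upload Bandit SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: bandit-results.sarif
          category: bandit
        continue-on-error: true
      # Fails the job only on HIGH-severity findings; if bandit did not write
      # the JSON at all, the open() below raises and the step fails closed.
      - name: Bandit (check for HIGH severity)
        run: |
          bandit -r airlock -c pyproject.toml -f json -o bandit-check.json || true
          python -c "
          import json, sys
          with open('bandit-check.json') as f:
              data = json.load(f)
          results = data.get('results', [])
          high = [r for r in results if r['issue_severity'] == 'HIGH']
          if high:
              for r in high:
                  print(f\"HIGH: {r['issue_text']} at {r['filename']}:{r['line_number']}\")
              print(f'FAIL: {len(high)} HIGH severity findings')
              sys.exit(1)
          print(f'OK: No HIGH severity findings ({len(results)} total)')
          "
      # Known-vulnerable dependencies are reported as a warning, not a failure.
      - name: pip-audit (dependency vulnerabilities)
        run: pip-audit || echo "::warning::pip-audit found vulnerabilities — review output above"

  test:
    runs-on: ubuntu-latest
    needs:
      - lint
    strategy:
      matrix:
        python-version:
          - "3.11"
          - "3.12"
    steps:
      - uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install
        run: pip install -e ".[dev,redis,a2a]" pytest-cov
      - name: Test with coverage
        run: python -m pytest tests/ -v --tb=short --cov=airlock --cov-report=term-missing --cov-report=xml
      # Only one matrix leg publishes the report so the artifact name is unique.
      - name: Upload coverage
        if: matrix.python-version == '3.12'
        uses: actions/upload-artifact@v7
        with:
          name: coverage-report
          path: coverage.xml

  dco:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v6
        with:
          # Full history so every commit in the PR range can be inspected.
          fetch-depth: 0
      # Every commit between the PR base and head must carry a Signed-off-by
      # trailer. The SHAs are handed to the script through env rather than
      # inline ${{ }} interpolation so the shell never parses expression text
      # directly (these values are fixed-format SHAs, so this is hygiene
      # rather than a live injection path).
      - name: DCO check
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          base="$BASE_SHA"
          head="$HEAD_SHA"
          failed=0
          for sha in $(git rev-list "$base".."$head"); do
            msg=$(git log -1 --format=%B "$sha")
            if ! echo "$msg" | grep -qi "Signed-off-by:"; then
              echo "FAIL: Commit $sha missing Signed-off-by"
              failed=1
            fi
          done
          if [ "$failed" -eq 1 ]; then
            echo ""
            echo "All commits must include a DCO sign-off."
            echo "Use: git commit -s -m 'your message'"
            echo "See: https://developercertificate.org/"
            exit 1
          fi
          echo "OK: All commits have DCO sign-off"

  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      # Build only; the image is not pushed anywhere from CI.
      - name: Docker build (gateway image)
        run: docker build -t airlock-gateway:ci .

  js:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: "20"
          cache: npm
      # npm ci installs exactly what the lockfile records.
      - name: Install npm workspaces
        run: npm ci
      - name: Build TypeScript SDK + MCP
        run: npm run build:js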