ci.yml
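# CI workflow: lint, security scan, tests, DCO sign-off check, Docker build
# and JS build. Runs on pushes and pull requests targeting main/master.
#
# NOTE(review): every `uses:` below references a mutable tag (v4, v5, v7).
# A tag can be moved by whoever controls the action's repository; pinning
# each action to a full commit SHA (with the tag kept as a trailing comment)
# removes that supply-chain dependency. The SHAs are not recorded here and
# must be looked up from the upstream repositories.
name: CI

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least privilege: the workflow token can only read repository contents.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Later steps install and run code from the checked-out tree; do not
          # leave the workflow token in .git/config where that code can read it.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install
        run: pip install -e ".[dev]"
      - name: Ruff lint
        run: ruff check airlock tests examples
      - name: Ruff format
        run: ruff format --check airlock tests examples
      - name: Mypy
        # Non-blocking by design: a mypy failure is downgraded to a warning
        # annotation, so type errors never fail this job.
        run: mypy airlock || echo "::warning::mypy found type errors — see above for details"

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install
        # NOTE(review): bandit and pip-audit are installed unpinned, so the
        # scanner version can change between runs.
        run: pip install -e ".[dev,redis,a2a]" bandit pip-audit
      - name: Bandit (security linter)
        run: bandit -r airlock -c pyproject.toml
      - name: pip-audit (dependency vulnerabilities)
        # Audits the packages installed in the job's Python environment.
        run: pip-audit

  test:
    runs-on: ubuntu-latest
    needs: [lint]
    strategy:
      matrix:
        # Quoted so the versions stay strings ("3.10" would otherwise be 3.1).
        python-version: ["3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install
        run: pip install -e ".[dev,redis,a2a]" pytest-cov
      - name: Test with coverage
        run: python -m pytest tests/ -v --tb=short --cov=airlock --cov-report=term-missing --cov-report=xml
      - name: Upload coverage
        # Only one matrix leg uploads, so the artifact name is not contended.
        if: matrix.python-version == '3.12'
        uses: actions/upload-artifact@v7
        with:
          name: coverage-report
          path: coverage.xml

  dco:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history is needed so the base..head range can be walked.
          fetch-depth: 0
          persist-credentials: false
      - name: DCO check
        # Event data is passed through the environment instead of being
        # expanded into the script text, so the shell only ever sees it as
        # quoted variable values.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          failed=0
          for sha in $(git rev-list "$BASE_SHA".."$HEAD_SHA"); do
            msg=$(git log -1 --format=%B "$sha")
            # Anchored to the start of a line: a sign-off is a trailer line,
            # so prose that merely mentions the phrase does not satisfy it.
            # printf is used because echo may interpret a message that
            # starts with an option-like string.
            if ! printf '%s\n' "$msg" | grep -qi '^Signed-off-by:'; then
              echo "FAIL: Commit $sha missing Signed-off-by"
              failed=1
            fi
          done
          if [ "$failed" -eq 1 ]; then
            echo ""
            echo "All commits must include a DCO sign-off."
            echo "Use: git commit -s -m 'your message'"
            echo "See: https://developercertificate.org/"
            exit 1
          fi
          echo "OK: All commits have DCO sign-off"

  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The build context is the repository root; keep the workflow token
          # out of .git so it cannot end up in the context or an image layer.
          persist-credentials: false
      - name: Docker build (gateway image)
        run: docker build -t airlock-gateway:ci .

  js:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
      - name: Install npm workspaces
        # npm ci installs exactly what the lockfile records.
        run: npm ci
      - name: Build TypeScript SDK + MCP
        run: npm run build:js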