anhmtk
diff --git a/‎.github/dependabot.yml‎
Lines changed: 25 additions & 41 deletions b/‎.github/dependabot.yml‎
Lines changed: 25 additions & 41 deletions
diff --git a/‎.github/workflows/attic-dryrun.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/attic-dryrun.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/ci-smoke.yml‎
Lines changed: 65 additions & 0 deletions b/‎.github/workflows/ci-smoke.yml‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎.github/workflows/cleanup-audit.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/cleanup-audit.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/costs-report.yml‎
Lines changed: 37 additions & 0 deletions b/‎.github/workflows/costs-report.yml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎.github/workflows/gitleaks.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/gitleaks.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.gitignore‎
214 Bytes b/‎.gitignore‎
214 Bytes
diff --git a/‎.gitleaks.toml‎
Lines changed: 1 addition & 1 deletion b/‎.gitleaks.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.sandbox/config/env/dev.yaml‎
Lines changed: 0 additions & 42 deletions b/‎.sandbox/config/env/dev.yaml‎
Lines changed: 0 additions & 42 deletions
diff --git a/‎.sandbox/config/env/prod.yaml‎
Lines changed: 0 additions & 57 deletions b/‎.sandbox/config/env/prod.yaml‎
Lines changed: 0 additions & 57 deletions
@@ -1,23 +1,33 @@
 version: 2
 updates:
-  # Enable version updates for Python dependencies
+  # GitHub Actions – weekly để giảm nhiễu
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+    open-pull-requests-limit: 2
+    commit-message:
+      prefix: "deps(actions)"
+      include: "scope"
+    groups:
+      gha-minors:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  # Python (nếu có pyproject/requirements)
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "monday"
-      time: "09:00"
-    open-pull-requests-limit: 10
-    reviewers:
-      - "stillme-ai/security-team"
-    assignees:
-      - "stillme-ai/maintainers"
+      time: "06:30"
+    open-pull-requests-limit: 2
     commit-message:
-      prefix: "chore(deps)"
+      prefix: "deps(pip)"
       include: "scope"
-    labels:
-      - "dependencies"
-      - "python"
+    insecure-external-code-execution: "deny"
     ignore:
       # Ignore major version updates for critical dependencies
       - dependency-name: "fastapi"
@@ -27,40 +37,14 @@ updates:
       - dependency-name: "pydantic"
         update-types: ["version-update:semver-major"]
 
-  # Enable version updates for GitHub Actions
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-      time: "09:00"
-    open-pull-requests-limit: 5
-    reviewers:
-      - "stillme-ai/security-team"
-    assignees:
-      - "stillme-ai/maintainers"
-    commit-message:
-      prefix: "chore(ci)"
-      include: "scope"
-    labels:
-      - "dependencies"
-      - "github-actions"
-
-  # Enable version updates for Docker dependencies
+  # Docker dependencies
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "monday"
-      time: "09:00"
-    open-pull-requests-limit: 5
-    reviewers:
-      - "stillme-ai/security-team"
-    assignees:
-      - "stillme-ai/maintainers"
+      time: "07:00"
+    open-pull-requests-limit: 2
     commit-message:
-      prefix: "chore(docker)"
+      prefix: "deps(docker)"
       include: "scope"
-    labels:
-      - "dependencies"
-      - "docker"
@@ -8,9 +8,15 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   attic-dryrun:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
@@ -0,0 +1,65 @@
+name: CI – Smoke
+
+on:
+  pull_request:
+    paths:
+      - "tests/test_*smoke*.py"
+      - "tests/test_*canary*.py"
+      - "pytest.ini"
+      - "stillme_core/**"
+      - "agent_dev/**"
+      - "framework.py"
+  push:
+    branches: [ main ]
+    paths:
+      - "tests/test_*smoke*.py"
+      - "tests/test_*canary*.py"
+      - "pytest.ini"
+      - "stillme_core/**"
+      - "agent_dev/**"
+      - "framework.py"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  smoke:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          
+      - name: Install dependencies
+        run: |
+          pip install -e . || true
+          pip install pytest
+          
+      - name: Run smoke tests
+        run: |
+          pytest -q -k "smoke or canary"
+        env:
+          STILLME_DRY_RUN: "1"
+          
+      - name: Run learning smoke only
+        run: |
+          pytest -q tests/test_learning_smoke.py
+        env:
+          STILLME_DRY_RUN: "1"
+          
+      - name: Run framework smoke only
+        run: |
+          pytest -q tests/test_framework_smoke.py
+        env:
+          STILLME_DRY_RUN: "1"
@@ -17,9 +17,15 @@ on:
 permissions:
   contents: read  # đủ để checkout & đọc repo
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   cleanup-audit:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
 
     steps:
       - name: Checkout
 
@@ -0,0 +1,37 @@
+name: Costs Report
+
+on:
+  schedule:
+    - cron: "0 7 * * MON"   # mỗi Thứ Hai 14:00 ICT
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Generate COSTS.md
+        run: |
+          python scripts/gen_costs_report.py
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          title: "chore(docs): update COSTS.md (weekly)"
+          commit-message: "chore(docs): update COSTS.md (weekly)"
+          branch: "bot/update-costs-md"
+          base: "main"
+          delete-branch: true
+          add-paths: |
+            reports/COSTS.md
@@ -5,9 +5,18 @@ on:
     branches: [ main, master, develop ]
   pull_request:
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
@@ -10,5 +10,5 @@ paths = [
 ]
 
 regexes = [
-  '''FAKE|DUMMY|PLACEHOLDER|EXAMPLE_KEY'''
+  '''FAKE|DUMMY|PLACEHOLDER|EXAMPLE_KEY|sk-xxxx|sk-dev-xxxx|sk-or-dev-xxxx|test_key_for_testing_purposes_only'''
 ]
Original file line number	Diff line number	Diff line change
`@@ -10,5 +10,5 @@ paths = [`
`10`	`10`	`]`
`11`	`11`
`12`	`12`	`regexes = [`
`13`		`- '''FAKE\|DUMMY\|PLACEHOLDER\|EXAMPLE_KEY'''`
	`13`	`+ '''FAKE\|DUMMY\|PLACEHOLDER\|EXAMPLE_KEY\|sk-xxxx\|sk-dev-xxxx\|sk-or-dev-xxxx\|test_key_for_testing_purposes_only'''`
`14`	`14`	`]`