fix(web): attach terminals through configured backend (#417) #1282
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| test: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| python-version: ["3.10", "3.11", "3.12"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v4 | |
| with: | |
| enable-cache: true | |
| cache-dependency-glob: "uv.lock" | |
| - name: Set up Python ${{ matrix.python-version }} | |
| run: uv python install ${{ matrix.python-version }} | |
| - name: Install dependencies | |
| run: uv sync --all-extras --dev | |
| - name: Run unit tests with coverage | |
| run: | | |
| uv run pytest test/ \ | |
| --ignore=test/providers/test_kiro_cli_integration.py \ | |
| --ignore=test/e2e \ | |
| -m "not e2e" \ | |
| --cov=src/cli_agent_orchestrator \ | |
| --cov-report=xml \ | |
| --cov-report=term-missing \ | |
| -v | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./coverage.xml | |
| flags: unittests | |
| name: codecov-umbrella | |
| fail_ci_if_error: false | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| web-build: | |
| name: Web UI Build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| cache: "npm" | |
| cache-dependency-path: web/package-lock.json | |
| - name: Install dependencies | |
| run: npm ci | |
| working-directory: web | |
| - name: Type check | |
| run: npx tsc --noEmit | |
| working-directory: web | |
| - name: Run tests | |
| run: npm test | |
| working-directory: web | |
| - name: Build | |
| run: npm run build | |
| working-directory: web | |
| cao-mcp-apps: | |
| name: CAO MCP Apps | |
| runs-on: ubuntu-latest | |
| # Per-tier test timing budgets (Requirement 20.3), surfaced as env so the | |
| # vitest tiers (Phase II+) and CI can enforce them: | |
| # Unit < 5s, Component < 8s, Integration < 15s, E2E < 60s. | |
| env: | |
| CAO_TIER_TIMEOUT_UNIT_MS: "5000" | |
| CAO_TIER_TIMEOUT_COMPONENT_MS: "8000" | |
| CAO_TIER_TIMEOUT_INTEGRATION_MS: "15000" | |
| CAO_TIER_TIMEOUT_E2E_MS: "60000" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v4 | |
| - name: Set up Python | |
| run: uv python install 3.12 | |
| - name: Install Python deps (for the HTTP-only guard + coverage ratchet) | |
| run: uv sync --all-extras --dev | |
| - name: Install MCP-apps deps | |
| run: npm install | |
| working-directory: cao_mcp_apps | |
| - name: Type check | |
| working-directory: cao_mcp_apps | |
| run: | | |
| if ls src/**/*.ts src/**/*.tsx >/dev/null 2>&1; then | |
| npm run typecheck | |
| else | |
| echo "no TypeScript sources yet (Phase 0) — skipping tsc" | |
| fi | |
| - name: Unit tests | |
| working-directory: cao_mcp_apps | |
| # --coverage emits coverage/coverage-summary.json for the ratchet floor. | |
| run: npx vitest run --coverage --passWithNoTests | |
| - name: Build single-file bundles | |
| working-directory: cao_mcp_apps | |
| run: npm run build:all | |
| - name: JIT-free deny-list scan | |
| working-directory: cao_mcp_apps | |
| run: npm run scan:jit | |
| - name: Bundle-size budget | |
| working-directory: cao_mcp_apps | |
| run: npm run check:size | |
| - name: HTTP-only MCP boundary guard | |
| run: uv run pytest test/test_http_only_boundary.py -q | |
| - name: Backend coverage (for the ratchet floor) | |
| # Produces coverage.json (python floor) consumed by coverage:ratchet. | |
| run: | | |
| uv run pytest test/ \ | |
| --ignore=test/providers/test_kiro_cli_integration.py \ | |
| --ignore=test/e2e \ | |
| -m "not e2e" \ | |
| --cov=src/cli_agent_orchestrator \ | |
| --cov-report=json \ | |
| -q | |
| - name: Coverage ratchet | |
| working-directory: cao_mcp_apps | |
| run: npm run coverage:ratchet | |
| cao-mcp-apps-e2e: | |
| name: CAO MCP Apps E2E (Playwright) | |
| runs-on: ubuntu-latest | |
| # E2E tier budget (Requirement 20.3): 60s per test (enforced in | |
| # playwright.config.ts via `timeout: 60_000`). | |
| env: | |
| CAO_TIER_TIMEOUT_E2E_MS: "60000" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| - name: Install MCP-apps deps | |
| run: npm install | |
| working-directory: cao_mcp_apps | |
| - name: Install Playwright browser (chromium) | |
| run: npm run test:e2e:install | |
| working-directory: cao_mcp_apps | |
| - name: Run Playwright E2E | |
| # playwright.config.ts builds the single-file bundles and starts the | |
| # harness server (e2e/server.mjs) on 127.0.0.1:9889 before the run. | |
| run: npm run test:e2e | |
| working-directory: cao_mcp_apps | |
| lint: | |
| name: Code Quality | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v4 | |
| with: | |
| enable-cache: true | |
| cache-dependency-glob: "uv.lock" | |
| - name: Set up Python | |
| run: uv python install 3.12 | |
| - name: Install dependencies | |
| run: uv sync --all-extras --dev | |
| - name: Check code formatting with black | |
| run: uv run black --check src/ test/ | |
| - name: Check import sorting with isort | |
| run: uv run isort --check-only src/ test/ | |
| - name: Run type checker with mypy | |
| run: uv run mypy src/ | |
| continue-on-error: true | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v4 | |
| - name: Generate requirements.txt for scanning | |
| run: | | |
| uv export --format requirements-txt > requirements.txt | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.69.3 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| ignore-unfixed: true | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' && github.repository == 'awslabs/cli-agent-orchestrator' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: high | |
| deny-licenses: GPL-3.0, AGPL-3.0 | |
| # NOTE: CodeQL runs via GitHub's "default setup" (visible as the `Analyze (...)` | |
| # checks on every PR). Adding a workflow-based CodeQL job here would conflict | |
| # with default setup ("CodeQL analyses from advanced configurations cannot be | |
| # processed when the default setup is enabled") and fail uploads. To widen the | |
| # query suite beyond the default, toggle default setup off in | |
| # Settings → Code security → CodeQL default setup and re-add a workflow job. |