fix(ci): unblock daily pipeline preflight + suppress gitleaks false positive #230
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| # Weekly cron preserves the cadence the deleted security-audit.yml had — | |
| # dependency-audit + sast keep running even if the repo goes a week | |
| # without a push (a real scenario for this slow-moving project). | |
| schedule: | |
| - cron: '0 9 * * 1' | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| secrets-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| lint: | |
| runs-on: ubuntu-latest | |
| needs: secrets-scan | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: ./.github/actions/setup-python-env | |
| - name: Lint with ruff | |
| run: uv run ruff check . | |
| type-check: | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: ./.github/actions/setup-python-env | |
| - name: Type check with pyright | |
| run: uv run pyright | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: ./.github/actions/setup-python-env | |
| - name: Run unit tests with coverage | |
| run: uv run python -m pytest tests/ -v --tb=short --cov=strategies --cov=scripts --cov-report=term-missing --cov-report=html --cov-report=json --cov-fail-under=80 | |
| - name: Enforce per-file coverage floors | |
| run: uv run python .github/scripts/check_coverage_floors.py | |
| - name: Upload coverage report | |
| if: always() | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: coverage-report | |
| path: htmlcov/ | |
| dependency-audit: | |
| runs-on: ubuntu-latest | |
| needs: secrets-scan | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: ./.github/actions/setup-python-env | |
| # CVE-2026-3219: pip's concatenated tar/zip handling. Ignored because pip | |
| # itself is a CI-time tool (used to install deps), not in any runtime | |
| # surface our trading code or agent ship. Re-audit and drop the flag | |
| # when uv resolves to a patched pip release. | |
| - name: Audit dependencies with pip-audit | |
| run: uv run pip-audit --strict --desc --ignore-vuln CVE-2026-3219 | |
| sast: | |
| runs-on: ubuntu-latest | |
| needs: secrets-scan | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: ./.github/actions/setup-python-env | |
| # bandit complements gitleaks (which finds committed secrets) and | |
| # pip-audit (vulnerable dependencies). It scans our own source for | |
| # patterns like hardcoded credentials, weak crypto, eval() on user | |
| # input, pickle on untrusted streams. | |
| # | |
| # --severity-level medium: only fail on Medium/High findings. The | |
| # codebase has 56 Low-severity findings (subprocess use, try/except | |
| # /pass) that are accepted patterns; cleaning those up is a | |
| # separate effort and shouldn't block enabling the safety net for | |
| # new code. | |
| - name: Run bandit security linter | |
| run: uv run bandit -r strategies scripts -c pyproject.toml --severity-level medium | |
| integration-test: | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| # Integration tests run separately — they may need API keys and test | |
| # multi-component flows. Skipped when secrets are unavailable (e.g. forks). | |
| if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: ./.github/actions/setup-python-env | |
| - name: Run integration tests | |
| run: uv run python -m pytest tests/integration/ -v --tb=short -m integration |