Fix CI/CD: GHA /tmp bug, dep scanning, DST scheduling, pre-commit hooks (#97)

* fix: resolve 4 CI/CD issues (#58, #60, #72, #90)

- #58: Replace /tmp snapshot with git stash for trading-data branch
  commits; add artifact backup for crash resilience
- #60: Add pip-audit dependency scanning to CI pipeline and weekly
  security-audit.yml workflow with bandit
- #72: Consolidate 4 DST-fragile cron entries into 2 UTC-based entries
  with a Python market-hours guard that skips off-hours runs
- #90: Add pre-commit hooks (trailing-whitespace, end-of-file-fixer,
  check-yaml, check-json, check-merge-conflict, detect-private-key,
  bandit) and bandit config in pyproject.toml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: resolve 4 review issues in CI/CD batch PR

1. Replace git stash with tar for trading-data branch switch — git stash
   pop fails with merge conflicts when applied across branches with
   divergent histories (confirmed via reproduction)

2. Fix market hours guard: hour >= 16 rejects 20:45 UTC during EDT
   (4:45 PM EDT), blocking the midday run every summer. Extend to >= 17.

3. Update bandit pre-commit hook rev 1.8.3 -> 1.9.4 to match uv.lock

4. Upload bandit JSON report as artifact in security-audit workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: costajohnt

.github/workflows/ci.yml

@@ -58,6 +58,21 @@ jobs:
           name: coverage-report
           path: htmlcov/
 
+  dependency-audit:
+    runs-on: ubuntu-latest
+    needs: secrets-scan
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install Python and dependencies
+        run: uv sync
+
+      - name: Audit dependencies with pip-audit
+        run: uv run pip-audit --strict --desc
+
   integration-test:
     runs-on: ubuntu-latest
     needs: lint

.github/workflows/daily-trading.yml

@@ -2,14 +2,12 @@ name: Daily Trading Pipeline
 
 on:
   schedule:
-    # US market hours — run twice daily Mon-Fri
-    # 6:45 AM PT = 14:45 UTC (PST, Nov-Mar) / 13:45 UTC (PDT, Mar-Nov)
-    # 12:45 PM PT = 20:45 UTC (PST) / 19:45 UTC (PDT)
-    # Using both UTC offsets to cover DST transitions
-    - cron: '45 13 * * 1-5'  # 6:45 AM PDT
-    - cron: '45 14 * * 1-5'  # 6:45 AM PST
-    - cron: '45 19 * * 1-5'  # 12:45 PM PDT
-    - cron: '45 20 * * 1-5'  # 12:45 PM PST
+    # US market hours — run twice daily Mon-Fri (UTC times)
+    # 14:45 UTC = 6:45 AM PST / 7:45 AM PDT (9:45-10:45 AM ET)
+    # 20:45 UTC = 12:45 PM PST / 1:45 PM PDT (3:45 PM EST / 4:45 PM EDT)
+    # Python market hours guard (9 AM - 5 PM ET) skips off-hours execution
+    - cron: '45 14 * * 1-5'  # Morning run
+    - cron: '45 20 * * 1-5'  # Midday run
   workflow_dispatch:  # Allow manual trigger from GitHub UI
 
 concurrency:
@@ -40,80 +38,116 @@ jobs:
       - name: Install Python and dependencies
         run: uv sync
 
+      - name: Check US market hours (skip if outside trading window)
+        id: market_hours
+        if: github.event_name == 'schedule'
+        continue-on-error: true
+        run: |
+          uv run python -c "
+          from datetime import datetime
+          import pytz, sys
+          now = datetime.now(pytz.timezone('US/Eastern'))
+          hour = now.hour
+          # Market open 9:30 AM - 4:00 PM ET
+          # Allow buffer: 9 AM (pre-open) through 4:59 PM (post-close processing)
+          # 20:45 UTC = 4:45 PM EDT, so hour=16 must be allowed
+          if now.weekday() >= 5:
+              print('Weekend -- skipping pipeline')
+              sys.exit(1)
+          if hour < 9 or hour >= 17:
+              print(f'Outside market hours (ET hour={hour}) -- skipping pipeline')
+              sys.exit(1)
+          print(f'Market hours OK (ET hour={hour})')
+          "
+
       - name: Ensure data directory exists
+        if: github.event_name != 'schedule' || steps.market_hours.outcome == 'success'
         run: mkdir -p data
 
       - name: Restore state from trading-data branch
+        if: github.event_name != 'schedule' || steps.market_hours.outcome == 'success'
         run: |
           git fetch origin trading-data 2>/dev/null || true
           git checkout origin/trading-data -- data/ 2>/dev/null || echo "No prior trading data"
 
       - name: 1. Position Manager (manage exits)
         id: position_manager
+        if: github.event_name != 'schedule' || steps.market_hours.outcome == 'success'
         run: uv run python scripts/position_manager.py --execute --check-sentiment
 
       - name: 2. Screener Auto-Trade (biggest dips)
         id: screener
-        if: steps.position_manager.outcome == 'success'
+        if: (github.event_name != 'schedule' || steps.market_hours.outcome == 'success') && steps.position_manager.outcome == 'success'
         run: uv run python scripts/screener_trade.py --min-dip -7.0 --max-trades 8 --amount 3000 --execute
         continue-on-error: true
 
       - name: 3. Watchlist Scan (3-layer analysis)
         id: watchlist
-        if: steps.position_manager.outcome == 'success'
+        if: (github.event_name != 'schedule' || steps.market_hours.outcome == 'success') && steps.position_manager.outcome == 'success'
         run: uv run python scripts/scan_with_sentiment.py --execute
         continue-on-error: true
 
       - name: 4. Momentum Auto-Trade (trend following)
         id: momentum
-        if: steps.position_manager.outcome == 'success'
+        if: (github.event_name != 'schedule' || steps.market_hours.outcome == 'success') && steps.position_manager.outcome == 'success'
         run: uv run python scripts/momentum_trade.py --min-momentum 10.0 --max-trades 5 --amount 3000 --execute
         continue-on-error: true
 
       - name: 5. Portfolio Summary
-        if: always()
+        if: always() && (github.event_name != 'schedule' || steps.market_hours.outcome == 'success')
         run: uv run python scripts/portfolio.py
         continue-on-error: true
 
       - name: 6. Performance Report
-        if: always()
+        if: always() && (github.event_name != 'schedule' || steps.market_hours.outcome == 'success')
         run: uv run python scripts/performance.py
         continue-on-error: true
 
       - name: 7. Strategy Agent (Event Check)
-        if: always()
+        if: always() && (github.event_name != 'schedule' || steps.market_hours.outcome == 'success')
         run: uv run python scripts/strategy_agent.py --mode event-check
         continue-on-error: true
 
+      - name: Backup trading data
+        if: always() && (github.event_name != 'schedule' || steps.market_hours.outcome == 'success')
+        uses: actions/upload-artifact@v6
+        with:
+          name: trading-data-backup
+          path: data/
+          retention-days: 7
+
       - name: Commit state to trading-data branch
-        if: always()
+        if: always() && (github.event_name != 'schedule' || steps.market_hours.outcome == 'success')
+        env:
+          SOURCE_BRANCH: ${{ github.ref_name }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
-          # Save data directory
-          cp -r data/ /tmp/trading-data-snapshot/
+          # Snapshot data directory (tar avoids git stash merge conflicts across branches)
+          tar cf data-snapshot.tar data/
 
           # Switch to trading-data branch (create if needed)
           git fetch origin trading-data 2>/dev/null || true
-          git checkout trading-data 2>/dev/null || {
+          git checkout -f trading-data 2>/dev/null || {
             git checkout --orphan trading-data
             git rm -rf . 2>/dev/null || true
           }
 
-          # Clean and restore data
+          # Restore data from snapshot
           rm -rf data/
-          cp -r /tmp/trading-data-snapshot/ data/
+          tar xf data-snapshot.tar
+          rm -f data-snapshot.tar
 
           git add data/
           git diff --cached --quiet || git commit -m "chore: update trading state [$(date -u +%Y-%m-%dT%H:%M:%SZ)]"
           git push origin trading-data
 
           # Return to original branch for any subsequent steps
-          git checkout ${{ github.ref_name }} 2>/dev/null || true
+          git checkout -f "$SOURCE_BRANCH" 2>/dev/null || true
 
       - name: Alert on pipeline failures
-        if: always()
+        if: always() && (github.event_name != 'schedule' || steps.market_hours.outcome == 'success')
         env:
           TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
           TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}

.github/workflows/security-audit.yml

@@ -0,0 +1,48 @@
+name: Security Audit
+
+on:
+  schedule:
+    # Weekly on Monday at 09:00 UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch:
+
+jobs:
+  dependency-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install Python and dependencies
+        run: uv sync
+
+      - name: Audit dependencies with pip-audit
+        run: uv run pip-audit --strict --desc
+
+  bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install Python and dependencies
+        run: uv sync
+
+      - name: Run bandit security linter
+        run: uv run bandit -c pyproject.toml -r strategies/ scripts/ -f json -o bandit-report.json || true
+
+      - name: Display bandit results
+        if: always()
+        run: uv run bandit -c pyproject.toml -r strategies/ scripts/ -ll
+
+      - name: Upload bandit report
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: bandit-report
+          path: bandit-report.json
+          retention-days: 30

.pre-commit-config.yaml

@@ -1,4 +1,14 @@
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-json
+      - id: check-merge-conflict
+      - id: detect-private-key
+
   - repo: https://github.com/gitleaks/gitleaks
     rev: v8.21.2
     hooks:
@@ -11,3 +21,10 @@ repos:
         args: [--fix]
       - id: ruff-format
         args: [--check]
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.9.4
+    hooks:
+      - id: bandit
+        args: ["-c", "pyproject.toml"]
+        additional_dependencies: ["bandit[toml]"]

pyproject.toml

@@ -19,7 +19,9 @@ dependencies = [
 
 [dependency-groups]
 dev = [
+    "bandit[toml]>=1.8.0",
     "hypothesis>=6.151.9",
+    "pip-audit>=2.7.0",
     "pre-commit>=4.0",
     "pytest>=9.0.2",
     "pytest-cov>=6.0",
@@ -56,3 +58,8 @@ exclude_lines = [
     "if __name__",
     "pragma: no cover",
 ]
+
+[tool.bandit]
+targets = ["strategies", "scripts"]
+exclude_dirs = ["tests"]
+skips = ["B101"]  # Skip assert warnings (used extensively in tests)