Add comprehensive test suite and modernize CI (#26)

* Add comprehensive test suite and modernize CI

- Add pytest with 74 tests covering unit, integration, and E2E scenarios
- Test file_paths, ranges, and analysis_structures utilities
- Test SlitherDiagnostics with mocked server
- Test LSP protocol types and server capabilities
- Add test fixtures (Solidity contracts, detector JSON)
- Configure pytest-asyncio for async test support
- Add test.yaml CI workflow with pinned action SHAs
- Replace black/pylint workflows with ruff-based lint.yaml
- Update pip-audit.yaml and publish.yaml for uv
- Add pre-commit configuration
- Add py.typed marker for type checking
- Add __init__.py files for proper package structure
- Fix TYPE_CHECKING annotation in slither_diagnostics.py
- Format codebase with ruff

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Restrict GitHub Actions workflow permissions

Add explicit minimal permissions to all workflows to follow
security best practices (fixes zizmor excessive-permissions audit).

Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: Claude Opus 4.5 <[email protected]>

Author: dguido

.github/workflows/black.yaml

@@ -0,0 +1,36 @@
+name: Lint
+
+on:
+  pull_request:
+    branches: [main, dev]
+    paths: ["**/*.py"]
+  push:
+    branches: [main, dev]
+    paths: ["**/*.py"]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca  # v6.0.1
+        with:
+          enable-cache: true
+
+      - run: uv sync --group lint
+
+      - run: uv run ruff format --check .
+
+      - run: uv run ruff check --output-format=github .
+
+      - run: uv run ty check slither_lsp/

.github/workflows/lint.yaml

@@ -1,39 +1,28 @@
----
-    name: pip-audit
-    
-    on:
-      push:
-        branches: [ dev, main ]
-      pull_request:
-        branches: [ dev, main ]
-      schedule: [ cron: "0 7 * * 2" ]
-    
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}
-      cancel-in-progress: true
-    
-    jobs:
-      audit:
-        runs-on: ubuntu-latest
-    
-        steps:
-          - name: Checkout repository
-            uses: actions/checkout@v4
-    
-          - name: Install Python
-            uses: actions/setup-python@v5
-            with:
-              python-version: "3.10"
-    
-          - name: Install Slither
-            run: |
-              python -m venv /tmp/pip-audit-env
-              source /tmp/pip-audit-env/bin/activate
-    
-              python -m pip install --upgrade pip setuptools wheel
-              python -m pip install .
-    
-          - name: Run pip-audit
-            uses: pypa/[email protected]
-            with:
-              virtual-environment: /tmp/pip-audit-env
+name: pip-audit
+
+on:
+  push:
+    branches: [dev, main]
+  pull_request:
+    branches: [dev, main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca  # v6.0.1
+
+      - run: uv sync --group audit
+
+      - run: uv run pip-audit

.github/workflows/matchers/pylint.json

@@ -4,26 +4,23 @@ on:
   release:
     types: [published]
 
+permissions: {}
+
 jobs:
   build-release:
-
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
-
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
-          python-version: '3.x'
-
-      - name: Build distributions
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install build
-          python -m build
-      - name: Upload distributions
-        uses: actions/upload-artifact@v4
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca  # v6.0.1
+
+      - run: uv build
+
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           name: slither-lsp-dists
           path: dist/
@@ -32,22 +29,19 @@ jobs:
     runs-on: ubuntu-latest
     environment: release
     permissions:
-      id-token: write  # For trusted publishing + codesigning.
-      contents: write  # For attaching signing artifacts to the release.
+      id-token: write
+      contents: write
     needs:
       - build-release
     steps:
-      - name: fetch dists
-        uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
         with:
           name: slither-lsp-dists
           path: dist/
 
-      - name: publish
-        uses: pypa/[email protected]
+      - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # v1.12.4
 
-      - name: sign
-        uses: sigstore/[email protected]
+      - uses: sigstore/gh-action-sigstore-python@f514d46b907ebcd5bedc05145c03b69c1edd8b46  # v3.0.0
         with:
           inputs: ./dist/*.tar.gz ./dist/*.whl
-          release-signing-artifacts: true
+          release-signing-artifacts: true

.github/workflows/pip-audit.yaml

@@ -0,0 +1,25 @@
+name: Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b  # v7.2.0
+
+      - name: Install dependencies
+        run: uv sync --group dev
+
+      - name: Run tests
+        run: uv run pytest -q

.github/workflows/publish.yaml

@@ -100,6 +100,12 @@ ENV/
 # mypy
 .mypy_cache
 
+# ruff
+.ruff_cache
+
+# uv (lockfile not committed for library packages)
+uv.lock
+
 *.sw*
 
 # PyCharm project dir

.github/workflows/pylint.yaml

@@ -0,0 +1,15 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.14.14
+    hooks:
+      - id: ruff-check
+        args: [--fix]
+      - id: ruff-format
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml