PhotoSort/.github/workflows/ci.yml at 545967859e9bf614013bc14034567d42ea71b928 · duartebarbosadev/PhotoSort · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
name: CI

on:
  push:
    branches: [ main ]
  pull_request: {}
  schedule:
    - cron: '0 3 * * 1'  # Weekly (Mon 03:00 UTC) security & maintenance run

concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build-test:
    name: Lint & Test (Python)
    runs-on: ubuntu-latest
    timeout-minutes: 25
    permissions:
      contents: read
      pull-requests: write
    env:
      PIP_DISABLE_PIP_VERSION_CHECK: '1'
      PIP_NO_PYTHON_VERSION_WARNING: '1'
      PIP_PROGRESS_BAR: 'off'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install system deps
        run: |
          sudo apt-get update
          # Base GL/GLib plus EGL for headless PyQt6 usage
          sudo apt-get install -y libgl1 libglib2.0-0 libegl1
          # QtMultimedia runtime deps used by PyQt6 on Linux runners
          sudo apt-get install -y libpulse0 libpulse-mainloop-glib0
          # JPEG tools for lossless JPEG rotation
          sudo apt-get install -y libjpeg-turbo-progs

      - name: Cache pip
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt', '**/requirements-dev.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      - name: Install dependencies (prod + dev)
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements-dev.txt
          pip install openai


      - name: Ruff Lint
        run: ruff check .

      - name: Ruff Format Check
        run: ruff format --check .

      - name: Run Tests
        env:
          PYTHONWARNINGS: default
          # Ensure Qt runs without an X server
          QT_QPA_PLATFORM: offscreen
        run: |
          pytest -q --cov=src --cov-report=xml:coverage.xml --cov-report=term
          # Single coverage dataset only; no secondary copying.

      - name: Smoke launch (headless)
        env:
          QT_QPA_PLATFORM: offscreen
          PHOTOSORT_ENABLE_FILE_LOGGING: 'false'
        run: |
          # Launch the app briefly in headless mode to catch startup regressions
          timeout 20s python src/main.py --smoke-test --smoke-delay-ms 1500

      - name: Upload coverage XML
        uses: actions/upload-artifact@v4
        if: success() || failure()
        with:
          name: coverage-xml
          path: coverage.xml
          retention-days: 5

      - name: Upload pytest cache & reports
        uses: actions/upload-artifact@v4
        if: success() || failure()
        with:
          name: pytest-artifacts
          path: |
            .pytest_cache/
            ./**/pytest-*.log
          if-no-files-found: ignore
          retention-days: 5


  security:
    name: Basic Security Scan
    runs-on: ubuntu-latest
    needs: [build-test]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Cache pip
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install deps (no extras)
        run: |
          python -m pip install --upgrade pip
          pip install pip-audit
          pip install -r requirements.txt || true
      - name: pip-audit (non-failing)
        continue-on-error: true
        run: |
          pip-audit -r requirements.txt -f json -o pip-audit.json || true
      - name: Upload pip-audit report
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: pip-audit.json
          retention-days: 5

  summary:
    name: PR Summary
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    needs: [build-test, security]
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Download coverage artifacts
        uses: actions/download-artifact@v4
        with:
          path: coverage-artifacts
      - name: Summarize Coverage
        run: |
          echo '### Coverage Summary' >> $GITHUB_STEP_SUMMARY
          if [ -f coverage-artifacts/coverage-xml/coverage.xml ]; then
            TOTAL=$(grep -o 'line-rate="[0-9.]*"' coverage-artifacts/coverage-xml/coverage.xml | head -1 | cut -d '"' -f2)
            echo "* Line-rate: ${TOTAL}" >> $GITHUB_STEP_SUMMARY
          else
            echo '* Coverage XML not found' >> $GITHUB_STEP_SUMMARY
          fi
      - name: Generate Summary
        run: |
          echo '### CI Results' >> $GITHUB_STEP_SUMMARY
          echo '* Build/Test: ${{ needs.build-test.result }}' >> $GITHUB_STEP_SUMMARY
          echo '* Security: ${{ needs.security.result }}' >> $GITHUB_STEP_SUMMARY