CI #235
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main, dev] | |
| tags: ["v*.*.*"] | |
| pull_request: | |
| branches: [main, dev] | |
| workflow_dispatch: | |
| env: | |
| PYTHON_VERSION: "3.12" | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| quality: | |
| name: Quality (format, lint, repo-map) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| - name: Sync environment and CI tools | |
| run: | | |
| uv sync --extra dev | |
| uv pip install ruff black | |
| - name: Ruff lint | |
| run: uv run ruff check src tests | |
| - name: Black format check | |
| run: uv run black --check src tests | |
| - name: Verify repository map is up to date | |
| run: | | |
| uv run python scripts/generate_repo_map.py | |
| git diff --exit-code .repo-map.md | |
| - name: Verify env.template is up to date | |
| run: | | |
| uv run python scripts/generate_env_template.py | |
| git diff --exit-code env.template | |
| - name: Verify version references are in sync | |
| run: uv run python scripts/bump_version.py --check | |
| - name: Verify uv.lock is up to date | |
| run: uv lock --check | |
| - name: Verify scripts registry is complete and current | |
| run: uv run python scripts/generate_scripts_index.py --check | |
| test: | |
| name: Test (stable CI subset) | |
| runs-on: ubuntu-latest | |
| needs: quality | |
| env: | |
| ENVIRONMENT: test | |
| LOG_LEVEL: INFO | |
| STORAGE_PROVIDER: local | |
| LLM_ENABLED: false | |
| RUN_AZURE_CHAIN_TESTS: "0" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| - name: Install dependencies | |
| run: | | |
| uv sync --extra dev | |
| uv pip install pytest-cov | |
| - name: Run unit lane | |
| run: | | |
| uv run pytest tests \ | |
| -m "unit and not llm and not quarantine" \ | |
| --maxfail=1 \ | |
| --cov=src \ | |
| --cov-report=xml | |
| - name: Run contract lane | |
| run: | | |
| uv run pytest tests \ | |
| -m "contract and not llm and not quarantine" \ | |
| --maxfail=1 \ | |
| --cov=src \ | |
| --cov-append \ | |
| --cov-report=xml | |
| - name: Run integration lane | |
| run: | | |
| uv run pytest tests \ | |
| -m "integration and not llm and not quarantine" \ | |
| --ignore=tests/test_storage_to_okw_list_chain.py \ | |
| --maxfail=1 \ | |
| --cov=src \ | |
| --cov-append \ | |
| --cov-report=xml | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v5 | |
| with: | |
| file: ./coverage.xml | |
| fail_ci_if_error: false | |
| contract-stability: | |
| name: Contract Stability Guardrails | |
| runs-on: ubuntu-latest | |
| needs: quality | |
| env: | |
| ENVIRONMENT: test | |
| LOG_LEVEL: INFO | |
| STORAGE_PROVIDER: local | |
| LLM_ENABLED: false | |
| RUN_AZURE_CHAIN_TESTS: "0" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| - name: Install dependencies | |
| run: uv sync --extra dev | |
| - name: Run contract stability suite | |
| run: | | |
| uv run pytest \ | |
| tests/api/test_scaffold_cleanup_endpoint.py \ | |
| tests/api/test_package_download_route.py \ | |
| tests/cli/test_scaffold_cleanup_cli.py \ | |
| tests/federation/test_federation_routes.py \ | |
| -m "not llm and not quarantine" \ | |
| --maxfail=1 | |
| security: | |
| name: Security (dependency and static checks) | |
| runs-on: ubuntu-latest | |
| needs: quality | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| - name: Install dependencies and security tools | |
| run: | | |
| uv sync --extra dev | |
| uv pip install pip-audit bandit | |
| - name: Dependency vulnerability scan | |
| run: uv run pip-audit --skip-editable | |
| - name: Static security scan | |
| run: uv run bandit -q -r src -c pyproject.toml -x tests |