-
Notifications
You must be signed in to change notification settings - Fork 146
342 lines (330 loc) · 14.4 KB
/
ci.yml
File metadata and controls
342 lines (330 loc) · 14.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
# ── Path detection — determines which jobs to run ─────────────────────
changes:
runs-on: ubuntu-latest
outputs:
python: ${{ steps.filter.outputs.python }}
dotnet: ${{ steps.filter.outputs.dotnet }}
typescript: ${{ steps.filter.outputs.typescript }}
integrations: ${{ steps.filter.outputs.integrations }}
workflows: ${{ steps.filter.outputs.workflows }}
docs-only: ${{ steps.filter.outputs.docs-only }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
id: filter
with:
filters: |
python:
- 'packages/agent-os/**'
- 'packages/agent-mesh/**'
- 'packages/agent-hypervisor/**'
- 'packages/agent-sre/**'
- 'packages/agent-compliance/**'
- 'scripts/**'
- 'requirements/**'
dotnet:
- 'packages/agent-governance-dotnet/**'
typescript:
- 'packages/agent-mesh/sdks/typescript/**'
- 'packages/agent-os/extensions/**'
- 'packages/agentmesh-integrations/mastra-agentmesh/**'
- 'packages/agentmesh-integrations/copilot-governance/**'
integrations:
- 'packages/agentmesh-integrations/**'
workflows:
- '.github/workflows/**'
docs-only:
- '**/*.md'
- 'notebooks/**'
- 'docs/**'
# ── Python lint + test (only when Python files change) ────────────────
lint:
needs: changes
if: needs.changes.outputs.python == 'true'
runs-on: ubuntu-latest
strategy:
matrix:
package: [agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
- name: Install ruff
run: pip install --require-hashes --no-cache-dir -r requirements/ci-lint.txt
- name: Lint ${{ matrix.package }}
run: ruff check packages/${{ matrix.package }}/src/ --select E,F,W --ignore E501
# ── Python test (only when Python files change) ───────────────────────
test:
needs: changes
if: needs.changes.outputs.python == 'true'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
package: [agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance]
python-version: ["3.10", "3.11", "3.12", "3.13"]
exclude:
- package: agent-mesh
python-version: "3.10"
- package: agent-hypervisor
python-version: "3.10"
- package: agent-compliance
python-version: "3.10"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Install ${{ matrix.package }}
working-directory: packages/${{ matrix.package }}
run: |
pip install --no-cache-dir -e ".[dev]" 2>/dev/null || pip install --no-cache-dir -e ".[test]" 2>/dev/null || pip install --no-cache-dir -e .
pip install --no-cache-dir pytest==8.4.1 pytest-asyncio==0.26.0 2>/dev/null || true
- name: Test ${{ matrix.package }}
working-directory: packages/${{ matrix.package }}
run: pytest tests/ -q --tb=short
# ── Python dependency safety (only when Python files change) ──────────
security:
needs: changes
if: needs.changes.outputs.python == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
- name: Install safety
run: |
pip install --no-cache-dir safety==3.2.1
- name: Check dependencies
env:
GIT_TERMINAL_PROMPT: "0"
run: |
for pkg in agent-os agent-mesh agent-hypervisor agent-sre agent-compliance; do
echo "=== $pkg ==="
cd packages/$pkg
pip install --no-cache-dir -e . 2>/dev/null || true
cd ../..
done
safety check 2>/dev/null || echo "Safety check completed with warnings"
# ── .NET build + test (only when C# files change) ────────────────────
test-dotnet:
needs: changes
if: needs.changes.outputs.dotnet == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
dotnet-version: "8.0.x"
- name: Build .NET SDK
working-directory: packages/agent-governance-dotnet
run: dotnet build --configuration Release --verbosity quiet
- name: Test .NET SDK
working-directory: packages/agent-governance-dotnet
run: dotnet test --configuration Release --verbosity normal --no-build
# ── Integration tests (only when integration packages change) ────────
test-integrations:
needs: changes
if: needs.changes.outputs.integrations == 'true' || needs.changes.outputs.python == 'true'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- package: a2a-protocol
import-module: a2a_agentmesh
- package: crewai-agentmesh
import-module: crewai_agentmesh
- package: flowise-agentmesh
import-module: flowise_agentmesh
- package: haystack-agentmesh
import-module: haystack_agentmesh
- package: langchain-agentmesh
import-module: langchain_agentmesh
- package: langflow-agentmesh
import-module: langflow_agentmesh
- package: langgraph-trust
import-module: langgraph_trust
- package: llamaindex-agentmesh
import-module: llama_index.agent.agentmesh
- package: mcp-trust-proxy
import-module: mcp_trust_proxy
- package: nostr-wot
import-module: agentmesh_nostr_wot
- package: openai-agents-agentmesh
import-module: openai_agents_agentmesh
- package: openai-agents-trust
import-module: openai_agents_trust
- package: pydantic-ai-governance
import-module: pydantic_ai_governance
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
- name: Install ${{ matrix.package }}
working-directory: packages/agentmesh-integrations/${{ matrix.package }}
run: |
pip install --no-cache-dir -e ".[dev]" 2>/dev/null || pip install --no-cache-dir -e ".[test]" 2>/dev/null || pip install --no-cache-dir -e .
pip install --no-cache-dir pytest==8.4.1 pytest-asyncio==0.26.0 2>/dev/null || true
- name: Validate Python syntax
working-directory: packages/agentmesh-integrations/${{ matrix.package }}
run: |
python -c "
import ast, glob, sys
errors = 0
for f in glob.glob('**/*.py', recursive=True):
try:
with open(f) as fh:
ast.parse(fh.read(), f)
except SyntaxError as e:
print(f'FAIL {f}: {e}')
errors += 1
if errors:
sys.exit(1)
print('All Python files parse successfully')
"
- name: Smoke test — import ${{ matrix.import-module }}
run: python -c "import ${{ matrix.import-module }}"
continue-on-error: true
- name: Run tests
working-directory: packages/agentmesh-integrations/${{ matrix.package }}
run: |
if [ -d tests ]; then
pytest tests/ -q --tb=short
else
echo "No tests/ directory — smoke import passed"
fi
# ── Dependency confusion scan (always runs — security gate) ──────────
dependency-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
- name: Dependency confusion scan
run: python scripts/check_dependency_confusion.py --strict
- name: Notebook pip-install audit
run: |
python -c "
import json, glob, sys, re
REGISTERED = {
'agent-os-kernel','agentmesh-platform','agent-hypervisor',
'agentmesh-runtime','agent-sre','agent-governance-toolkit',
'agentmesh-lightning','agentmesh-marketplace',
'pydantic','pyyaml','cryptography','pynacl','click','rich',
'httpx','aiohttp','fastapi','uvicorn','structlog','numpy',
'scipy','openai','anthropic','langchain','crewai',
'streamlit','plotly','pandas','networkx','aioredis',
'langchain-openai','langchain-core','python-dotenv',
'agent-primitives','emk',
}
bad = []
for nb in glob.glob('**/*.ipynb', recursive=True):
if 'node_modules' in nb or '.ipynb_checkpoints' in nb:
continue
try:
cells = json.load(open(nb))['cells']
except Exception:
continue
for c in cells:
for line in c.get('source', []):
if 'pip install' in line and not line.strip().startswith('#') and not line.strip().startswith('>'):
pkgs = re.findall(r'(?:pip install\s+)(.+)', line)
if pkgs:
for p in pkgs[0].split():
name = re.sub(r'[^a-zA-Z0-9._-]', '', re.sub(r'\[.*\]', '', p))
if (name and not name.startswith('-') and not name.startswith('.')
and not name.startswith('http') and name not in REGISTERED
and not name.startswith('--')):
bad.append(f'{nb}: {name}')
if bad:
print('UNREGISTERED PACKAGES IN NOTEBOOKS:')
for b in bad:
print(f' {b}')
sys.exit(1)
print(f'OK: All notebook pip install packages are registered')
"
# ── Workflow security audit (only when workflows change) ─────────────
workflow-security:
needs: changes
if: needs.changes.outputs.workflows == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Audit pull_request_target workflows
run: |
echo "=== Checking pull_request_target safety ==="
UNSAFE=0
for f in .github/workflows/*.yml; do
if grep -q 'pull_request_target' "$f"; then
# Only flag if actions/checkout has ref: pointing to head (unsafe)
# Uses awk to check checkout blocks specifically, not unrelated lines
if awk '/actions\/checkout/{found=1} found && /ref:.*head\.(ref|sha)/{print; exit 1}' "$f" 2>/dev/null; then
echo "OK: $f (pull_request_target, base-only checkout)"
else
echo "UNSAFE: $f checks out PR head in pull_request_target context"
UNSAFE=1
fi
fi
done
if [ $UNSAFE -eq 1 ]; then exit 1; fi
# ── TypeScript integration tests (only when TS files change) ─────────
test-integrations-ts:
needs: changes
if: needs.changes.outputs.typescript == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: "20"
- name: Install mastra-agentmesh
working-directory: packages/agentmesh-integrations/mastra-agentmesh
run: npm ci 2>/dev/null || npm install
- name: Lint mastra-agentmesh
working-directory: packages/agentmesh-integrations/mastra-agentmesh
run: npm run lint 2>/dev/null || true
- name: Test mastra-agentmesh
working-directory: packages/agentmesh-integrations/mastra-agentmesh
run: npm test
- name: Install copilot-governance
working-directory: packages/agentmesh-integrations/copilot-governance
run: npm ci 2>/dev/null || npm install
- name: Lint copilot-governance
working-directory: packages/agentmesh-integrations/copilot-governance
run: npm run lint 2>/dev/null || true
- name: Test copilot-governance
working-directory: packages/agentmesh-integrations/copilot-governance
run: npm test
# ── CI Gate — required status check that handles skipped jobs ────────
# When path-filters skip jobs (e.g. docs-only PRs skip tests), those
# jobs report "skipped" which doesn't satisfy required status checks.
# This gate job always runs, checks that no jobs FAILED, and reports
# success. Configure this as the single required status check.
ci-complete:
if: always()
needs: [changes, lint, test, security, test-dotnet, test-integrations, dependency-scan, workflow-security, test-integrations-ts]
runs-on: ubuntu-latest
steps:
- name: Check job results
run: |
results='${{ toJSON(needs.*.result) }}'
echo "Job results: $results"
if echo "$results" | grep -qE '"failure"|"cancelled"'; then
echo "One or more required jobs failed or were cancelled"
exit 1
fi
echo "All jobs passed or were correctly skipped"