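# CI pipeline for Palinode — runs on every push and pull_request to any branch.
#
# Jobs:
# 1. unit-tests — fast feedback on core logic (no external services)
# 2. integration-tests — tests/integration/ (may need Ollama; continue-on-error)
# 3. mcp-tool-coverage — release-blocking MCP tool gate (#346)
# 4. security-scan — bandit (code) + pip-audit (dependencies)
#
# Third-party actions are referenced by moving major tag (@v4 / @v5). Pinning
# each `uses:` to a full commit SHA makes the workflow's supply chain
# reproducible; the SHAs are not recorded here, so that is left to maintainers.

name: CI

# Least privilege for the job token: none of the jobs below push, comment on
# PRs, or publish artifacts, so the read-only contents scope is sufficient.
# Without this block the token inherits the repository's default permissions,
# which may be read/write.
permissions:
  contents: read

env:
  # GitHub coerces env values to strings; quoting keeps the YAML type explicit
  # rather than relying on bool -> "true" coercion.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it, generic linters
# may not.
on:  # yamllint disable-line rule:truthy
  push:
  pull_request:

jobs:
  # ---------------------------------------------------------------------------
  # Unit tests — should never need network access or Ollama.
  # All embeddings / LLM calls are mocked in the test suite.
  # ---------------------------------------------------------------------------
  unit-tests:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so "3.11"/"3.12" stay strings (unquoted 3.10 would be 3.1).
        python-version: ["3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: "${{ matrix.python-version }}"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Assert palinode resolves to the checked-out tree
        # Regression guard for editable installs: palinode.__file__ must
        # resolve under GITHUB_WORKSPACE, not some other site-packages path.
        # `[[ ... != pattern ]]` is bash-only; declare the shell explicitly
        # rather than relying on the runner default.
        shell: bash
        run: |
          RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
          echo "palinode.__file__ = $RESOLVED"
          if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then
            echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)"
            echo " Got: $RESOLVED"
            exit 1
          fi
      - name: Run unit tests (excluding integration)
        # -x: stop at first failure, -q: quiet; tests/live is excluded as well.
        run: python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live

  # ---------------------------------------------------------------------------
  # Integration tests — run against tests/integration/.
  #
  # These tests do not require Ollama directly (embeddings are stubbed), but
  # they do spin up FastAPI in-process and exercise the full save/search loop
  # against a real SQLite database in a temp directory.
  #
  # continue-on-error: true — any test tagged @pytest.mark.slow that needs
  # a live Ollama instance will fail here; that is expected in CI.
  # Run the full suite locally against a host with Ollama for full coverage.
  # ---------------------------------------------------------------------------
  integration-tests:
    runs-on: ubuntu-latest
    env:
      # Keeps test state out of the checkout and out of the runner's home dir.
      PALINODE_DIR: /tmp/palinode-ci-test
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run integration tests
        # Integration tests that need Ollama will be skipped in CI;
        # run locally against a host with Ollama for full Ollama-backed coverage.
        run: python -m pytest tests/integration/ -x -q
        # Job still reports success when this step fails; check the step log.
        continue-on-error: true

  # ---------------------------------------------------------------------------
  # MCP tool coverage — release-blocking gate (#346, parent #342).
  #
  # Runs the in-process (Phase 1) and stdio (Phase 2) MCP tool-coverage
  # tests WITHOUT continue-on-error. A failure here blocks the PR.
  # The drift guard in test_mcp_e2e.py ensures new tools cannot ship
  # without smoke-args coverage.
  # ---------------------------------------------------------------------------
  mcp-tool-coverage:
    runs-on: ubuntu-latest
    env:
      PALINODE_DIR: /tmp/palinode-ci-mcp
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run MCP tool-coverage tests
        run: python -m pytest tests/integration/test_mcp_e2e.py tests/integration/test_mcp_stdio.py -v

  # ---------------------------------------------------------------------------
  # Security scans — informational (continue-on-error: true on pip-audit).
  #
  # bandit: static analysis for common Python security issues
  # pip-audit: checks installed packages against known vulnerability databases
  #
  # Both scanners are installed unpinned, so their rule sets and the audited
  # advisory data can change between runs; pin versions if reproducibility of
  # the scan itself matters.
  # ---------------------------------------------------------------------------
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
          pip install bandit pip-audit
      - name: Run bandit (static security analysis)
        # -r: recursive, -ll: medium+ severity, -q: quiet output.
        # This step is NOT continue-on-error: a medium+ bandit finding fails
        # the job.
        run: bandit -r palinode/ -ll -q
      - name: Run pip-audit (dependency vulnerability check)
        # Audits the environment installed above (runtime + [dev] extras).
        # continue-on-error: known-vulnerability lists drift; treat as
        # informational — findings appear in the log but never block a merge.
        run: pip-audit
        continue-on-error: true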