ci: add integration tests with Docker Compose and Trivy container sca… #21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ============================================================================= | |
| # CI — Lint, Format, Test on every push and PR | |
| # ============================================================================= | |
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUSTFLAGS: "-D warnings" | |
| jobs: | |
| fmt: | |
| name: Format | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - run: cargo fmt --all --check | |
| clippy: | |
| name: Clippy | |
| runs-on: ubuntu-latest | |
| needs: fmt | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - name: Install protoc | |
| run: sudo apt-get update && sudo apt-get install -y protobuf-compiler | |
| - uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/bin/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: ${{ runner.os }}-cargo-clippy-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-clippy- | |
| - run: cargo clippy --workspace -- -D warnings | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| needs: fmt | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - name: Install protoc | |
| run: sudo apt-get update && sudo apt-get install -y protobuf-compiler | |
| - uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/bin/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-test- | |
| - run: cargo test --workspace | |
| # --------------------------------------------------------------------------- | |
| # Integration tests — run ignored tests against real Docker Compose services | |
| # --------------------------------------------------------------------------- | |
| integration: | |
| name: Integration Tests | |
| runs-on: ubuntu-latest | |
| needs: test | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - name: Install protoc | |
| run: sudo apt-get update && sudo apt-get install -y protobuf-compiler | |
| - uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/bin/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: ${{ runner.os }}-cargo-integration-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-integration- | |
| - name: Start infrastructure services | |
| run: docker compose up -d --wait clickhouse postgres redis | |
| env: | |
| CLICKHOUSE_PORT: "8123" | |
| CLICKHOUSE_NATIVE_PORT: "9000" | |
| CLICKHOUSE_DATABASE: llmtrace | |
| POSTGRES_USER: llmtrace | |
| POSTGRES_PASSWORD: llmtrace | |
| POSTGRES_DB: llmtrace | |
| REDIS_PORT: "6379" | |
| - name: Verify service health | |
| run: | | |
| echo "Checking ClickHouse..." | |
| docker compose exec -T clickhouse wget --spider -q http://localhost:8123/ping | |
| echo "Checking PostgreSQL..." | |
| docker compose exec -T postgres pg_isready -U llmtrace | |
| echo "Checking Redis..." | |
| docker compose exec -T redis redis-cli ping | |
| echo "All services healthy." | |
| - name: Run integration tests | |
| env: | |
| LLMTRACE_CLICKHOUSE_URL: http://localhost:8123 | |
| LLMTRACE_CLICKHOUSE_DATABASE: llmtrace | |
| LLMTRACE_POSTGRES_URL: postgres://llmtrace:llmtrace@localhost:5432/llmtrace | |
| LLMTRACE_REDIS_URL: redis://127.0.0.1:6379 | |
| run: cargo test --workspace --features "clickhouse,postgres,redis_backend" -- --ignored | |
| - name: Stop services | |
| if: always() | |
| run: docker compose down -v | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| needs: [clippy, test] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - name: Install protoc | |
| run: sudo apt-get update && sudo apt-get install -y protobuf-compiler | |
| - uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/bin/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-build- | |
| - run: cargo build --workspace --release | |
| # --------------------------------------------------------------------------- | |
| # Container scan (advisory) — scan Docker image on PRs, don't fail | |
| # --------------------------------------------------------------------------- | |
| trivy-scan: | |
| name: Trivy Container Scan | |
| runs-on: ubuntu-latest | |
| needs: build | |
| permissions: | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image for scanning | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: false | |
| load: true | |
| tags: llmtrace-proxy:scan | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.31.0 | |
| with: | |
| image-ref: llmtrace-proxy:scan | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH | |
| exit-code: "0" | |
| - name: Upload Trivy SARIF to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: trivy-results.sarif |