docs: add defense via tool result parsing research analysis #51

Workflow file for this run

# =============================================================================
# CI — Lint, Format, Test on every push and PR
# =============================================================================
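name: CI

# Runs on pushes to main and on pull requests targeting main. Pull-request
# runs build and execute code from the PR branch (cargo build scripts, tests,
# the Dockerfile), so the workflow token is kept as narrow as possible.
#
# NOTE(review): every `uses:` below references a mutable tag or branch
# (`@v4`, `@v3`, `@v6`, `@stable`, `@0.31.0`). Pinning each action to a full
# commit SHA keeps a retargeted tag from changing what runs with this
# workflow's token. The SHAs are not visible on this page, so they are not
# filled in here.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: without this block the token gets the repository or
# organisation default, which may include write scopes. Jobs that need more
# (see trivy-scan) widen it locally.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  # Treat every rustc warning as an error in all jobs.
  RUSTFLAGS: "-D warnings"

jobs:
  fmt:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the token in
          # .git/config where PR-controlled build or test code could read it.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      - run: cargo fmt --all --check

  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    needs: fmt
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-clippy-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-clippy-
      - run: cargo clippy --workspace -- -D warnings

  test:
    name: Test
    runs-on: ubuntu-latest
    needs: fmt
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-test-
      - run: cargo test --workspace

  # ---------------------------------------------------------------------------
  # Integration tests — run ignored tests against real Docker Compose services
  # ---------------------------------------------------------------------------
  integration:
    name: Integration Tests
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-integration-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-integration-
      - name: Start infrastructure services
        run: docker compose up -d clickhouse postgres redis
        # Fixed credentials for throwaway service containers on the runner.
        # NOTE(review): presumably the compose file only uses these for CI and
        # local development; confirm they are never reused for a real
        # deployment.
        env:
          CLICKHOUSE_PORT: "8123"
          CLICKHOUSE_NATIVE_PORT: "9000"
          CLICKHOUSE_DATABASE: llmtrace
          POSTGRES_USER: llmtrace
          POSTGRES_PASSWORD: llmtrace
          POSTGRES_DB: llmtrace
          REDIS_PORT: "6379"
      - name: Wait for services to be ready
        # Each loop polls every 2 seconds and fails the job, after dumping the
        # service's logs, once its attempt budget is used up. The success
        # messages count attempts rather than seconds, because an attempt is
        # not one second long.
        run: |
          echo "Waiting for ClickHouse..."
          for i in $(seq 1 60); do
            if curl -sf http://localhost:8123/ping >/dev/null 2>&1; then
              echo "ClickHouse ready after ${i} attempt(s)"
              break
            fi
            if [ "$i" -eq 60 ]; then
              echo "ClickHouse failed after 60 attempts"
              docker compose logs clickhouse
              exit 1
            fi
            sleep 2
          done
          echo "Waiting for PostgreSQL..."
          for i in $(seq 1 30); do
            if docker compose exec -T postgres pg_isready -U llmtrace >/dev/null 2>&1; then
              echo "PostgreSQL ready after ${i} attempt(s)"
              break
            fi
            if [ "$i" -eq 30 ]; then
              echo "PostgreSQL failed after 30 attempts"
              docker compose logs postgres
              exit 1
            fi
            sleep 2
          done
          echo "Waiting for Redis..."
          for i in $(seq 1 30); do
            if docker compose exec -T redis redis-cli ping >/dev/null 2>&1; then
              echo "Redis ready after ${i} attempt(s)"
              break
            fi
            if [ "$i" -eq 30 ]; then
              echo "Redis failed after 30 attempts"
              docker compose logs redis
              exit 1
            fi
            sleep 2
          done
          echo "All services ready."
      - name: Run integration tests
        env:
          LLMTRACE_CLICKHOUSE_URL: http://localhost:8123
          LLMTRACE_CLICKHOUSE_DATABASE: llmtrace
          LLMTRACE_POSTGRES_URL: postgres://llmtrace:llmtrace@localhost:5432/llmtrace
          LLMTRACE_REDIS_URL: redis://127.0.0.1:6379
        run: cargo test --workspace --features "clickhouse,postgres,redis_backend" -- --ignored
      - name: Stop services
        # Tear down containers and volumes even when an earlier step failed.
        if: always()
        run: docker compose down -v

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [clippy, test]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-build-
      - run: cargo build --workspace --release

  # ---------------------------------------------------------------------------
  # Container scan (advisory) — scan Docker image on PRs, don't fail
  # ---------------------------------------------------------------------------
  trivy-scan:
    name: Trivy Container Scan
    runs-on: ubuntu-latest
    needs: build
    # A job-level permissions block replaces the workflow-level one, and any
    # scope not listed here becomes `none`. `contents: read` is therefore
    # restated so checkout keeps working if the repository is private.
    # NOTE(review): private repositories may also need `actions: read` for the
    # SARIF upload; verify against the upload-sarif documentation.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Docker image for scanning
        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          load: true
          tags: llmtrace-proxy:scan
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.31.0
        with:
          image-ref: llmtrace-proxy:scan
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          # Advisory only: findings are reported through SARIF and never fail
          # the job, so triage has to happen in the code-scanning alerts.
          exit-code: "0"
      - name: Upload Trivy SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        # NOTE(review): `always()` also runs this step when the image build or
        # the scan failed and no SARIF file exists. On pull requests from
        # forks the token is read-only, so the upload is expected to fail
        # there. Confirm that both outcomes are acceptable for an advisory job.
        if: always()
        with:
          sarif_file: trivy-results.sarif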