llmtrace/.github/workflows/ci.yml at b08dccc9033f03115239f4b85390c4f123904de8 · techlab-innov/llmtrace · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
# =============================================================================
# CI — Lint, Format, Test on every push and PR
# =============================================================================
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  CARGO_TERM_COLOR: always
  RUSTFLAGS: "-D warnings"

jobs:
  fmt:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      - run: cargo fmt --all --check

  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    needs: fmt
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-clippy-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-clippy-
      - run: cargo clippy --workspace -- -D warnings

  test:
    name: Test
    runs-on: ubuntu-latest
    needs: fmt
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-test-
      - run: cargo test --workspace

  # ---------------------------------------------------------------------------
  # Integration tests — run ignored tests against real Docker Compose services
  # ---------------------------------------------------------------------------
  integration:
    name: Integration Tests
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-integration-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-integration-

      - name: Start infrastructure services
        run: docker compose up -d clickhouse postgres redis
        env:
          CLICKHOUSE_PORT: "8123"
          CLICKHOUSE_NATIVE_PORT: "9000"
          CLICKHOUSE_DATABASE: llmtrace
          POSTGRES_USER: llmtrace
          POSTGRES_PASSWORD: llmtrace
          POSTGRES_DB: llmtrace
          REDIS_PORT: "6379"

      - name: Wait for services to be ready
        run: |
          echo "Waiting for ClickHouse..."
          for i in $(seq 1 60); do
            if curl -sf http://localhost:8123/ping >/dev/null 2>&1; then
              echo "ClickHouse ready after ${i}s"
              break
            fi
            if [ "$i" -eq 60 ]; then
              echo "ClickHouse failed after 60 attempts"
              docker compose logs clickhouse
              exit 1
            fi
            sleep 2
          done
          echo "Waiting for PostgreSQL..."
          for i in $(seq 1 30); do
            if docker compose exec -T postgres pg_isready -U llmtrace >/dev/null 2>&1; then
              echo "PostgreSQL ready after ${i}s"
              break
            fi
            if [ "$i" -eq 30 ]; then
              echo "PostgreSQL failed after 30 attempts"
              docker compose logs postgres
              exit 1
            fi
            sleep 2
          done
          echo "Waiting for Redis..."
          for i in $(seq 1 30); do
            if docker compose exec -T redis redis-cli ping >/dev/null 2>&1; then
              echo "Redis ready after ${i}s"
              break
            fi
            if [ "$i" -eq 30 ]; then
              echo "Redis failed after 30 attempts"
              docker compose logs redis
              exit 1
            fi
            sleep 2
          done
          echo "All services ready."

      - name: Run integration tests
        env:
          LLMTRACE_CLICKHOUSE_URL: http://localhost:8123
          LLMTRACE_CLICKHOUSE_DATABASE: llmtrace
          LLMTRACE_POSTGRES_URL: postgres://llmtrace:llmtrace@localhost:5432/llmtrace
          LLMTRACE_REDIS_URL: redis://127.0.0.1:6379
        run: cargo test --workspace --features "clickhouse,postgres,redis_backend" -- --ignored

      - name: Stop services
        if: always()
        run: docker compose down -v

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [clippy, test]
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: Install protoc
        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-build-
      - run: cargo build --workspace --release

  # ---------------------------------------------------------------------------
  # Container scan (advisory) — scan Docker image on PRs, don't fail
  # ---------------------------------------------------------------------------
  trivy-scan:
    name: Trivy Container Scan
    runs-on: ubuntu-latest
    needs: build
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image for scanning
        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          load: true
          tags: llmtrace-proxy:scan
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.31.0
        with:
          image-ref: llmtrace-proxy:scan
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          exit-code: "0"

      - name: Upload Trivy SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif