Files
graphify/.github/workflows/ci.yml
T
nucleusjay 39afb2d8ef Wire bandit and pip-audit into CI
bandit, pip-audit, and safety are already declared in the dev dependency
group but nothing in CI invokes them, so a new HIGH-severity finding or
a newly-disclosed CVE in a pinned dep can land without anyone noticing
until the next manual audit.

Add a security-scan job that runs bandit (-ll, HIGH-severity only) and
pip-audit (--strict) on every push and PR. Marked continue-on-error so
this doesn't block PRs on pre-existing findings -- a follow-up should
do the cleanup pass and flip the flag.

safety intentionally omitted: it requires a free-tier API key for the
new commercial backend, which is a setup burden for forks. pip-audit
covers the same ground using the PyPI JSON advisory feed and OSV.
2026-06-09 03:36:44 -04:00

107 lines
3.8 KiB
YAML

name: CI
on:
push:
branches: ["v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "main"]
pull_request:
branches: ["v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "main"]
workflow_dispatch:
jobs:
skillgen-check:
# Fast lint-style guard: the skill files under graphify/ are generated from
# the fragments in tools/skillgen/. This fails if someone hand-edited a
# generated file or forgot to re-run the generator and bless expected/, and it
# runs the build-time validators that guard per-host coverage, the file_type
# enum, the monolith round-trips, and the always-on round-trips.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
# The audit-coverage, monolith-roundtrip, and always-on-roundtrip
# validators read blobs from origin/v8. A shallow checkout omits that
# ref, so fetch the full history here and the validators run for real
# (rather than skipping). The other jobs stay shallow.
fetch-depth: 0
- name: Install uv
uses: astral-sh/setup-uv@v8.1.0
with:
python-version: "3.12"
# --frozen keeps uv from re-resolving and rewriting uv.lock as a side
# effect of `uv run`; the lock is committed and must not churn in CI.
- name: Check generated skill artifacts are up to date
run: uv run --frozen python -m tools.skillgen --check
- name: Audit per-host v8 coverage
run: uv run --frozen python -m tools.skillgen --audit-coverage
- name: Check the file_type enum is a singleton
run: uv run --frozen python -m tools.skillgen --schema-singleton
- name: Round-trip the monoliths against v8
run: uv run --frozen python -m tools.skillgen --monolith-roundtrip
- name: Round-trip the always-on blocks against v8
run: uv run --frozen python -m tools.skillgen --always-on-roundtrip
test:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.10", "3.12"]
steps:
- uses: actions/checkout@v6
with:
# test_skillgen.py reads pre-split skill bodies from the immutable
# baseline commit via `git show`; a shallow checkout omits that history
# and the baseline tests fail. Full history mirrors the skillgen-check job.
fetch-depth: 0
- name: Install uv
uses: astral-sh/setup-uv@v8.1.0
with:
python-version: ${{ matrix.python-version }}
# --frozen installs straight from the committed uv.lock without re-resolving
# or rewriting it, so CI never churns the lock.
- name: Install dependencies
run: uv sync --all-extras --frozen
- name: Run tests
run: uv run --frozen pytest tests/ -q --tb=short
- name: Verify install works end-to-end
run: |
uv run --frozen graphify --help
uv run --frozen graphify install
security-scan:
# The dev deps already include bandit, pip-audit, and safety. Run them in
# CI so a new HIGH-severity finding or vulnerable dependency is caught on
# the PR that introduces it, rather than at the next manual audit.
# Non-blocking for now (continue-on-error) to avoid breaking CI on
# pre-existing findings; remove continue-on-error after the initial
# cleanup pass.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install uv
uses: astral-sh/setup-uv@v8.1.0
with:
python-version: "3.12"
- name: Install dependencies
run: uv sync --frozen
- name: bandit (static security analysis)
continue-on-error: true
run: uv run --frozen bandit -r graphify -ll
- name: pip-audit (dependency vulnerabilities)
continue-on-error: true
run: uv run --frozen pip-audit --strict