complete visible execution lifecycle #124
| name: CI | |
| on: | |
| push: | |
| branches: [master, main, 'feature/**'] | |
| pull_request: | |
| branches: [master, main] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| lint-type: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: ['3.11', '3.12'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| cache: pip | |
| - name: Install | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Lint (ruff) | |
| run: ruff check src/linuxagent/ tests/ | |
| - name: Type check (mypy) | |
| run: mypy src/linuxagent/ | |
| unit-tests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| cache: pip | |
| - name: Install | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Unit tests | |
| run: pytest tests/unit/ --cov=linuxagent --cov-report=term-missing --cov-report=xml --cov-report=html --cov-fail-under=80 | |
| - name: Upload coverage report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-report | |
| path: | | |
| coverage.xml | |
| htmlcov/ | |
| if-no-files-found: error | |
| integration-tests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| cache: pip | |
| - name: Install | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Integration tests | |
| run: make integration | |
| sandbox-tests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| cache: pip | |
| - name: Install | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Sandbox boundary tests | |
| run: make sandbox | |
| security-redlines: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: R-QUAL-02/03 code structure | |
| run: python scripts/check_code_rules.py | |
| - name: R-SEC-01 ban shell=True | |
| run: '! grep -rn "shell=True" src/linuxagent/' | |
| - name: R-SEC-03 ban AutoAddPolicy | |
| run: '! grep -rn "AutoAddPolicy" src/linuxagent/' | |
| - name: R-QUAL-01 ban bare except | |
| run: '! grep -rnE "^[[:space:]]*except:[[:space:]]*$" src/linuxagent/' | |
| - name: R-HITL-05 no input() in graph | |
| run: | | |
| if [ -d src/linuxagent/graph ]; then | |
| ! grep -rn "input(" src/linuxagent/graph/ | |
| fi | |
| - name: Sandbox bypass red-lines | |
| run: python scripts/check_sandbox_rules.py | |
| - name: bandit | |
| run: | | |
| pip install "bandit>=1.7,<2.0" | |
| bandit -q -r src/linuxagent/ -ll | |
| harness: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| cache: pip | |
| - name: Install | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Harness | |
| run: make harness | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| cache: pip | |
| - name: Install | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Verify build | |
| run: make verify-build |
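Review bot: The workflow declares no `permissions:` block, so every job runs with whatever default GITHUB_TOKEN scope the repository grants, even though none of the jobs here needs more than read access to check out the code and upload an artifact; add `permissions:` / `  contents: read` at the top level, next to `concurrency:`, so the token is least-privilege by construction. In the same spirit, `actions/checkout@v4`, `actions/setup-python@v5` and `actions/upload-artifact@v4` are referenced by mutable major tags, which means a moved tag changes what runs on every push and pull request; pinning each to its full commit SHA (for example `actions/checkout@<FULL_COMMIT_SHA>  # v4`, with the real SHA filled in) with Dependabot keeping the comment current gives a reproducible, auditable supply chain. The `bandit` step installs from an unpinned range (`bandit>=1.7,<2.0`), so its findings can change between runs without any change to the code under test; consider pinning it to the same exact version the `[dev]` extra uses. Finally, the `! grep` red-line checks pass vacuously if `src/linuxagent/` is absent (grep exits 2, the negation turns that into success), so a renamed source tree would silently disable R-SEC-01/03 and R-QUAL-01; a preceding `test -d src/linuxagent/` step would make that failure visible.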