
fix(frontend): remediate frontend + extension audit findings #5067

fix(frontend): remediate frontend + extension audit findings

fix(frontend): remediate frontend + extension audit findings #5067

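# Required status check for backend changes.
# The `changes` job classifies the PR's changed files; `backend-required` then
# either passes by policy (no backend paths touched) or compiles, type-checks
# and smoke-tests the backend. Every step of the gate job is conditioned on
# `backend_changed == 'true'` so the job still produces a green check when
# nothing backend-related changed.
name: backend-required
on:
  pull_request:
    branches:
      - main
      - dev
  workflow_dispatch:
permissions:
  contents: read
concurrency:
  # One in-flight run per PR number (per ref on workflow_dispatch); a newer
  # run cancels the older one.
  group: backend-required-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
jobs:
  changes:
    name: Detect Gate Changes
    runs-on: ubuntu-latest
    outputs:
      backend_changed: ${{ steps.detect.outputs.backend_changed }}
      frontend_changed: ${{ steps.detect.outputs.frontend_changed }}
      e2e_changed: ${{ steps.detect.outputs.e2e_changed }}
      security_relevant_changed: ${{ steps.detect.outputs.security_relevant_changed }}
      coverage_required: ${{ steps.detect.outputs.coverage_required }}
    steps:
      - name: Checkout
        # Pinned to a full commit SHA rather than a mutable tag. Full history
        # is fetched so the detect action can diff against the PR base.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          fetch-depth: 0
      - id: detect
        name: Classify changed files
        uses: ./.github/actions/detect-required-gate-changes
  backend-required:
    name: backend-required
    runs-on: ubuntu-latest
    needs: [changes]
    timeout-minutes: 30
    steps:
      - name: No-op pass (backend unchanged)
        if: needs.changes.outputs.backend_changed != 'true'
        run: echo "No backend paths changed; backend-required passed by policy."
      - name: Checkout
        if: needs.changes.outputs.backend_changed == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # The mypy step below runs `git diff BASE_SHA HEAD_SHA`. With the
          # action's default shallow checkout the base commit is not present,
          # `git diff` fails, and the `|| true` in that step turns the failure
          # into "no files changed" — mypy would never run. Full history fixes
          # that and also makes the `HEAD^` fallback resolvable.
          fetch-depth: 0
      - name: Install FFmpeg and PortAudio (Linux)
        if: needs.changes.outputs.backend_changed == 'true'
        uses: ./.github/actions/setup-ffmpeg
        with:
          # Action inputs are strings; quoted on purpose.
          install-ffmpeg: 'false'
          install-portaudio: 'true'
      - name: Setup Python and dependencies
        if: needs.changes.outputs.backend_changed == 'true'
        uses: ./.github/actions/setup-python-deps
        with:
          python-version: "3.12"
          use-uv: "true"
          cache-dependency-path: |
            pyproject.toml
            uv.lock
          extras: dev
      - name: Compile backend modules
        if: needs.changes.outputs.backend_changed == 'true'
        shell: bash
        # Byte-compiles the whole backend package; any syntax error fails the
        # gate. `force=True` ignores existing .pyc files.
        run: |
          python - <<'PY'
          import compileall, sys
          ok = compileall.compile_dir("tldw_Server_API/app", force=True, quiet=1)
          sys.exit(0 if ok else 1)
          PY
      - name: Type check changed backend modules
        if: needs.changes.outputs.backend_changed == 'true'
        id: mypy_changed
        # Advisory only: a mypy failure is reported but does not fail the gate.
        continue-on-error: true
        shell: bash
        env:
          # Workflow expressions are passed in through env instead of being
          # interpolated into the script text, so the shell only ever sees
          # ordinary variables.
          BASE_SHA: ${{ github.event.pull_request.base.sha || github.event.before }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          # On workflow_dispatch (no PR base) or a branch-creation push
          # (all-zero `before`), fall back to the parent of HEAD.
          if [[ -z "${BASE_SHA:-}" || "${BASE_SHA:-}" == "0000000000000000000000000000000000000000" ]]; then
            BASE_SHA="$(git rev-parse HEAD^ 2>/dev/null || true)"
          fi
          if [[ -n "${BASE_SHA:-}" ]]; then
            mapfile -t CHANGED_PY < <(git diff --name-only "$BASE_SHA" "$HEAD_SHA" | grep -E '^tldw_Server_API/.*\.py$' || true)
          else
            # No usable base at all: type-check every tracked backend module.
            mapfile -t CHANGED_PY < <(git ls-files | grep -E '^tldw_Server_API/.*\.py$' || true)
          fi
          if [[ "${#CHANGED_PY[@]}" -eq 0 ]]; then
            echo "No backend Python files changed; skipping mypy."
            exit 0
          fi
          python -m pip install --upgrade pip
          # NOTE(review): mypy is installed unpinned here, so the result of this
          # step depends on whatever version PyPI serves at run time; pin it (or
          # carry it in the `dev` extras installed above) for reproducible runs.
          pip install mypy
          mypy --follow-imports=silent --ignore-missing-imports "${CHANGED_PY[@]}"
      - name: Backend unit smoke
        if: needs.changes.outputs.backend_changed == 'true'
        env:
          PYTHONPATH: .
          # Plugin autoload is disabled and only pytest_asyncio is loaded
          # explicitly, so the smoke run is not affected by stray plugins.
          PYTEST_DISABLE_PLUGIN_AUTOLOAD: "1"
          TEST_MODE: "true"
          DISABLE_HEAVY_STARTUP: "1"
        run: |
          pytest -q --disable-warnings -p pytest_asyncio.plugin \
            -m "unit and not e2e and not jobs" \
            tldw_Server_API/tests/unit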