Dissect/.github/workflows/ci.yml at main · AI8-Algorithm-Intelligence-Section-8/Dissect · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
name: CI

on:
  push:
    branches: [ main, master ]
  pull_request:
    branches: [ main, master ]

jobs:
  build-test-security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Cache pip
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements*.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
          if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
          pip install pytest pytest-cov coverage
          pip install bandit pip-audit

      - name: Run tests with coverage (threshold 60%)
        run: |
          pytest --maxfail=1 --disable-warnings -q \
            --cov=. --cov-report=term-missing --cov-fail-under=60

      - name: Upload coverage to artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: coverage-report
          path: |
            ./.coverage*
            ./htmlcov/**
          if-no-files-found: ignore

      - name: Security scan (Bandit)
        run: |
          bandit -r . -x tests -lll -q || (echo "Bandit found issues" && exit 1)

      - name: Security scan (pip-audit)
        run: |
          pip-audit --strict || (echo "pip-audit found vulnerable dependencies" && exit 1)