-
Notifications
You must be signed in to change notification settings - Fork 0
82 lines (76 loc) · 3.11 KB
/
Copy pathci.yml
File metadata and controls
82 lines (76 loc) · 3.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# Public-mirror CI (fork-safe). Runs on every push + community PR.
#
# SECURITY POSTURE (do not weaken):
# * permissions: contents: read ONLY — no write scope.
# * NO secrets are referenced — so a fork PR can never exfiltrate one.
# * trigger is `pull_request` (NOT `pull_request_target`) — the classic
# fork-secret footgun is intentionally avoided.
#
# The internal-vocabulary (blackbox) gate + contract/conformance run in the
# UPSTREAM monorepo when a community PR is upstreamed — deliberately NOT here:
# shipping the internal-term blocklist into a public repo would itself leak
# internal architecture vocabulary. So this CI covers lint / format / test /
# secret-scan; every PR is vocabulary-checked at the upstream step, and the
# mirror is only ever refreshed from the (already-clean) monorepo.
name: ci
on:
push:
branches: [main]
pull_request:
permissions:
contents: read
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install (editable + dev extras)
run: python -m pip install -e ".[dev]"
- name: Lint (ruff)
run: python -m ruff check .
- name: Format check (ruff)
run: python -m ruff format --check .
- name: Tests
run: python -m pytest
secret-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: detect-secrets (against the shipped baseline)
run: |
python -m pip install detect-secrets==1.5.0
# detect-secrets-hook exits non-zero ONLY on NEW, un-baselined secrets.
# (A plain `scan --baseline` + `git diff --exit-code` would ALWAYS fail:
# detect-secrets rewrites the baseline's `generated_at` timestamp every
# run, so the diff is never empty even with zero findings.)
git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
# DCO (§7d): every PR commit must carry a Signed-off-by trailer. Fork-safe —
# read-only, no secrets, plain git; complements (does not require) the DCO
# GitHub App. Push events skip it: only refresh commits land on main, and
# they are generated by the release identity, not community contributions.
dco:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Sign-off check (git commit -s)
run: |
missing=0
for sha in $(git rev-list "${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"); do
if ! git log -1 --format=%B "$sha" | grep -Eq '^Signed-off-by: .+ <.+>'; then
echo "::error::commit $sha lacks a Signed-off-by trailer — amend with: git rebase --signoff"
missing=1
fi
done
exit $missing