|
| 1 | +# Public-mirror CI (fork-safe). Runs on every push + community PR. |
| 2 | +# |
| 3 | +# SECURITY POSTURE (do not weaken): |
| 4 | +# * permissions: contents: read ONLY — no write scope. |
| 5 | +# * NO secrets are referenced — so a fork PR can never exfiltrate one. |
| 6 | +# * trigger is `pull_request` (NOT `pull_request_target`) — the classic |
| 7 | +# fork-secret footgun is intentionally avoided. |
| 8 | +# |
| 9 | +# The internal-vocabulary (blackbox) gate + contract/conformance run in the |
| 10 | +# UPSTREAM monorepo when a community PR is upstreamed — deliberately NOT here: |
| 11 | +# shipping the internal-term blocklist into a public repo would itself leak |
| 12 | +# internal architecture vocabulary. So this CI covers lint / type / test / |
| 13 | +# secret-scan; every PR is vocabulary-checked at the upstream step, and the |
| 14 | +# mirror is only ever refreshed from the (already-clean) monorepo. |
| 15 | +name: ci |
| 16 | + |
| 17 | +on: |
| 18 | + push: |
| 19 | + branches: [main] |
| 20 | + pull_request: |
| 21 | + |
| 22 | +permissions: |
| 23 | + contents: read |
| 24 | + |
| 25 | +concurrency: |
| 26 | + group: ci-${{ github.ref }} |
| 27 | + cancel-in-progress: true |
| 28 | + |
| 29 | +jobs: |
| 30 | + test: |
| 31 | + runs-on: ubuntu-latest |
| 32 | + steps: |
| 33 | + - uses: actions/checkout@v4 |
| 34 | + - uses: actions/setup-python@v5 |
| 35 | + with: |
| 36 | + python-version: '3.12' |
| 37 | + - name: Install (editable + dev extras) |
| 38 | + run: python -m pip install -e ".[dev]" |
| 39 | + - name: Lint (ruff) |
| 40 | + run: python -m ruff check . |
| 41 | + - name: Format check (ruff) |
| 42 | + run: python -m ruff format --check . |
| 43 | + - name: Typecheck |
| 44 | + run: python -m pyright . || python -m mypy . # whichever the package uses |
| 45 | + - name: Tests |
| 46 | + run: python -m pytest |
| 47 | + |
| 48 | + secret-scan: |
| 49 | + runs-on: ubuntu-latest |
| 50 | + steps: |
| 51 | + - uses: actions/checkout@v4 |
| 52 | + - uses: actions/setup-python@v5 |
| 53 | + with: |
| 54 | + python-version: '3.12' |
| 55 | + - name: detect-secrets (against the shipped baseline) |
| 56 | + run: | |
| 57 | + python -m pip install detect-secrets==1.5.0 |
| 58 | + # .secrets.baseline is scaffolded per repo; fail if any NEW secret appears. |
| 59 | + detect-secrets scan --baseline .secrets.baseline |
| 60 | + git diff --exit-code .secrets.baseline || { |
| 61 | + echo "::error::New secrets detected — review and update .secrets.baseline deliberately."; exit 1; } |
0 commit comments