TeoSlayer · Alexgodoroja · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
@@ -0,0 +1,8 @@
+name: "Pilot Protocol CodeQL config"
+
+query-filters:
+  # False positive: DialTLSPinned uses InsecureSkipVerify with a
+  # VerifyPeerCertificate callback that enforces SHA-256 cert pinning,
+  # which is strictly stronger than CA-based trust.
+  - exclude:
+      id: go/disabled-certificate-check
@@ -0,0 +1,116 @@
+# GitHub Actions Workflows
+
+This directory contains CI/CD workflows for the Pilot Protocol project.
+
+## Workflow Overview
+
+```mermaid
+graph TD
+    A[Push to main/build/**] --> B[Tests Workflow]
+    B --> C[Unit Tests]
+    C --> D[Integration Tests]
+    D --> E[Test Summary]
+    E -->|Success| F[Publish Python SDK]
+    E -->|Failure| G[Stop - No Publish]
+    F --> H{Environment}
+    H -->|main branch| I[Publish to PyPI]
+    H -->|build/** branch| J[Publish to TestPyPI]
+```
+
+## Workflows
+
+### 1. tests.yml (Tests)
+**Triggers:** Push to `main`, `build/**`, `docs/**`, PRs to `main`
+
+**Jobs:**
+- **unit-tests**: Runs Go unit tests (`./tests/...`)
+  - Generates coverage report
+  - Uploads coverage artifact
+  - Timeout: 5 minutes
+
+- **integration-tests**: Runs Docker integration tests
+  - Depends on: unit-tests
+  - Runs CLI tests (21 tests)
+  - Runs Python SDK tests (34 tests)
+  - Timeout: 10 minutes
+
+- **test-summary**: Aggregates results
+  - Depends on: unit-tests, integration-tests
+  - Fails if any test suite fails
+  - Displays summary in GitHub UI
+
+**Total Tests:** 55+ (Go unit tests + 21 CLI + 34 SDK integration tests)
+
+### 2. publish-python-sdk.yml (Build and Publish Python SDK)
+**Triggers:** 
+- Manual workflow dispatch
+- Automatic after "Tests" workflow completes (on `main` or `build/**`)
+
+**Dependencies:**
+- ⚠️ **Requires "Tests" workflow to pass** before publishing
+- Will NOT publish if any tests fail
+
+**Jobs:**
+- **check-tests**: Validates test workflow passed
+- **setup**: Determines environment (production vs test)
+- **build-wheels**: Builds for Linux and macOS
+- **publish**: Publishes to PyPI or TestPyPI
+- **test-install**: Verifies installation works
+
+**Behavior:**
+- `main` branch → Production PyPI
+- `build/**` branches → TestPyPI
+- Manual dispatch → Choose environment
+
+### 3. codeql.yml (Security Analysis)
+**Triggers:** Push to `main`, PRs, weekly schedule
+
+**Purpose:** Security scanning using GitHub CodeQL
+
+## Cost Information
+
+✅ **All workflows use FREE GitHub-hosted runners for public repos:**
+- `ubuntu-latest`: FREE
+- `macos-latest`: FREE
+
+**Total Cost: $0/month**
+
+## Testing Locally
+
+```bash
+# Run all tests
+make test
+
+# Run integration tests only
+cd tests/integration && make test
+
+# Run unit tests only
+go test -v ./tests/...
+```
+
+## Workflow Dependencies
+
+```
+Tests Workflow (tests.yml)
+    ↓
+    ├─ Unit Tests (Go)
+    ├─ Integration Tests (Docker: CLI + SDK)
+    └─ Test Summary
+         ↓
+         └─ (on success) triggers →
+              ↓
+         Publish Python SDK (publish-python-sdk.yml)
+              ↓
+              ├─ Build Wheels
+              ├─ Publish to PyPI/TestPyPI
+              └─ Verify Installation
+```
+
+## Key Features
+
+1. **Test-First Publishing**: SDK only publishes after ALL tests pass
+2. **Multi-Platform**: Builds Linux and macOS wheels
+3. **Coverage Reports**: Automatic coverage generation and artifact upload
+4. **Environment Safety**: Test environment (TestPyPI) for `build/**` branches
+5. **Comprehensive Testing**: Unit + Integration (CLI + SDK) tests
+6. **Free Runners**: Zero cost for public repository
@@ -0,0 +1,152 @@
+name: Apply Network Configs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'configs/networks/*.json'
+  workflow_dispatch:
+
+concurrency:
+  group: apply-networks
+  cancel-in-progress: false
+
+env:
+  PILOT_REGISTRY: "34.71.57.205:9000"
+
+jobs:
+  detect:
+    name: Detect changes
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.diff.outputs.changed }}
+      deleted: ${{ steps.diff.outputs.deleted }}
+      has_changes: ${{ steps.diff.outputs.has_changes }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Detect changed and deleted configs
+        id: diff
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            # Manual run: apply all existing configs, no deletes
+            CHANGED=$(find configs/networks -name '*.json' | jq -R -s -c 'split("\n") | map(select(length > 0))')
+            DELETED="[]"
+          else
+            CHANGED=$(git diff --name-only --diff-filter=ACMR HEAD~1 HEAD -- 'configs/networks/*.json' | jq -R -s -c 'split("\n") | map(select(length > 0))')
+            DELETED=$(git diff --name-only --diff-filter=D HEAD~1 HEAD -- 'configs/networks/*.json' | jq -R -s -c 'split("\n") | map(select(length > 0))')
+          fi
+          echo "changed=$CHANGED" >> "$GITHUB_OUTPUT"
+          echo "deleted=$DELETED" >> "$GITHUB_OUTPUT"
+          if [ "$CHANGED" = "[]" ] && [ "$DELETED" = "[]" ]; then
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+          fi
+          echo "Changed: $CHANGED"
+          echo "Deleted: $DELETED"
+
+  apply:
+    name: Apply
+    needs: detect
+    if: needs.detect.outputs.has_changes == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Build pilotctl
+        run: CGO_ENABLED=0 go build -o pilotctl ./cmd/pilotctl/
+
+      - name: Validate configs
+        if: fromJSON(needs.detect.outputs.changed)[0] != null
+        run: |
+          for f in ${{ join(fromJSON(needs.detect.outputs.changed), ' ') }}; do
+            echo "Validating $f..."
+            ./pilotctl policy validate --file <(jq '.expr_policy' "$f") || {
+              echo "::error::Validation failed for $f"
+              exit 1
+            }
+          done
+
+      - name: Apply changed configs
+        if: fromJSON(needs.detect.outputs.changed)[0] != null
+        env:
+          PILOT_ADMIN_TOKEN: ${{ secrets.PILOT_ADMIN_TOKEN }}
+        run: |
+          FAILED=0
+          for f in ${{ join(fromJSON(needs.detect.outputs.changed), ' ') }}; do
+            NAME=$(jq -r '.name' "$f")
+            echo "Applying $f (network: $NAME)..."
+            if ./pilotctl provision "$f" -json; then
+              echo "Applied $NAME"
+            else
+              echo "::error::Failed to apply $f"
+              FAILED=1
+            fi
+          done
+          if [ "$FAILED" = "1" ]; then
+            exit 1
+          fi
+
+      - name: Delete removed networks
+        if: fromJSON(needs.detect.outputs.deleted)[0] != null
+        env:
+          PILOT_ADMIN_TOKEN: ${{ secrets.PILOT_ADMIN_TOKEN }}
+        run: |
+          FAILED=0
+          for f in ${{ join(fromJSON(needs.detect.outputs.deleted), ' ') }}; do
+            # Recover the name from the deleted file in the previous commit
+            NAME=$(git show HEAD~1:"$f" | jq -r '.name')
+            if [ -z "$NAME" ] || [ "$NAME" = "null" ]; then
+              echo "::warning::Could not extract name from deleted $f, skipping"
+              continue
+            fi
+            echo "Deleting network $NAME (from $f)..."
+            if ./pilotctl deprovision "$NAME" -json; then
+              echo "Deleted $NAME"
+            else
+              echo "::error::Failed to delete network $NAME"
+              FAILED=1
+            fi
+          done
+          if [ "$FAILED" = "1" ]; then
+            exit 1
+          fi
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Apply Network Configs" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+
+          CHANGED='${{ needs.detect.outputs.changed }}'
+          DELETED='${{ needs.detect.outputs.deleted }}'
+
+          if [ "$CHANGED" != "[]" ]; then
+            echo "**Applied:**" >> "$GITHUB_STEP_SUMMARY"
+            echo "$CHANGED" | jq -r '.[]' | while read -r f; do
+              if [ -f "$f" ]; then
+                NAME=$(jq -r '.name' "$f")
+                echo "- \`$NAME\` ($f)" >> "$GITHUB_STEP_SUMMARY"
+              fi
+            done
+          fi
+
+          if [ "$DELETED" != "[]" ]; then
+            echo "" >> "$GITHUB_STEP_SUMMARY"
+            echo "**Deleted:**" >> "$GITHUB_STEP_SUMMARY"
+            echo "$DELETED" | jq -r '.[]' | while read -r f; do
+              echo "- $f" >> "$GITHUB_STEP_SUMMARY"
+            done
+          fi
+
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "**Triggered by:** ${{ github.actor }}" >> "$GITHUB_STEP_SUMMARY"
@@ -0,0 +1,83 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  go:
+    name: Go (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Build
+        run: |
+          go build ./cmd/daemon
+          go build ./cmd/registry
+          go build ./cmd/beacon
+          go build ./cmd/rendezvous
+          go build ./cmd/pilotctl
+          go build ./cmd/nameserver
+          go build ./cmd/gateway
+          go build ./cmd/updater
+
+      - name: Test
+        run: go test -parallel 4 -count=1 -timeout 120s ./tests/ ./pkg/beacon/
+
+      - name: Coverage
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          cd tests && go test -parallel 4 -count=1 -coverprofile=coverage.out -covermode=atomic -timeout 120s
+          go tool cover -func=coverage.out | tail -1
+
+  website:
+    name: Website
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: web
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: web/package-lock.json
+
+      - name: Install
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+  node-sdk:
+    name: Node SDK
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: sdk/node
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - run: npm ci
+      - run: npm run build
+      - run: npm test
@@ -0,0 +1,29 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1" # weekly, Monday 6 AM UTC
+
+jobs:
+  analyze:
+    name: Analyze Go
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: go
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - uses: github/codeql-action/autobuild@v3
+
+      - uses: github/codeql-action/analyze@v3