-
Notifications
You must be signed in to change notification settings - Fork 0
90 lines (86 loc) · 2.99 KB
/
Copy pathci.yml
File metadata and controls
90 lines (86 loc) · 2.99 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: CI
on:
push:
branches: [main, develop, homologation]
pull_request:
jobs:
quality:
name: Lint + unit tests
runs-on: ubuntu-latest
env:
# Dummy values so Settings() loads at import; unit tests open no connections.
DATABASE_URL: postgresql+asyncpg://profplan:profplan@localhost:5432/profplan
REDIS_URL: redis://localhost:6379/0
JWT_ACCESS_SECRET: ci-access-secret
JWT_REFRESH_SECRET: ci-refresh-secret
steps:
- uses: actions/checkout@v4
- uses: astral-sh/setup-uv@v5
with:
python-version: "3.13"
- run: uv sync --frozen --extra dev
- name: Ruff lint
run: uv run ruff check .
- name: Ruff format check
run: uv run ruff format --check .
- name: Unit tests
run: uv run pytest -m "not integration"
integration:
name: Integration tests
runs-on: ubuntu-latest
services:
postgres:
image: pgvector/pgvector:pg17
env:
POSTGRES_USER: profplan
POSTGRES_PASSWORD: profplan
POSTGRES_DB: profplan
ports: ["5432:5432"]
options: >-
--health-cmd "pg_isready -U profplan"
--health-interval 10s --health-timeout 5s --health-retries 5
redis:
image: redis:8-alpine
ports: ["6379:6379"]
options: >-
--health-cmd "redis-cli ping"
--health-interval 10s --health-timeout 5s --health-retries 5
env:
DATABASE_URL: postgresql+asyncpg://profplan:profplan@localhost:5432/profplan_test
REDIS_URL: redis://localhost:6379/15
JWT_ACCESS_SECRET: ci-access-secret
JWT_REFRESH_SECRET: ci-refresh-secret
# No LLM in CI: create plain plans instead of calling the AI.
PLAN_GENERATION_ENABLED: "false"
# Disable per-IP limiting so the shared test client isn't throttled.
RATE_LIMIT_ENABLED: "false"
steps:
- uses: actions/checkout@v4
- uses: astral-sh/setup-uv@v5
with:
python-version: "3.13"
- run: uv sync --frozen --extra dev
- name: Integration tests
run: uv run pytest -m integration tests/integration
security:
name: Security scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # gitleaks scans the full history
- uses: astral-sh/setup-uv@v5
with:
python-version: "3.13"
- run: uv sync --frozen --extra dev
# Blocking: fails the build on any known CVE in a dependency. If a real
# advisory has no fix yet, waive it explicitly with pip-audit's
# --ignore-vuln (documented at the call site) rather than re-adding
# continue-on-error, which silences everything indiscriminately.
- name: Dependency vulnerability audit (pip-audit)
run: uv run --with pip-audit pip-audit
# Blocking secret scan across the git history.
- name: Secret scan (gitleaks)
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}