
Add comprehensive CI workflows #2

Merged: pdettori merged 1 commit into main from orchestrate/ci on Mar 13, 2026

Conversation

@pdettori
Contributor

Summary

Phase 4 of repo orchestration — comprehensive CI for agent-toolkit.

  • ci.yaml — Pre-commit hooks + lint + test (Python 3.11, uv, ruff, pytest)
  • security-scans.yaml — Dependency review, Trivy filesystem scan (CRITICAL+HIGH → SARIF), CodeQL Python with security-extended queries, action SHA-pinning verification
  • scorecard.yaml — OpenSSF Scorecard (weekly + on push to main, SARIF upload to Security tab)
  • stale.yaml — Reusable kagenti org workflow for stale issues/PRs
  • dependabot.yml — Weekly updates for pip and github-actions ecosystems

Supply chain hardening

  • All actions SHA-pinned (no tag-only references)
  • Explicit least-privilege permissions on every job
  • timeout-minutes: 15 on CI jobs
  • Trivy + CodeQL SARIF results uploaded to GitHub Security tab

Test plan

  • Verify ci.yaml triggers on PR and runs pre-commit + lint successfully
  • Verify security-scans.yaml runs dependency review, Trivy, CodeQL, and action-pinning check
  • Verify scorecard.yaml runs on push to main
  • Verify dependabot creates PRs for pip and github-actions updates

🤖 Generated with Claude Code

Add GitHub Actions for lint, test, security scanning, dependency
management, and supply chain hardening:

- ci.yaml: pre-commit + lint + test (Python 3.11, uv, ruff)
- security-scans.yaml: dependency review, Trivy fs scan, CodeQL
  (Python, security-extended), action SHA-pinning verification
- scorecard.yaml: OpenSSF Scorecard with SARIF upload
- stale.yaml: reusable kagenti org stale issues workflow
- dependabot.yml: pip + github-actions ecosystems

All actions SHA-pinned to prevent supply chain attacks.
Explicit least-privilege permissions on every workflow.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@pdettori
Contributor Author

There is no Python code to test and scan yet, so CI failures are expected.

@pdettori pdettori merged commit 043bed1 into main Mar 13, 2026
3 of 7 checks passed
@pdettori pdettori deleted the orchestrate/ci branch March 13, 2026 18:12