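# CI pipeline: static checks (lint, SAST, dependency audit) gate the test
# stages, which in turn gate the automated dev -> testing -> main promotion.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [dev, testing, "temp/merge-*"]
    paths-ignore:
      - "**/*.md"
      - "docs/**"

# Least privilege for the default GITHUB_TOKEN: every job only needs to read
# the repository. The promotion jobs push with the DECNET_PR_TOKEN secret that
# is handed to actions/checkout, so they do not depend on GITHUB_TOKEN having
# write access.
permissions:
  contents: read

jobs:
  lint:
    name: Lint (ruff)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install ruff
      - run: ruff check .

  bandit:
    name: SAST (bandit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install bandit
      # -ll reports medium severity and above; the -x paths are excluded from
      # the scan entirely, so findings in them are never surfaced here.
      - run: bandit -r decnet/ -ll -x decnet/services/registry.py -x decnet/templates/

  pip-audit:
    name: Dependency audit (pip-audit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install pip-audit
      - run: pip install -e .[dev]
      # The ignored advisory is accepted risk for now; revisit the ignore when
      # the affected dependency is upgraded so it does not outlive its reason.
      - run: pip-audit --skip-editable --ignore-vuln CVE-2025-65896

  test-standard:
    name: Test (Standard)
    runs-on: ubuntu-latest
    needs: [lint, bandit, pip-audit]
    strategy:
      matrix:
        python-version: ["3.11"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pip install -e .[dev]
      - run: pytest

  test-live:
    name: Test (Live)
    runs-on: ubuntu-latest
    needs: [test-standard]
    strategy:
      matrix:
        python-version: ["3.11"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pip install -e .[dev]
      - run: pytest -m live

  test-fuzz:
    name: Test (Fuzz)
    runs-on: ubuntu-latest
    needs: [test-live]
    strategy:
      matrix:
        python-version: ["3.11"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pip install -e .[dev]
      - run: pytest -m fuzz

  merge-to-testing:
    name: Merge dev → testing
    runs-on: ubuntu-latest
    needs: [test-standard, test-live, test-fuzz]
    if: github.ref == 'refs/heads/dev'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the merge commit has both parents
          token: ${{ secrets.DECNET_PR_TOKEN }}
      - name: Configure git
        run: |
          git config user.name "DECNET CI"
          git config user.email "ci@decnet.local"
      # "[skip ci]" in the merge message means the push to testing does not
      # itself start another workflow run.
      - name: Merge dev into testing
        run: |
          git fetch origin testing
          git checkout testing
          git merge origin/dev --no-ff -m "ci: auto-merge dev → testing [skip ci]"
          git push origin testing

  prepare-merge-to-main:
    name: Prepare Merge to Main
    runs-on: ubuntu-latest
    needs: [test-standard, test-live, test-fuzz]
    if: github.ref == 'refs/heads/testing'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.DECNET_PR_TOKEN }}
      - name: Configure git
        run: |
          git config user.name "DECNET CI"
          git config user.email "ci@decnet.local"
      # A merge conflict aborts the job; the temp branch is only pushed (and
      # force-updated) once main merges cleanly into it.
      - name: Create temp branch and sync with main
        run: |
          git fetch origin main
          git checkout -b temp/merge-testing-to-main
          echo "--- Switched to temp branch, merging main into it ---"
          git merge origin/main --no-edit || { echo "CONFLICT: Manual resolution required"; exit 1; }
          git push origin temp/merge-testing-to-main --force

  finalize-merge-to-main:
    name: Finalize Merge to Main
    runs-on: ubuntu-latest
    needs: [test-standard, test-live, test-fuzz]
    if: startsWith(github.ref, 'refs/heads/temp/merge-')
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.DECNET_PR_TOKEN }}
      - name: Configure git
        run: |
          git config user.name "DECNET CI"
          git config user.email "ci@decnet.local"
      # The ref and branch name come from the triggering push. They are passed
      # to the shell through environment variables and quoted, rather than
      # interpolated into the script text with ${{ }}, so that a branch name
      # containing shell metacharacters cannot change the commands that run.
      - name: Merge RC into main
        env:
          MERGE_REF: ${{ github.ref }}
          MERGE_BRANCH: ${{ github.ref_name }}
        run: |
          git fetch origin main
          git checkout main
          git merge "$MERGE_REF" --no-ff -m "ci: auto-merge testing → main"
          git push origin main
          echo "--- Cleaning up temp branch ---"
          git push origin --delete "$MERGE_BRANCH"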