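---
# CI workflow: lint, tests, SAST and dependency audit on pushes to dev/testing,
# then (dev only) opens a dev -> main pull request through the Gitea API once
# every gate has passed.
name: CI

# yamllint disable-line rule:truthy
on:
  push:
    branches: [dev, testing]

jobs:
  lint:
    name: Lint (ruff)
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned by major tag; a full commit SHA would pin the exact
      # reviewed code instead of a movable tag (same for every `uses:` below).
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install ruff
      - run: ruff check .

  test:
    name: Test (pytest)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so a version such as "3.10" is never read as a float.
        python-version: ["3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "${{ matrix.python-version }}"
      - run: pip install -e .
      - run: pytest tests/ -v --tb=short

  bandit:
    name: SAST (bandit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install bandit
      # -ll reports medium severity and above; decnet/services/registry.py is
      # excluded from the scan — the reason is not recorded here (TODO document).
      - run: bandit -r decnet/ -ll -x decnet/services/registry.py

  pip-audit:
    name: Dependency audit (pip-audit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install pip-audit
      # Install the project so its resolved dependency set is what gets audited;
      # --skip-editable leaves the editable package itself out of the report.
      - run: pip install -e .
      - run: pip-audit --skip-editable

  open-pr:
    name: Open PR to main
    runs-on: ubuntu-latest
    # Runs only after every gate has passed, and only for the dev branch.
    needs: [lint, test, bandit, pip-audit]
    if: github.ref == 'refs/heads/dev'
    steps:
      - name: Open PR via Gitea API
        # The token reaches the script through the environment instead of being
        # spliced into the shell text by the expression engine.
        env:
          GITEA_TOKEN: ${{ secrets.DECNET_PR_TOKEN }}
          API_BASE: "https://git.resacachile.cl/api/v1/repos/anti/DECNET"
        run: |
          set -euo pipefail

          echo "--- Checking for existing open PRs ---"
          # --fail-with-body turns a 4xx/5xx into a non-zero exit. Without it an
          # error object (for example a rejected token) has a non-zero length and
          # was mistaken for "a PR is already open".
          if ! LIST_RESPONSE=$(curl -s --fail-with-body \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${API_BASE}/pulls?state=open&head=anti:dev&base=main&limit=5"); then
            echo "Listing open PRs failed: ${LIST_RESPONSE}" >&2
            exit 1
          fi
          echo "$LIST_RESPONSE"

          # Only a JSON array is a valid answer here; anything else aborts the job
          # rather than being counted.
          EXISTING=$(printf '%s' "$LIST_RESPONSE" | python3 -c 'import sys, json
          d = json.load(sys.stdin)
          if not isinstance(d, list):
              sys.exit("unexpected response shape: %s" % type(d).__name__)
          print(len(d))')
          echo "Open PRs found: $EXISTING"
          if [ "$EXISTING" -gt "0" ]; then
            echo "PR already open, skipping."
            exit 0
          fi

          echo "--- Creating PR ---"
          # A failed creation (HTTP error) now fails the step instead of being
          # logged and passed.
          if ! CREATE_RESPONSE=$(curl -s --fail-with-body -X POST \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              -d '{
                "title": "Auto PR: dev → main",
                "head": "dev",
                "base": "main",
                "body": "All CI and security checks passed. Review and merge when ready."
              }' \
              "${API_BASE}/pulls"); then
            echo "Creating the PR failed: ${CREATE_RESPONSE}" >&2
            exit 1
          fi
          echo "$CREATE_RESPONSE"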