anti
fe6b349e5e
Some checks failed
CI / Lint (ruff) (push) Successful in 11s
CI / Test (pytest) (3.11) (push) Successful in 1m42s
CI / Test (pytest) (3.12) (push) Successful in 1m45s
CI / SAST (bandit) (push) Failing after 12s
CI / Dependency audit (pip-audit) (push) Successful in 20s
CI / Open PR to main (push) Has been skipped
90 lines
2.6 KiB
YAML
90 lines
2.6 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [dev, testing]
|
|
paths-ignore:
|
|
- "**/*.md"
|
|
- "docs/**"
|
|
|
|
jobs:
|
|
lint:
|
|
name: Lint (ruff)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.11"
|
|
- run: pip install ruff
|
|
- run: ruff check .
|
|
|
|
test:
|
|
name: Test (pytest)
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
python-version: ["3.11", "3.12"]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
- run: pip install -e .[dev]
|
|
- run: pytest tests/ -v --tb=short
|
|
|
|
bandit:
|
|
name: SAST (bandit)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.11"
|
|
- run: pip install bandit
|
|
- run: bandit -r decnet/ -ll -x decnet/services/registry.py
|
|
|
|
pip-audit:
|
|
name: Dependency audit (pip-audit)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.11"
|
|
- run: pip install pip-audit
|
|
- run: pip install -e .[dev]
|
|
- run: pip-audit --skip-editable
|
|
|
|
open-pr:
|
|
name: Open PR to main
|
|
runs-on: ubuntu-latest
|
|
needs: [lint, test, bandit, pip-audit]
|
|
if: github.ref == 'refs/heads/dev'
|
|
steps:
|
|
- name: Open PR via Gitea API
|
|
run: |
|
|
echo "--- Checking for existing open PRs ---"
|
|
LIST_RESPONSE=$(curl -s \
|
|
-H "Authorization: token ${{ secrets.DECNET_PR_TOKEN }}" \
|
|
"https://git.resacachile.cl/api/v1/repos/anti/DECNET/pulls?state=open&head=anti:dev&base=main&limit=5")
|
|
echo "$LIST_RESPONSE"
|
|
EXISTING=$(echo "$LIST_RESPONSE" | python3 -c "import sys, json; print(len(json.load(sys.stdin)))")
|
|
echo "Open PRs found: $EXISTING"
|
|
if [ "$EXISTING" -gt "0" ]; then
|
|
echo "PR already open, skipping."
|
|
exit 0
|
|
fi
|
|
echo "--- Creating PR ---"
|
|
CREATE_RESPONSE=$(curl -s -X POST \
|
|
-H "Authorization: token ${{ secrets.DECNET_PR_TOKEN }}" \
|
|
-H "Content-Type: application/json" \
|
|
-d '{
|
|
"title": "Auto PR: dev → main",
|
|
"head": "dev",
|
|
"base": "main",
|
|
"body": "All CI and security checks passed. Review and merge when ready."
|
|
}' \
|
|
"https://git.resacachile.cl/api/v1/repos/anti/DECNET/pulls")
|
|
echo "$CREATE_RESPONSE"
|