-
Notifications
You must be signed in to change notification settings - Fork 7
154 lines (129 loc) · 4.48 KB
/
Copy pathci.yml
File metadata and controls
154 lines (129 loc) · 4.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: CI
on:
pull_request:
branches: [main]
push:
branches: [main]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
PYTHON_VERSION: "3.12"
NODE_VERSION: "22"
OMOIOS_ENV: test
jobs:
lint:
name: Lint & Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: astral-sh/setup-uv@v4
with:
version: "latest"
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install dependencies
working-directory: backend
run: uv sync --group test
- name: Install linters
run: uv tool install ruff@0.9.7
- name: Ruff lint check
working-directory: backend
run: ruff check . --statistics
- name: Ruff format check
working-directory: backend
run: |
ruff format --check . || {
echo ""
echo "::error::Files need formatting. Run 'uv run ruff format backend/' locally and commit."
exit 1
}
test:
name: Tests
runs-on: ubuntu-latest
services:
redis:
image: redis:7
ports:
- 16379:6379
options: >-
--health-cmd "redis-cli ping"
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- uses: actions/checkout@v4
- uses: astral-sh/setup-uv@v4
with:
version: "latest"
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install dependencies
working-directory: backend
run: uv sync --group test
- name: Run unit tests
working-directory: backend
env:
DATABASE_URL: postgresql+psycopg://postgres:postgres@localhost:15432/omoi_os_test
REDIS_URL: redis://localhost:16379
run: >-
uv run pytest tests/unit/ -x -v
--ignore=tests/unit/workers/
--ignore=tests/unit/services/test_ownership_validation.py
--ignore=tests/unit/services/test_synthesis_service.py
--ignore=tests/unit/test_artifact_service.py
--ignore=tests/unit/test_credential_encryption.py
--ignore=tests/unit/test_environment_credentials_column.py
--ignore=tests/unit/test_feature_flags.py
--ignore=tests/unit/test_webhook_service.py
--ignore=tests/unit/test_credential_broker.py
--ignore=tests/unit/test_workspace_isolation.py
--ignore=tests/unit/test_environment_service.py
--ignore=tests/unit/services/test_session_event_envelope.py
-k "not database and not db and not migration"
frontend:
name: Frontend Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- uses: pnpm/action-setup@v4
with:
version: 9
- name: Install dependencies
working-directory: frontend
run: pnpm install --frozen-lockfile
- name: Type check & Build
working-directory: frontend
run: pnpm build
secrets-scan:
name: Secret Detection
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install detect-secrets
run: pip install detect-secrets
- name: Scan for new secrets (against baseline)
run: |
# Save the current results (minus timestamp) for comparison
python3 -c "import json; d=json.load(open('.secrets.baseline')); d.pop('generated_at',None); json.dump(d,open('/tmp/before.json','w'),sort_keys=True)"
# Update baseline with any new findings
detect-secrets scan --baseline .secrets.baseline
# Compare results (minus timestamp)
python3 -c "import json; d=json.load(open('.secrets.baseline')); d.pop('generated_at',None); json.dump(d,open('/tmp/after.json','w'),sort_keys=True)"
if diff -q /tmp/before.json /tmp/after.json > /dev/null 2>&1; then
echo "No new secrets detected."
else
echo "::error::New potential secrets found! Run 'detect-secrets scan --baseline .secrets.baseline' locally, audit them, and commit the updated baseline."
diff /tmp/before.json /tmp/after.json || true
exit 1
fi