Skip to content
Main CI (post-merge sweep)

tests: replace os.system with subprocess.run to avoid shell usage and… #6

Sign in to view logs

tests: replace os.system with subprocess.run to avoid shell usage and…

tests: replace os.system with subprocess.run to avoid shell usage and… #6

Workflow file for this run

.github/workflows/main-ci.yml at ed48372
# Rationale: Option B (post-merge sweep) from dev#198.
# Option A (require branch-up-to-date before merge) is enforced
# in GitHub repo settings → Branches → main branch protection.
# This file is the backstop if that check is bypassed (admin merge, etc.).
#
# Triggered only on push to main (not on PRs — those are covered by ci.yml).
# On any failure, opens a GitHub issue to flag the regression.
name: Main CI (post-merge sweep)
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
on:
push:
branches: [main]
jobs:
# ---------------------------------------------------------------------------
# Unit tests — mirrors ci.yml; catches interaction bugs that slip through
# independent-PR CI (the failure mode documented in #198).
# ---------------------------------------------------------------------------
unit-tests:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.11", "3.12"]
steps:
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
cache: "pip"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Assert palinode resolves to the checked-out tree
run: |
RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
echo "palinode.__file__ = $RESOLVED"
if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then
echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)"
echo " Got: $RESOLVED"
exit 1
fi
- name: Run unit tests (excluding integration)
run: python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live
# ---------------------------------------------------------------------------
# Integration tests — informational backstop on main.
# continue-on-error: true because Ollama is not available in CI runners.
# ---------------------------------------------------------------------------
integration-tests:
runs-on: ubuntu-latest
env:
PALINODE_DIR: /tmp/palinode-ci-test
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: "pip"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run integration tests
run: python -m pytest tests/integration/ -x -q
continue-on-error: true
# ---------------------------------------------------------------------------
# Security scan — same as ci.yml.
# ---------------------------------------------------------------------------
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: "pip"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
pip install bandit pip-audit
- name: Run bandit (static security analysis)
run: bandit -r palinode/ -ll -q
- name: Run pip-audit (dependency vulnerability check)
run: pip-audit
continue-on-error: true
# ---------------------------------------------------------------------------
# Regression reporter — fires only when a job above fails.
# Opens a GitHub issue so the regression is visible outside the Actions UI.
# ---------------------------------------------------------------------------
report-regression:
runs-on: ubuntu-latest
needs: [unit-tests, integration-tests, security-scan]
if: failure()
steps:
- name: Report regression
if: failure()
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh issue create \
--title "CI regression on main: ${{ github.sha }}" \
--body "Commit ${{ github.sha }} broke CI on main. Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
--label "bug"