hotfix: remove leaked scrub-check script from public repo #65
| # CI pipeline for Palinode | |
| # Runs on every push to main and on pull requests. | |
| # | |
| # Jobs: | |
| # 1. unit-tests — fast feedback on core logic (no external services) | |
| # 2. integration — placeholder for tests requiring Ollama/external deps | |
| # 3. security-scan — bandit (code) + pip-audit (dependencies) | |
| name: CI | |
| env: | |
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| # --------------------------------------------------------------------------- | |
| # Unit tests — should never need network access or Ollama. | |
| # All embeddings / LLM calls are mocked in the test suite. | |
| # --------------------------------------------------------------------------- | |
| unit-tests: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| python-version: ["3.11", "3.12"] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| cache: "pip" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Assert palinode resolves to the checked-out tree | |
| # Regression guard for editable installs: | |
| # palinode.__file__ must resolve under GITHUB_WORKSPACE, not some | |
| # other site-packages path. A failure here means the editable | |
| # install is broken and tests are running against the wrong source. | |
| run: | | |
| RESOLVED=$(python -c "import palinode; print(palinode.__file__)") | |
| echo "palinode.__file__ = $RESOLVED" | |
| if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then | |
| echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)" | |
| echo " Got: $RESOLVED" | |
| exit 1 | |
| fi | |
| - name: Run unit tests | |
| run: pytest tests/ -v --tb=short | |
| # --------------------------------------------------------------------------- | |
| # Integration tests — placeholder. | |
| # | |
| # When tests/integration/ is created, update the pytest path below. | |
| # Integration tests will likely need an Ollama service container for | |
| # BGE-M3 embeddings. That setup is deferred until the test suite exists. | |
| # --------------------------------------------------------------------------- | |
| integration-tests: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| cache: "pip" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Run integration tests | |
| run: pytest tests/integration/ -v --tb=short | |
| # --------------------------------------------------------------------------- | |
| # Security scans — informational for now (continue-on-error: true). | |
| # | |
| # bandit: static analysis for common Python security issues | |
| # pip-audit: checks installed packages against known vulnerability databases | |
| # | |
| # These run in a single job to save runner time. Once the findings are | |
| # triaged, remove continue-on-error to enforce them on PRs. | |
| # --------------------------------------------------------------------------- | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| cache: "pip" | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| pip install bandit pip-audit | |
| - name: Run bandit (static security analysis) | |
| # -r: recursive, -ll: only medium+ severity findings | |
| run: bandit -r palinode/ -ll | |
| continue-on-error: true | |
| - name: Run pip-audit (dependency vulnerability check) | |
| run: pip-audit | |
| continue-on-error: true | |
| # --------------------------------------------------------------------------- | |
| # Shipping-leak scan — catch new SYNC-PUBLIC blacklist patterns at PR time. | |
| # | |
| # Failing here means the PR introduced a private reference (private host, | |
| # internal repo name, agent identifier, etc.) into a file that ships | |
| # publicly. Fix at PR time rather than letting it propagate to staging. | |
| # | |
| # Runs only on PRs (not on pushes to main) and only against the diff | |
| # vs the base branch — existing baseline leaks on dev main are not | |
| # the concern of this check. | |
| # --------------------------------------------------------------------------- | |
| shipping-leak-scan: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # full history so the diff comparison works | |
| - name: Scan PR diff for new shipping leaks | |
| run: bash scripts/check-shipping-leaks.sh --diff "origin/${{ github.base_ref }}" |
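Review bot: The last step of `shipping-leak-scan` still invokes `scripts/check-shipping-leaks.sh`; if that is the scrub-check script this hotfix removes from the public repo (I can only infer that from the PR title), every pull request will now fail at this step with a missing-file error, so the job should be dropped in the same change or the step guarded with `if [[ -f scripts/check-shipping-leaks.sh ]]`. Separately, the workflow declares no `permissions:` block, so GITHUB_TOKEN falls back to the repository default; none of the four jobs visibly needs more than `permissions: contents: read` at the top level. The same `run:` line interpolates `${{ github.base_ref }}` straight into the shell command; the base ref is a branch that already exists in the base repository, so the exposure is limited, but the robust idiom is `env: BASE_REF: ${{ github.base_ref }}` on the step and `"origin/$BASE_REF"` in the script. The action references use floating major tags (`@v4`, `@v5`) and `pip install bandit pip-audit` is unpinned, which is acceptable for an informational scan but worth a comment noting the reproducibility trade-off.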