
hotfix: remove public leak scanner patterns #17


Workflow file for this run

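# CI pipeline for Palinode — runs on every push and pull_request to any branch.
#
# Jobs:
#   1. unit-tests        — fast feedback on core logic (no external services)
#   2. integration-tests — tests/integration/ (may need Ollama; continue-on-error)
#   3. security-scan     — bandit (code) + pip-audit (dependencies)
#
# Hardening notes:
#   - The automatic GITHUB_TOKEN is restricted to read-only repository contents
#     for every job (see `permissions:` below); nothing here pushes, comments,
#     or publishes, so no job needs a wider scope.
#   - Third-party actions are referenced by major tag (`@v4`, `@v5`). A tag is
#     mutable; for supply-chain safety prefer pinning each `uses:` to a
#     full-length commit SHA and keeping the tag in a trailing comment
#     (e.g. `actions/checkout@<full-commit-sha>  # v4`) so update tooling can
#     still bump it.
name: CI

# Least privilege for the workflow token. Checkout only needs contents:read;
# setup-python's pip cache does not require a token permission. Widen this
# per job if a later step genuinely needs to write.
permissions:
  contents: read

env:
  # GitHub-provided opt-in flag to run JavaScript actions on Node 24.
  # Env values are strings at runtime; quoted so YAML tooling does not retype
  # the boolean-looking value.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

# `on` parses as a YAML 1.1 boolean key under generic loaders; GitHub's loader
# handles it, so only the lint rule is silenced.
on:  # yamllint disable-line rule:truthy
  push:
  pull_request:

jobs:
  # ---------------------------------------------------------------------------
  # Unit tests — should never need network access or Ollama.
  # All embeddings / LLM calls are mocked in the test suite.
  # ---------------------------------------------------------------------------
  unit-tests:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted: an unquoted 3.10-style entry would be read as the float 3.1.
        python-version: ["3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4  # TODO: pin to a full-length commit SHA
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5  # TODO: pin to a full-length commit SHA
        with:
          python-version: "${{ matrix.python-version }}"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Assert palinode resolves to the checked-out tree
        # Regression guard for editable installs: palinode.__file__ must
        # resolve under GITHUB_WORKSPACE, not some other site-packages path.
        # `[[ ... ]]` and the `/*` glob match are bash-specific, so the shell
        # is named explicitly rather than relying on the runner default.
        shell: bash
        run: |
          RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
          echo "palinode.__file__ = $RESOLVED"
          if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then
            echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)"
            echo " Got: $RESOLVED"
            exit 1
          fi
      - name: Run unit tests (excluding integration)
        # tests/integration and tests/live are excluded here; integration
        # has its own job below, live is never run in CI.
        run: python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live

  # ---------------------------------------------------------------------------
  # Integration tests — run against tests/integration/.
  #
  # These tests do not require Ollama directly (embeddings are stubbed), but
  # they do spin up FastAPI in-process and exercise the full save/search loop
  # against a real SQLite database in a temp directory.
  #
  # continue-on-error: true — any test tagged @pytest.mark.slow that needs
  # a live Ollama instance will fail here; that is expected in CI.
  # Run the full suite locally against a host with Ollama for full coverage.
  # ---------------------------------------------------------------------------
  integration-tests:
    runs-on: ubuntu-latest
    env:
      # Keeps the test database out of the source tree and out of the
      # home directory used by a developer's local install.
      PALINODE_DIR: /tmp/palinode-ci-test
    steps:
      - uses: actions/checkout@v4  # TODO: pin to a full-length commit SHA
      - name: Set up Python
        uses: actions/setup-python@v5  # TODO: pin to a full-length commit SHA
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run integration tests
        # Integration tests that need Ollama will be skipped in CI;
        # run locally against a host with Ollama for full Ollama-backed coverage.
        # Because this step never fails the job, a genuine regression in the
        # non-Ollama integration tests is only visible in the step log —
        # check it when reviewing a green run.
        run: python -m pytest tests/integration/ -x -q
        continue-on-error: true

  # ---------------------------------------------------------------------------
  # Security scans — informational (continue-on-error: true on pip-audit).
  #
  # bandit: static analysis for common Python security issues
  # pip-audit: checks installed packages against known vulnerability databases
  # ---------------------------------------------------------------------------
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # TODO: pin to a full-length commit SHA
      - name: Set up Python
        uses: actions/setup-python@v5  # TODO: pin to a full-length commit SHA
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        # The project (with its dev extras) is installed first so pip-audit
        # sees the real resolved dependency set, then the scanners themselves.
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
          pip install bandit pip-audit
      - name: Run bandit (static security analysis)
        # -r: recursive, -ll: medium+ severity, -q: quiet output
        # This step is blocking: a medium-or-higher bandit finding fails the job.
        run: bandit -r palinode/ -ll -q
      - name: Run pip-audit (dependency vulnerability check)
        # continue-on-error: known-vulnerability lists drift; treat as informational.
        # Findings never gate a merge — review the step log for new advisories.
        run: pip-audit
        continue-on-error: true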