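# CI pipeline for Palinode
# Runs on every push to main and on pull requests.
#
# Jobs:
# 1. unit-tests — fast feedback on core logic (no external services)
# 2. integration — placeholder for tests requiring Ollama/external deps
# 3. security-scan — bandit (code) + pip-audit (dependencies)
# 4. shipping-leak-scan — PR-only diff check for private references
#
# Action references below are pinned to major-version tags (@v4, @v5).
# For a stronger supply-chain guarantee, pin each one to a full commit SHA
# and let Dependabot/Renovate keep the SHAs current.
name: CI

# Least-privilege token: every job here only reads the repository. Nothing
# pushes, comments, or publishes, so the default GITHUB_TOKEN grant (which
# may be read/write depending on repository settings) is not needed.
permissions:
  contents: read

env:
  # GitHub exposes env values as strings; quoted so no YAML loader retypes it.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  # ---------------------------------------------------------------------------
  # Unit tests — should never need network access or Ollama.
  # All embeddings / LLM calls are mocked in the test suite.
  # ---------------------------------------------------------------------------
  unit-tests:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so "3.10"-style versions are never read as floats.
        python-version: ["3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: "${{ matrix.python-version }}"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Assert palinode resolves to the checked-out tree
        # Regression guard for editable installs:
        # palinode.__file__ must resolve under GITHUB_WORKSPACE, not some
        # other site-packages path. A failure here means the editable
        # install is broken and tests are running against the wrong source.
        run: |
          RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
          echo "palinode.__file__ = $RESOLVED"
          if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then
            echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)"
            echo "       Got: $RESOLVED"
            exit 1
          fi
      - name: Run unit tests
        run: pytest tests/ -v --tb=short

  # ---------------------------------------------------------------------------
  # Integration tests — placeholder.
  #
  # When tests/integration/ is created, update the pytest path below.
  # Integration tests will likely need an Ollama service container for
  # BGE-M3 embeddings. That setup is deferred until the test suite exists.
  #
  # NOTE(review): if tests/integration/ does not exist yet, pytest exits
  # non-zero (usage error, "file or directory not found") and this job fails
  # on every run — confirm the directory exists or gate the step on it.
  # ---------------------------------------------------------------------------
  integration-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run integration tests
        run: pytest tests/integration/ -v --tb=short

  # ---------------------------------------------------------------------------
  # Security scans — informational for now (continue-on-error: true).
  #
  # bandit: static analysis for common Python security issues
  # pip-audit: checks installed packages against known vulnerability databases
  #
  # These run in a single job to save runner time. Once the findings are
  # triaged, remove continue-on-error to enforce them on PRs.
  # ---------------------------------------------------------------------------
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        # bandit/pip-audit are installed unpinned; pin them (or add them to
        # the dev extra) if scan results need to be reproducible over time.
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
          pip install bandit pip-audit
      - name: Run bandit (static security analysis)
        # -r: recursive, -ll: only medium+ severity findings
        run: bandit -r palinode/ -ll
        continue-on-error: true
      - name: Run pip-audit (dependency vulnerability check)
        # Audits everything installed in the runner's environment, i.e. the
        # resolved ".[dev]" set, not just the declared direct dependencies.
        run: pip-audit
        continue-on-error: true

  # ---------------------------------------------------------------------------
  # Shipping-leak scan — catch new SYNC-PUBLIC blacklist patterns at PR time.
  #
  # Failing here means the PR introduced a private reference (private host,
  # internal repo name, agent identifier, etc.) into a file that ships
  # publicly. Fix at PR time rather than letting it propagate to staging.
  #
  # Runs only on PRs (not on pushes to main) and only against the diff
  # vs the base branch — existing baseline leaks on dev main are not
  # the concern of this check.
  # ---------------------------------------------------------------------------
  shipping-leak-scan:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the diff comparison works
      - name: Scan PR diff for new shipping leaks
        # github.base_ref is handed to the script through the environment
        # instead of being interpolated into the shell line, so the branch
        # name is never re-parsed by the shell as part of the command text.
        env:
          BASE_REF: ${{ github.base_ref }}
        run: bash scripts/check-shipping-leaks.sh --diff "origin/$BASE_REF"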