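# Rationale: Option B (post-merge sweep) from dev#198.
# Option A (require branch-up-to-date before merge) is enforced
# in GitHub repo settings → Branches → main branch protection.
# This file is the backstop if that check is bypassed (admin merge, etc.).
#
# Triggered only on push to main (not on PRs — those are covered by ci.yml).
# On any failure, opens a GitHub issue to flag the regression.
---
name: Main CI (post-merge sweep)

# yamllint disable-line rule:truthy
on:
  push:
    branches: [main]

# Least privilege: every job gets a read-only GITHUB_TOKEN by default.
# report-regression is the only job that needs more (issues: write) and
# widens the grant at job level below.
permissions:
  contents: read

env:
  # Quoted: env values are strings; a bare `true` is a YAML boolean and
  # may be re-typed by tooling that round-trips the file.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  # ---------------------------------------------------------------------------
  # Unit tests — mirrors ci.yml; catches interaction bugs that slip through
  # independent-PR CI (the failure mode documented in #198).
  # ---------------------------------------------------------------------------
  unit-tests:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.11", "3.12"]
    steps:
      # NOTE(review): action version tags are mutable; pinning to a commit SHA
      # is the supply-chain-hardened form. Kept as tags here to match ci.yml.
      - uses: actions/checkout@v4
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      # Guards against a stale copy of palinode elsewhere on sys.path shadowing
      # the editable install: the tests must exercise the tree just merged.
      - name: Assert palinode resolves to the checked-out tree
        run: |
          RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
          echo "palinode.__file__ = $RESOLVED"
          if [[ "$RESOLVED" != "$GITHUB_WORKSPACE"/* ]]; then
            echo "ERROR: palinode resolves outside the workspace ($GITHUB_WORKSPACE)"
            echo " Got: $RESOLVED"
            exit 1
          fi
      - name: Run unit tests (excluding integration)
        run: python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live

  # ---------------------------------------------------------------------------
  # Integration tests — informational backstop on main.
  # continue-on-error: true because Ollama is not available in CI runners.
  # A job whose only failing step is continue-on-error still reports success,
  # so this job never triggers report-regression on its own.
  # ---------------------------------------------------------------------------
  integration-tests:
    runs-on: ubuntu-latest
    env:
      PALINODE_DIR: /tmp/palinode-ci-test
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run integration tests
        run: python -m pytest tests/integration/ -x -q
        continue-on-error: true

  # ---------------------------------------------------------------------------
  # Security scan — same as ci.yml.
  # ---------------------------------------------------------------------------
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
          cache: "pip"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
          pip install bandit pip-audit
      # -ll: report medium severity and above; -q: suppress the progress output.
      - name: Run bandit (static security analysis)
        run: bandit -r palinode/ -ll -q
      # Advisory only: a newly published advisory against a transitive dependency
      # should not mark main as broken, but the findings stay in the step log.
      - name: Run pip-audit (dependency vulnerability check)
        run: pip-audit
        continue-on-error: true

  # ---------------------------------------------------------------------------
  # Regression reporter — fires only when a job above fails.
  # Opens a GitHub issue so the regression is visible outside the Actions UI.
  # ---------------------------------------------------------------------------
  report-regression:
    runs-on: ubuntu-latest
    needs: [unit-tests, integration-tests, security-scan]
    # Job-level failure(): true when any job listed in `needs` failed.
    # This is the only gate; a step-level `if: failure()` on the first step of
    # the job would look at earlier steps of this job instead, so it is omitted.
    if: failure()
    # Only this job may write issues; everything else keeps the read-only grant.
    permissions:
      issues: write
    steps:
      - name: Report regression
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # This job has no checkout step, so gh cannot infer the repository
          # from a git remote; GH_REPO tells it where to open the issue.
          GH_REPO: ${{ github.repository }}
          # Expression values are passed through env rather than interpolated
          # into the script, keeping the shell command text static.
          COMMIT_SHA: ${{ github.sha }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        # NOTE(review): gh rejects a label that does not exist in the repository —
        # confirm "bug" is defined, or the issue creation itself fails.
        run: |
          gh issue create \
            --title "CI regression on main: $COMMIT_SHA" \
            --body "Commit $COMMIT_SHA broke CI on main. Run: $RUN_URL" \
            --label "bug"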