1- # CI pipeline for Palinode — runs on every push and pull_request to any branch.
2- #
3- # Jobs:
4- # 1. unit-tests — fast feedback on core logic (no external services)
5- # 2. integration — tests/integration/ (may need Ollama; continue-on-error)
6- # 3. security-scan — bandit (code) + pip-audit (dependencies)
7-
81name : CI
92
103env :
114 FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 : true
125
6+ permissions :
7+ contents : read
8+
9+ concurrency :
10+ group : ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.run_id }}
11+ cancel-in-progress : ${{ github.event_name == 'pull_request' }}
12+
1313on :
1414 push :
1515 pull_request :
1616
1717jobs :
18- # ---------------------------------------------------------------------------
19- # Unit tests — should never need network access or Ollama.
20- # All embeddings / LLM calls are mocked in the test suite.
21- # ---------------------------------------------------------------------------
2218 unit-tests :
2319 runs-on : ubuntu-latest
20+ timeout-minutes : 15
2421
2522 strategy :
2623 matrix :
27- python-version : ["3.11", "3.12"]
24+ python-version : ["3.11", "3.12", "3.13" ]
2825
2926 steps :
3027 - uses : actions/checkout@v4
4037 python -m pip install --upgrade pip
4138 pip install -e ".[dev]"
4239
43- - name : Assert palinode resolves to the checked-out tree
44- # Regression guard for editable installs: palinode.__file__ must
45- # resolve under GITHUB_WORKSPACE, not some other site-packages path.
40+ - name : Assert package resolves to the checked-out tree
4641 run : |
4742 RESOLVED=$(python -c "import palinode; print(palinode.__file__)")
4843 echo "palinode.__file__ = $RESOLVED"
@@ -52,22 +47,15 @@ jobs:
5247 exit 1
5348 fi
5449
55- - name : Run unit tests (excluding integration)
50+ - name : Smoke console entry points
51+ run : python -m pytest tests/test_console_entry_points.py -q
52+
53+ - name : Run unit tests
5654 run : python -m pytest tests/ -x -q --ignore=tests/integration --ignore=tests/live
5755
58- # ---------------------------------------------------------------------------
59- # Integration tests — run against tests/integration/.
60- #
61- # These tests do not require Ollama directly (embeddings are stubbed), but
62- # they do spin up FastAPI in-process and exercise the full save/search loop
63- # against a real SQLite database in a temp directory.
64- #
65- # continue-on-error: true — any test tagged @pytest.mark.slow that needs
66- # a live Ollama instance will fail here; that is expected in CI.
67- # Run the full suite locally against a host with Ollama for full coverage.
68- # ---------------------------------------------------------------------------
6956 integration-tests :
7057 runs-on : ubuntu-latest
58+ timeout-minutes : 20
7159
7260 env :
7361 PALINODE_DIR : /tmp/palinode-ci-test
@@ -87,19 +75,12 @@ jobs:
8775 pip install -e ".[dev]"
8876
8977 - name : Run integration tests
90- # Integration tests that need Ollama will be skipped in CI;
91- # run locally against a host with Ollama for full Ollama-backed coverage.
9278 run : python -m pytest tests/integration/ -x -q
9379 continue-on-error : true
9480
95- # ---------------------------------------------------------------------------
96- # Security scans — informational (continue-on-error: true on pip-audit).
97- #
98- # bandit: static analysis for common Python security issues
99- # pip-audit: checks installed packages against known vulnerability databases
100- # ---------------------------------------------------------------------------
10181 security-scan :
10282 runs-on : ubuntu-latest
83+ timeout-minutes : 20
10384
10485 steps :
10586 - uses : actions/checkout@v4
@@ -116,11 +97,9 @@ jobs:
11697 pip install -e ".[dev]"
11798 pip install bandit pip-audit
11899
119- - name : Run bandit (static security analysis)
120- # -r: recursive, -ll: medium+ severity, -q: quiet output
100+ - name : Run bandit
121101 run : bandit -r palinode/ -ll -q
122102
123- - name : Run pip-audit (dependency vulnerability check)
124- # continue-on-error: known-vulnerability lists drift; treat as informational
103+ - name : Run pip-audit
125104 run : pip-audit
126105 continue-on-error : true
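Review bot: The `Run pip-audit` step at the end of the security-scan job still carries `continue-on-error: true`, and this commit removes the comments that explained it, so a dependency with a published advisory leaves the job green with nothing in the file saying that is deliberate. If the scan is meant to stay advisory, keep a one-line comment above the key, for example `# advisory only: pip-audit findings do not fail the build`; if it is meant to gate, drop `continue-on-error` and accept individual advisories explicitly with pip-audit's `--ignore-vuln` option. The same applies to `Run integration tests`, where the explanation for `continue-on-error: true` is also deleted. Separately, `pip install bandit pip-audit` in the context lines is unpinned, so the scanner versions can change between runs without a change to this file.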