feat(harness): promote HiveTrust to byte-exact validated (4/4 inline … #729
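# CI workflow: backend lint/test, frontend typecheck/build, dependency
# audits, and a build-only Docker image check.
#
# NOTE(review): every `uses:` below references an action by a mutable tag
# (for example `@v4`). Pinning each one to a full commit SHA keeps a moved
# tag from changing what runs in this pipeline.
name: CI

on:
  # Manual trigger — click "Run workflow" in GitHub Actions tab
  workflow_dispatch:
  # Auto-run on pushes to main
  push:
    branches: [main]
  # Auto-run on PRs targeting main
  pull_request:
    branches: [main]

# The workflow token is limited to read-only access to repository contents.
permissions:
  contents: read

jobs:
  backend:
    name: Backend (lint + test)
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        # Throwaway credentials for the job-local service container only.
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: agentgraph_test
        ports:
          - "5432:5432"
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      redis:
        image: redis:7
        ports:
          - "6379:6379"
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python 3.9
        uses: actions/setup-python@v5
        with:
          python-version: "3.9"
      - name: Install dependencies
        run: pip install -e ".[dev]"
      - name: Lint
        run: ruff check src/ tests/
      - name: AST verify
        # `-exec ... {} +` is used instead of `-exec ... \;` because find
        # ignores the command's exit status with `\;`, so a file that fails
        # to parse would not fail this step.
        run: |
          find src tests -name "*.py" -exec python -c "
          import ast, sys
          for path in sys.argv[1:]:
              with open(path, encoding='utf-8') as fh:
                  ast.parse(fh.read(), filename=path)
              print('OK:', path)
          " {} +
      - name: Run migrations
        env:
          DATABASE_URL: postgresql+asyncpg://postgres:postgres@localhost:5432/agentgraph_test
        run: alembic upgrade head
      - name: Test
        env:
          DATABASE_URL: postgresql+asyncpg://postgres:postgres@localhost:5432/agentgraph_test
          REDIS_URL: redis://localhost:6379/0
        run: pytest tests/ -v

  frontend:
    name: Frontend (typecheck + build)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Install dependencies
        working-directory: web
        run: npm ci
      - name: TypeScript check
        working-directory: web
        run: npx tsc -b
      - name: Build
        working-directory: web
        run: npx vite build

  security:
    name: Security Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python 3.9
        uses: actions/setup-python@v5
        with:
          python-version: "3.9"
      - name: Install dependencies
        run: pip install -e ".[dev]" pip-audit
      # pip-audit runs for visibility; vulnerabilities are tracked
      # in dependency update PRs rather than blocking every commit.
      # `continue-on-error` keeps the job green while still marking the
      # step as failed in the run summary, which `|| true` would hide.
      - name: Audit Python dependencies
        continue-on-error: true
        run: pip-audit
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      # Install is a separate, blocking step: a trailing `|| true` on a
      # combined command would also swallow a failed `cd` or `npm ci`,
      # leaving a green job in which the audit never ran.
      - name: Install npm dependencies
        working-directory: web
        run: npm ci
      # Advisory only, like the Python audit above: findings at or above
      # `high` mark the step as failed but do not block the job.
      - name: Audit npm dependencies
        working-directory: web
        continue-on-error: true
        run: npm audit --audit-level=high

  docker:
    name: Docker Image Build (verify only)
    runs-on: ubuntu-latest
    needs: [backend, frontend]
    # Runs on push events only, and only after backend and frontend pass.
    if: github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # Both images are built to verify the Dockerfiles; nothing is pushed.
      - name: Build backend image (no push)
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          push: false
          tags: agentgraph/backend:${{ github.sha }}
      - name: Build frontend image (no push)
        uses: docker/build-push-action@v5
        with:
          context: web
          file: web/Dockerfile
          push: false
          tags: agentgraph/frontend:${{ github.sha }}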