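name: CI

on:
  # Manual trigger — click "Run workflow" in the GitHub Actions tab
  workflow_dispatch:
  # Auto-run on pushes to main
  push:
    branches: [main]
  # Auto-run on PRs targeting main. This is `pull_request`, not
  # `pull_request_target`, so fork PRs run with a read-only token and
  # never see repository secrets.
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repo, publishes packages, or pushes images (the docker job is build-only).
permissions:
  contents: read

# NOTE(review): every `uses:` below is pinned to a mutable major tag
# (actions/checkout@v4, docker/build-push-action@v5, ...). A tag can be
# moved to point at different code; for supply-chain hardening pin each
# action to a full commit SHA with a `# vN` trailer and let Dependabot
# keep the SHAs current.

jobs:
  backend:
    name: Backend (lint + test)
    runs-on: ubuntu-latest
    # Connection strings are shared by the migration and test steps, so they
    # live at job level instead of being repeated per step.
    env:
      DATABASE_URL: postgresql+asyncpg://postgres:postgres@localhost:5432/agentgraph_test
      REDIS_URL: redis://localhost:6379/0
    services:
      postgres:
        image: postgres:16
        env:
          # Throwaway credentials for the ephemeral service container only —
          # the container lives for the duration of this job and is not
          # reachable outside the runner. Do not mirror these anywhere else.
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: agentgraph_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      redis:
        image: redis:7
        ports:
          - 6379:6379
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step needs git credentials (as far as this file shows:
          # nothing pushes or fetches private git dependencies), so do not
          # leave the token in .git/config where install-time hooks
          # (pip build backends, npm scripts) could read it.
          persist-credentials: false
      - name: Set up Python 3.9
        uses: actions/setup-python@v5
        with:
          # NOTE(review): 3.9 reached end-of-life in October 2025 (PEP 596);
          # if this is still the CI interpreter, schedule an upgrade so tests
          # run on a version that still receives security fixes.
          python-version: "3.9"
      - name: Install dependencies
        # NOTE(review): this resolves unpinned ranges from pyproject at every
        # run; the frontend uses `npm ci` + a lockfile, the backend has no
        # equivalent visible here. Consider a constraints/lock file so CI
        # installs a reproducible, auditable set.
        run: pip install -e ".[dev]"
      - name: Lint
        run: ruff check src/ tests/
      - name: AST verify
        # The previous form, `find … -exec python -c "…" {} \;`, could never
        # fail the job: with the `\;` terminator find's exit status ignores
        # the command's result, so a SyntaxError only printed a traceback.
        # Walk the files in Python and exit non-zero on any parse failure.
        run: |
          python - <<'EOF'
          import ast
          import pathlib
          import sys

          failed = False
          for root in ("src", "tests"):
              for path in sorted(pathlib.Path(root).rglob("*.py")):
                  try:
                      ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
                  except SyntaxError as exc:
                      failed = True
                      print(f"FAIL: {path}: {exc}", file=sys.stderr)
                  else:
                      print("OK:", path)
          sys.exit(1 if failed else 0)
          EOF
      - name: Run migrations
        run: alembic upgrade head
      - name: Test
        run: pytest tests/ -v

  frontend:
    name: Frontend (typecheck + build)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # See backend job: no later step needs git auth.
          persist-credentials: false
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Install dependencies
        working-directory: web
        # `npm ci` installs exactly what package-lock.json pins and fails on
        # any drift, which is what we want for a reproducible build.
        run: npm ci
      - name: TypeScript check
        working-directory: web
        run: npx tsc -b
      - name: Build
        working-directory: web
        run: npx vite build

  security:
    name: Security Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Python 3.9
        uses: actions/setup-python@v5
        with:
          python-version: "3.9"
      - name: Install dependencies
        run: pip install -e ".[dev]" pip-audit
      - name: Audit Python dependencies
        # Advisory only: vulnerabilities are tracked in dependency update PRs
        # rather than blocking every commit. `continue-on-error` is used
        # instead of `|| true` so that findings still mark the step as failed
        # (with an annotation in the run summary) while the job stays green —
        # `|| true` hid the result completely.
        continue-on-error: true
        run: pip-audit
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Install frontend dependencies
        working-directory: web
        # Kept as its own step: in the old one-liner
        # `npm ci && npm audit … || true` the `|| true` also swallowed a
        # failed `npm ci`, so a broken lockfile would not have been noticed.
        run: npm ci
      - name: Audit npm dependencies
        working-directory: web
        # Advisory only — same rationale as the pip-audit step above.
        continue-on-error: true
        run: npm audit --audit-level=high

  docker:
    name: Docker Image Build (verify only)
    runs-on: ubuntu-latest
    needs: [backend, frontend]
    # Only on pushes to main; PR builds are covered by the backend/frontend
    # jobs and this job never publishes anything (push: false below), so it
    # needs no registry credentials and fits under `contents: read`.
    if: github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build backend image (no push)
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          push: false
          tags: agentgraph/backend:${{ github.sha }}
      - name: Build frontend image (no push)
        uses: docker/build-push-action@v5
        with:
          context: web
          file: web/Dockerfile
          push: false
          tags: agentgraph/frontend:${{ github.sha }}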