Skip to content

Add ACES MCP server (AUT-807) #36

Add ACES MCP server (AUT-807)

Add ACES MCP server (AUT-807) #36

Workflow file for this run

name: CI
on:
push:
branches: [main]
tags: ["v*"]
pull_request:
branches: [main, dev]
workflow_dispatch:
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
permissions:
contents: read
pull-requests: write
jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
- name: Resolve policy base revision
id: base
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
echo "base_rev=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
else
echo "base_rev=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
fi
- name: Resolve requirement UID from branch
id: requirement
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
run: |
REQ_UID="$(printf '%s\n' "$BRANCH" | grep -oE '[A-Z]{3}-[0-9]{3}' | head -n1 || true)"
echo "Resolved branch='$BRANCH' uid='$REQ_UID'"
echo "uid=$REQ_UID" >> "$GITHUB_OUTPUT"
- name: Run canonical verification graph
env:
ACES_REQUIREMENT_UID: ${{ steps.requirement.outputs.uid }}
GC_BASE_URL: ${{ vars.GC_BASE_URL }}
run: >
uv tool run --from 'nox[uv]==2026.4.10'
nox -f noxfile.py -s verify --
--base-rev "${{ steps.base.outputs.base_rev }}"
- name: Upload coverage report
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: coverage-report
path: implementations/python/coverage.xml
fuzz:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: "3.12"
- name: Install uv
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
- name: Run fuzz session
run: uv tool run --from 'nox[uv]==2026.4.10' nox -f noxfile.py -s fuzz
sonar:
runs-on: ubuntu-latest
needs: [verify]
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: coverage-report
path: implementations/python/
- name: SonarCloud Scan
uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}