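# CI pipeline: tests (matrix), FIPS-mode run, security scanners, Docker build + scan,
# and sdist/wheel packaging. Every third-party action is pinned to a full commit SHA
# so a moved tag cannot change what runs; keep the pins current via Dependabot.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch: {}

# Least privilege for GITHUB_TOKEN: nothing here pushes, publishes or comments.
permissions:
  contents: read

# One run per ref; a newer push cancels the older in-flight run.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

# bash on every runner (including Windows) so multi-line `run:` blocks behave the same.
defaults:
  run:
    shell: bash

jobs:
  test:
    name: pytest (${{ matrix.python-version }} / ${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    # Cap on runaway jobs (GitHub's default is 360 min); raise if the suite legitimately grows.
    timeout-minutes: 45
    strategy:
      fail-fast: false
      # Full 2x2 product; the previous `include:` entries for windows-latest produced
      # exactly these four combinations, so this is equivalent and easier to read.
      matrix:
        os: [ubuntu-latest, windows-latest]
        python-version: ["3.12", "3.13"]
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: ${{ matrix.python-version }}
          cache: pip
      - name: Install runtime + dev dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e '.[all,dev]'
      - name: Run unit / integration / security / system tests
        run: python -m pytest tests/unit tests/integration tests/security tests/system -q --maxfail=5
      - name: Quick benchmark smoke-test
        run: stegx benchmark --iterations 1 --size-kib 8

  fips:
    name: FIPS mode round-trip
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Set up Python 3.12
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.12"
          cache: pip
      - name: Install runtime + dev dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e '.[all,dev]'
      - name: Run full test suite under FIPS mode
        # Same suite as `test`, with the application's FIPS switch enabled; quoted so it
        # stays the string "1" rather than an int.
        env:
          STEGX_FIPS: "1"
        run: python -m pytest tests/unit tests/integration tests/security tests/system -q --maxfail=5

  security-scan:
    name: Security scanners
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # Job-level so the Snyk step's `if:` can see it (the `secrets` context is not
    # available in a step-level `if:`). Trade-off: every step in this job can read it.
    # Forked pull requests get an empty value, which skips the Snyk gate.
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.12"
          cache: pip
      - name: Install dependencies + security tools
        run: |
          python -m pip install --upgrade pip
          pip install -e '.[all,dev]'
          pip install bandit pip-audit
      # `-ll` reports MEDIUM severity and above (`-l` LOW, `-lll` HIGH); bandit has no
      # CRITICAL level. The report step never fails the job; the gate step below does.
      - name: Bandit — static analysis report (non-fatal)
        run: bandit -r src/stegx -ll --format json -o bandit-report.json || true
      - name: Bandit — fail on MEDIUM severity and above
        run: bandit -r src/stegx -ll
      - name: pip-audit — known CVEs in dependencies
        # `--strict` also fails on packages that cannot be audited instead of skipping them.
        run: |
          pip-audit --strict \
            --requirement requirements.txt \
            --requirement requirements/dev.txt \
            --requirement requirements/extras.txt
      - name: Snyk Code — SAST gate (high/critical)
        if: env.SNYK_TOKEN != ''
        # The Snyk CLI is distributed via npm (the PyPI `snyk` package is the API client
        # library and does not ship the `snyk` executable). The CLI reads SNYK_TOKEN from
        # the environment, so no `snyk auth <token>` call — passing the token as a
        # command-line argument would also expose it in the process list.
        run: |
          npm install -g snyk
          snyk code test --severity-threshold=high
      - name: Upload bandit report
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: bandit-report
          path: bandit-report.json
          retention-days: 14

  docker:
    name: Docker image build + scan
    runs-on: ubuntu-latest
    timeout-minutes: 30
    needs: test
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
      - name: Build StegX image
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
        with:
          context: .
          file: Dockerfile
          # Load into the local daemon for scanning and smoke-testing; never pushed from CI.
          load: true
          push: false
          tags: stegx:ci
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Install Trivy CLI
        # TODO(review): this fetches the installer from the `main` branch and runs it as
        # root, so the scanner itself is the one unpinned dependency in this workflow.
        # Pin it to a release ref (and ideally verify the downloaded binary's checksum)
        # once the team settles on a Trivy version.
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sudo sh -s -- -b /usr/local/bin
          trivy --version
      - name: Trivy — CRITICAL/HIGH gate
        # `--ignore-unfixed` keeps the gate actionable: only findings with an available fix fail it.
        run: |
          trivy image \
            --severity CRITICAL,HIGH \
            --ignore-unfixed \
            --exit-code 1 \
            --format table \
            stegx:ci
      - name: Smoke-test the built image
        run: |
          docker run --rm stegx:ci --version
          docker run --rm stegx:ci benchmark --iterations 1 --size-kib 8

  package:
    name: Build sdist + wheel
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: test
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          # Full history so version derivation from tags (if used by the build) works.
          fetch-depth: 0
      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.12"
          cache: pip
      - name: Install build + twine
        run: |
          python -m pip install --upgrade pip
          pip install build twine
      - name: Build
        run: python -m build
      - name: Validate distributions
        run: twine check dist/*
      - name: Upload dist artefacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: stegx-dist
          path: dist/*
          retention-days: 14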