You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(ci): set up GitHub Actions CI/CD with pytest matrix, lint, security scan (#49)
Establishes a production-grade CI/CD pipeline so every PR enforces the
same quality gates: cross-platform test execution, static analysis, and
security scanning. Publishing to PyPI is now a declarative, artifact-driven
release workflow triggered by GitHub Releases.
Workflows:
- test.yml: pytest matrix on ubuntu-latest and windows-latest across
Python 3.11, 3.12, 3.13. Installs the package with the new `dev` extras
(pip install -e ".[dev,blockchain]"), runs pytest with branch coverage
across services, tools, auth, blockchain, and api, uploads coverage XML
to Codecov from a single ubuntu/3.12 job to avoid duplicate uploads, and
keeps the existing crypto / merkle / SSRF smoke tests.
- lint.yml: ruff check (blocking) plus mypy (advisory) so style issues
fail fast while gradual type adoption does not block merges. Pinned to
ruff >= 0.6.0 and the shared pyproject.toml ruff config.
- security.yml: pip-audit for dependency CVEs (advisory on PR, strict on
main/schedule), bandit medium+ severity/confidence SAST, and safety as
an advisory CVE scanner. Also runs weekly via cron (Monday 06:00 UTC).
- publish.yml: build -> twine check -> upload-artifact pipeline, then a
separate publish-pypi job using the PYPI_API_TOKEN secret with
skip-existing, and an attach-release-assets job that attaches the
built sdist and wheel to the GitHub Release.
Project config:
- pyproject.toml: add `dev`, `lint`, and `security` optional-dependency
groups so contributors can `pip install -e ".[dev]"` locally and match
CI exactly. Add pytest-cov to the `test` extra. Add tool sections for
ruff (conservative initial rule set so CI passes without a repo-wide
style rewrite), mypy (permissive baseline), bandit (excludes tests,
examples, demos), and coverage (branch coverage, source list).
- README.md: replace the hard-coded version badge with live CI, lint,
security, and Codecov badges. Add a PyPI download count badge.
Tooling notes:
- actions/checkout@v4, actions/setup-python@v5, codecov/codecov-action@v5,
actions/upload-artifact@v4 and download-artifact@v4 used throughout.
- No `os.chmod` / POSIX-specific tests are present in the suite today, so
no platform skips are required for the Windows matrix leg.
- pytest-asyncio configured via asyncio_mode = "auto" already, so the
Windows runners inherit the same event-loop policy as Linux.
python -c "from auth.ssrf import validate_url_host; assert validate_url_host('127.0.0.1') is not None; assert validate_url_host('localhost') is not None; print('SSRF OK')"
0 commit comments