feat: set up GitHub Actions CI/CD with pytest matrix, lint, security scan#49
Conversation
…ity scan Establishes a production-grade CI/CD pipeline so every PR enforces the same quality gates: cross-platform test execution, static analysis, and security scanning. Publishing to PyPI is now a declarative, artifact-driven release workflow triggered by GitHub Releases. Workflows: - test.yml: pytest matrix on ubuntu-latest and windows-latest across Python 3.11, 3.12, 3.13. Installs the package with the new `dev` extras (pip install -e ".[dev,blockchain]"), runs pytest with branch coverage across services, tools, auth, blockchain, and api, uploads coverage XML to Codecov from a single ubuntu/3.12 job to avoid duplicate uploads, and keeps the existing crypto / merkle / SSRF smoke tests. - lint.yml: ruff check (blocking) plus mypy (advisory) so style issues fail fast while gradual type adoption does not block merges. Pinned to ruff >= 0.6.0 and the shared pyproject.toml ruff config. - security.yml: pip-audit for dependency CVEs (advisory on PR, strict on main/schedule), bandit medium+ severity/confidence SAST, and safety as an advisory CVE scanner. Also runs weekly via cron (Monday 06:00 UTC). - publish.yml: build -> twine check -> upload-artifact pipeline, then a separate publish-pypi job using the PYPI_API_TOKEN secret with skip-existing, and an attach-release-assets job that attaches the built sdist and wheel to the GitHub Release. Project config: - pyproject.toml: add `dev`, `lint`, and `security` optional-dependency groups so contributors can `pip install -e ".[dev]"` locally and match CI exactly. Add pytest-cov to the `test` extra. Add tool sections for ruff (conservative initial rule set so CI passes without a repo-wide style rewrite), mypy (permissive baseline), bandit (excludes tests, examples, demos), and coverage (branch coverage, source list). - README.md: replace the hard-coded version badge with live CI, lint, security, and Codecov badges. Add a PyPI download count badge. Tooling notes: - actions/checkout@v4, actions/setup-python@v5, codecov/codecov-action@v5, actions/upload-artifact@v4 and download-artifact@v4 used throughout. - No `os.chmod` / POSIX-specific tests are present in the suite today, so no platform skips are required for the Windows matrix leg. - pytest-asyncio configured via asyncio_mode = "auto" already, so the Windows runners inherit the same event-loop policy as Linux.
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 19 minutes and 45 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (6)
Note
|
Deploying attestix with
|
| Latest commit: |
6f94151
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://645f8381.attestix.pages.dev |
| Branch Preview URL: | https://feat-github-actions-cicd.attestix.pages.dev |
Minor version bump (0.2.5 -> 0.3.0) bundling seven previously merged but unreleased pull requests. Security: - CRITICAL: delegation chain auth bypass fix (PR #45). Parent tokens and capability attenuation are now strictly verified on every delegation verify. - SSRF hardening on agent discovery, DID resolution, credential fetch (PR #47). - Timing-safe comparisons for signature and token equality checks (PR #47). - Seven REST API router exception paths no longer leak internals to clients (PR #47). Added: - Real LangChain integration using BaseCallbackHandler (PR #42). - Real OpenAI Agents SDK integration via MCPServerStdio (PR #48). - Real CrewAI integration via MCPServerAdapter (PR #51). Fixed: - Article 43 Annex III conformity assessment now correctly differentiates categories that require a notified body versus permitted self-assessment (PR #46). - EAS schema UID derivation matches the on-chain EAS encoding (PR #50). - Attested event decoding prefers web3.py ABI decoding with a hardened topic-signature fallback (PR #50). - tests/conftest.py blockchain_service_mock now emits an Attested log with the correct topic[0] so the hardened decoder is exercised end to end. Infrastructure: - GitHub Actions CI/CD: pytest matrix (py 3.10 through 3.13), ruff, mypy, bandit, pip-audit, plus a PyPI publish workflow on release creation (PR #49). - Default pytest addopts now include "-p no:logfire" so that transitive installs of opentelemetry-sdk (via CrewAI) do not abort collection with ImportError: cannot import name 'ReadableLogRecord'. Files updated: pyproject.toml (0.2.5 -> 0.3.0, addopts), attestix/__init__.py (0.2.4 -> 0.3.0), server.json (0.2.4 -> 0.3.0), CHANGELOG.md (0.3.0 section), tests/conftest.py (Attested log mock). All 358 tests pass, 1 skipped. twine check on wheel and sdist: PASSED.
…real integrations) Sync public docs and pyproject classifiers to the v0.3.0 ground truth after all today's merges (PRs #41, #42, #45, #46, #47, #48, #49, #50, #51, #55). README.md: - Update hero subtitle to 358 tests, 44 REST endpoints, and the 3 real framework integrations (LangChain, OpenAI Agents SDK, CrewAI). - Replace the 284 / 91 legacy test counts with the current split (358 passing, 1 skipped on Windows for POSIX chmod; 79 benchmarks). docs/changelog.md: - Add a full v0.3.0 section covering: real LangChain, OpenAI Agents, and CrewAI integrations; 7 framework examples + 15 integration tests; GitHub Actions CI/CD matrix across Python 3.10-3.13; EAS schema UID correctness; Annex III Article 43 differentiation; the CRITICAL delegation chain auth bypass fix; the security batch (SSRF, API timing, exception leaks, display_name, key perms); the 4 HIGH blockers fix + PyJWT CVE-2026-32597 mitigation + dependency pinning; and the test count move from 284 to 358. docs/roadmap.md: - Add Phase 3.5 (Complete, v0.3.0) describing the real framework integrations, CI/CD, and security hardening delivered today. - Note EAS integration is complete and testnet-ready on Base Sepolia but mainnet schema registration is still outstanding. - Rewrite the version plan: 0.3.0 is Phase 3.5 (shipped), 0.4.0 now targets broader GDPR coverage, ISO/IEC 42001 alignment, and EAS mainnet schema registration. ERC-8004 / A2A sync / ANS / Polygon ID move to 0.5.0. pyproject.toml: - Drop the Python 3.10 classifier so classifiers match the CI test matrix (3.11, 3.12, 3.13). requires-python remains >=3.10 for now so existing installs do not break. Out of tree (gitignored) and updated separately: - paper/internal/standards-coverage.md: reconciled test totals to 358, flagged DPDPA as NOT IMPLEMENTED (pitch reference only, no code), scoped broader GDPR beyond Article 17 to v0.4.0, and noted EAS mainnet schema is not yet registered. - MEMORY.md (global): updated version to 0.3.0, test count to 358, services to 12, REST endpoints to 44, GitHub stars to 15, PyPI totals 2,947 / 941 month, and documented the 10 merged PRs and the real-vs-simulated integration split.
…real integrations) (#58) Sync public docs and pyproject classifiers to the v0.3.0 ground truth after all today's merges (PRs #41, #42, #45, #46, #47, #48, #49, #50, #51, #55). README.md: - Update hero subtitle to 358 tests, 44 REST endpoints, and the 3 real framework integrations (LangChain, OpenAI Agents SDK, CrewAI). - Replace the 284 / 91 legacy test counts with the current split (358 passing, 1 skipped on Windows for POSIX chmod; 79 benchmarks). docs/changelog.md: - Add a full v0.3.0 section covering: real LangChain, OpenAI Agents, and CrewAI integrations; 7 framework examples + 15 integration tests; GitHub Actions CI/CD matrix across Python 3.10-3.13; EAS schema UID correctness; Annex III Article 43 differentiation; the CRITICAL delegation chain auth bypass fix; the security batch (SSRF, API timing, exception leaks, display_name, key perms); the 4 HIGH blockers fix + PyJWT CVE-2026-32597 mitigation + dependency pinning; and the test count move from 284 to 358. docs/roadmap.md: - Add Phase 3.5 (Complete, v0.3.0) describing the real framework integrations, CI/CD, and security hardening delivered today. - Note EAS integration is complete and testnet-ready on Base Sepolia but mainnet schema registration is still outstanding. - Rewrite the version plan: 0.3.0 is Phase 3.5 (shipped), 0.4.0 now targets broader GDPR coverage, ISO/IEC 42001 alignment, and EAS mainnet schema registration. ERC-8004 / A2A sync / ANS / Polygon ID move to 0.5.0. pyproject.toml: - Drop the Python 3.10 classifier so classifiers match the CI test matrix (3.11, 3.12, 3.13). requires-python remains >=3.10 for now so existing installs do not break. Out of tree (gitignored) and updated separately: - paper/internal/standards-coverage.md: reconciled test totals to 358, flagged DPDPA as NOT IMPLEMENTED (pitch reference only, no code), scoped broader GDPR beyond Article 17 to v0.4.0, and noted EAS mainnet schema is not yet registered. - MEMORY.md (global): updated version to 0.3.0, test count to 358, services to 12, REST endpoints to 44, GitHub stars to 15, PyPI totals 2,947 / 941 month, and documented the 10 merged PRs and the real-vs-simulated integration split.
…rce Cloudflare redeploy The Cloudflare Pages project is still wired to this monorepo's website/ subdirectory, not the split-out VibeTensor/attestix-website repo. When PR #1 and PR #2 merged in attestix-website, the live site never picked them up because Cloudflare was watching this directory instead. This commit replays both PRs against website/ so the live site actually updates before tomorrow's YC demo. Content fixes replayed from attestix-website#1 Replace 16-reps Julie Zhuo testimonial loop with three distinct real validation quotes (Yoshua Bengio, Alvaro Cabrejas Egea from the EU AI Office, Matt Pagett). Drop the second Marquee and lower repeat from 4 to 2 so the same quote does not surface 16 times in the DOM. Add VHS demo tape and asciinema walkthrough files under public/. Add a redirect stub at content/docs/guides/eu-compliance-walkthrough.mdx so the old link Matt Pagett hit no longer 404s. Content fixes replayed from attestix-website#2 Fix NumberTicker SSR so initial render shows the target value formatted with Intl.NumberFormat instead of the start value. Crawlers, no-JS visitors, and social previews now see 47 / 358 / 6 even if hydration never completes. On the client the component snaps to startValue on first-in-view and springs up to value, preserving the count-up effect. Add v0.3.0 flagship story to the landing page. Technology Stack gains a new Agent Frameworks category with LangChain, OpenAI Agents SDK, and CrewAI, labelled as real shipped integrations (not simulations). Hero subcopy and FAQ copy updated to mention the three integrations. Bump ATTESTIX_VERSION default and package.json version from 0.2.4 to 0.3.0. Replace stale 284 test counts with 358 (1 skipped on Windows) across the architecture guide, configuration reference, contributing guide, roadmap version plan, and research abstract. Historical 0.2.0 and 0.2.1 changelog entries keep their original 284 figure but now point forward to the 0.3.0 entry. Add a full 0.3.0 changelog entry covering every PR merged today: framework integrations (#41, #42, #48, #51), CI/CD setup (#49, #54, #56, #58), six security fixes (#45, #47, #55), EAS schema UID and Article 43 correctness fixes (#46, #50), and persona e2e polish (#57). Rewrite the sitemap generator to import the Fumadocs source loader and emit every docs page in content/docs/** automatically, weighted per section. The previous hand-maintained list surfaced only 4 of 17 docs pages to crawlers. The final sitemap now has 32 URLs (was 14).
…rce Cloudflare redeploy (#60) The Cloudflare Pages project is still wired to this monorepo's website/ subdirectory, not the split-out VibeTensor/attestix-website repo. When PR #1 and PR #2 merged in attestix-website, the live site never picked them up because Cloudflare was watching this directory instead. This commit replays both PRs against website/ so the live site actually updates before tomorrow's YC demo. Content fixes replayed from attestix-website#1 Replace 16-reps Julie Zhuo testimonial loop with three distinct real validation quotes (Yoshua Bengio, Alvaro Cabrejas Egea from the EU AI Office, Matt Pagett). Drop the second Marquee and lower repeat from 4 to 2 so the same quote does not surface 16 times in the DOM. Add VHS demo tape and asciinema walkthrough files under public/. Add a redirect stub at content/docs/guides/eu-compliance-walkthrough.mdx so the old link Matt Pagett hit no longer 404s. Content fixes replayed from attestix-website#2 Fix NumberTicker SSR so initial render shows the target value formatted with Intl.NumberFormat instead of the start value. Crawlers, no-JS visitors, and social previews now see 47 / 358 / 6 even if hydration never completes. On the client the component snaps to startValue on first-in-view and springs up to value, preserving the count-up effect. Add v0.3.0 flagship story to the landing page. Technology Stack gains a new Agent Frameworks category with LangChain, OpenAI Agents SDK, and CrewAI, labelled as real shipped integrations (not simulations). Hero subcopy and FAQ copy updated to mention the three integrations. Bump ATTESTIX_VERSION default and package.json version from 0.2.4 to 0.3.0. Replace stale 284 test counts with 358 (1 skipped on Windows) across the architecture guide, configuration reference, contributing guide, roadmap version plan, and research abstract. Historical 0.2.0 and 0.2.1 changelog entries keep their original 284 figure but now point forward to the 0.3.0 entry. Add a full 0.3.0 changelog entry covering every PR merged today: framework integrations (#41, #42, #48, #51), CI/CD setup (#49, #54, #56, #58), six security fixes (#45, #47, #55), EAS schema UID and Article 43 correctness fixes (#46, #50), and persona e2e polish (#57). Rewrite the sitemap generator to import the Fumadocs source loader and emit every docs page in content/docs/** automatically, weighted per section. The previous hand-maintained list surfaced only 4 of 17 docs pages to crawlers. The final sitemap now has 32 URLs (was 14).
Summary
test.yml(pytest matrix on ubuntu+windows, Python 3.11/3.12/3.13, coverage to Codecov),lint.yml(ruff blocking, mypy advisory),security.yml(pip-audit, bandit, safety, weekly cron), and rewritespublish.ymlinto a build -> verify -> publish -> attach-artifacts pipeline usingPYPI_API_TOKEN.dev,lint, andsecurityoptional-dependency groups inpyproject.tomlso contributors can reproduce CI locally withpip install -e ".[dev]". Adds ruff, mypy, bandit, and coverage config sections.Why
Required secrets (user action)
PYPI_API_TOKEN- for publishing to PyPI.CODECOV_TOKEN- optional, only needed for private repos (public repos use Codecov's tokenless upload).Test plan
Testsworkflow runs on this PR, all 6 matrix cells (3 versions x 2 OSes) green.Lintworkflow runs on this PR, ruff passes, mypy reports advisory only.Securityworkflow runs on this PR, bandit passes, pip-audit advisory.Publishworkflow is not triggered by PR (only by release / manual dispatch).Follow-ups (not in this PR)
ruff check --fixacross the repo in a dedicated style cleanup PR, then re-enable F541/I001/E701 rules.passwordfield.