Skip to content

ci(github-actions): bump softprops/action-gh-release from 2 to 3 #1394

ci(github-actions): bump softprops/action-gh-release from 2 to 3

ci(github-actions): bump softprops/action-gh-release from 2 to 3 #1394

Workflow file for this run

name: LuminaGuard CI
on:
push:
branches: [main, develop]
pull_request:
jobs:
# Security scan (runs first)
security-scan:
name: Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Run Rust security audit
working-directory: orchestrator
run: cargo install cargo-audit --version 0.22.1 && cargo audit || true
- name: Run Python security scan (bandit)
working-directory: agent
run: |
pip install bandit[toml]
bandit -r . --exclude .venv,tests,__pycache__ -f json -o bandit-report.json || true
# Fail on critical issues only (bandit exit codes: 1=error, 2=issues found)
RESULT=$?
if [ $RESULT -eq 1 ]; then exit 1; fi
echo "Bandit scan completed with exit code: $RESULT"
- name: Get base commit for secret scan
id: get-base
run: |
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "base=${{ github.event.pull_request.base.sha }}" >> $GITHUB_OUTPUT
else
echo "base=${{ github.event.repository.default_branch }}" >> $GITHUB_OUTPUT
fi
- name: Check if base and head differ
id: check-diff
run: |
BASE="${{ steps.get-base.outputs.base }}"
HEAD=$(git rev-parse HEAD)
if [ "$BASE" == "$HEAD" ]; then
echo "same=true" >> $GITHUB_OUTPUT
echo "⚠️ BASE and HEAD commits are the same, skipping secret scan"
else
echo "same=false" >> $GITHUB_OUTPUT
echo "🔍 Scanning for secrets between $BASE and $HEAD"
fi
- name: Check for secrets
if: steps.check-diff.outputs.same == 'false'
uses: trufflesecurity/trufflehog@4158734f234bd8770128deae2e2975cfab4b66a6
with:
path: ./
base: ${{ steps.get-base.outputs.base }}
head: HEAD
continue-on-error: true
# Build Rust orchestrator (needed by Python tests)
build-orchestrator:
name: Build Orchestrator
runs-on: ubuntu-latest
needs: [security-scan]
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Install Rust
uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7
with:
toolchain: stable
- name: Build orchestrator
working-directory: orchestrator
run: cargo build --release
- name: Upload orchestrator binary
uses: actions/upload-artifact@v4
with:
name: orchestrator-bin
path: orchestrator/target/release/luminaguard
retention-days: 1
# Python tests
test-python:
name: Test Python (Agent)
runs-on: ${{ matrix.os }}
needs: [build-orchestrator]
strategy:
matrix:
os: [ubuntu-latest, macos-latest]
python: ['3.11', '3.12']
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python }}
- name: Cache pip packages
uses: actions/cache@v5
with:
path: agent/.venv
key: ${{ runner.os }}-pip-${{ matrix.python }}-${{ hashFiles('agent/pyproject.toml') }}
- name: Install dependencies
working-directory: agent
run: |
python -m venv .venv
.venv/bin/pip install --upgrade pip
.venv/bin/pip install -e ".[dev]"
- name: Download orchestrator binary
uses: actions/download-artifact@v4
with:
name: orchestrator-bin
path: orchestrator/target/release/
- name: Make orchestrator executable
run: chmod +x orchestrator/target/release/luminaguard
- name: Run pytest
working-directory: agent
run: .venv/bin/pytest tests/ -v
- name: Check formatting (black)
working-directory: agent
run: .venv/bin/black --check loop.py tests/
- name: Run mypy
working-directory: agent
run: .venv/bin/mypy loop.py || true # Optional during development
- name: Check Python LOC limit
working-directory: agent
run: |
LINES=$(wc -l < loop.py)
echo "loop.py has $LINES lines"
if [ $LINES -gt 4000 ]; then
echo "ERROR: loop.py exceeds 4,000 line limit"
exit 1
fi
echo "loop.py under 4,000 lines"
# Rust tests
test-rust:
name: Test Rust (Orchestrator)
runs-on: ${{ matrix.os }}
needs: [test-python, security-scan]
strategy:
matrix:
os: [ubuntu-latest, macos-latest]
rust: [stable]
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Install Rust
uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7
with:
toolchain: ${{ matrix.rust }}
- name: Cache cargo registry
uses: actions/cache@v5
with:
path: ~/.cargo/registry
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
- name: Cache cargo index
uses: actions/cache@v5
with:
path: ~/.cargo/git
key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
- name: Cache cargo build
uses: actions/cache@v5
with:
path: orchestrator/target
key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
- name: Run cargo test
working-directory: orchestrator
run: cargo test --verbose
- name: Run cargo clippy
working-directory: orchestrator
run: cargo clippy -- -D warnings
- name: Check formatting
working-directory: orchestrator
run: cargo fmt --all -- --check
# Integration tests (both languages)
test-integration:
name: Integration Tests
runs-on: ubuntu-latest
needs: [test-rust, test-python]
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Install Rust
uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: '3.11'
- name: Install dependencies
run: |
cd agent && python -m venv .venv && .venv/bin/pip install -e ".[dev]"
- name: Run all tests
run: |
echo "Running Rust tests..."
cd orchestrator && cargo test --quiet
echo "Running Python tests..."
cd ../agent && .venv/bin/pytest tests/ -q
echo "All tests passed!"