PythonProjectDeployment/.github/workflows/ci.yml at c7fb45961ffb18a4bf13137fd48bf01de6063b79 · Magic-Man-us/PythonProjectDeployment · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: CI (uv)

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Cancel redundant runs per-branch/PR
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least-privilege for the jobs below
permissions:
  contents: read

jobs:
  test:
    name: Test / Lint / Typecheck (uv)
    runs-on: ubuntu-latest
    # Write perms only where needed
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - python-version: "3.11"
            experimental: false
          - python-version: "3.12"
            experimental: false
          - python-version: "3.13"
            experimental: false
          - python-version: "3.14"   # treat 3.14 as experimental so CI doesn't block if it breaks
            experimental: true
    continue-on-error: ${{ matrix.experimental }}

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install ${{ matrix.python-version }}

      # Ensure dev tools (ruff, mypy, pytest, bandit, safety, pytest-cov) are declared in pyproject dev deps.
      - name: Sync dependencies
        run: uv sync --all-extras --dev

      - name: Lint (ruff)
        run: uv run ruff check .

      - name: Typecheck (mypy)
        run: uv run mypy python_project_deployment

      - name: Tests (pytest)
        run: uv run pytest --cov --cov-report=xml --cov-report=html

      - name: Dangerous API scan (grep)
        continue-on-error: true
        shell: bash
        run: |
          set -euo pipefail
          if grep -R --line-number -E "\beval\(|\bexec\(|pickle\.loads|yaml\.load(?!_safe)|subprocess\.(Popen|call)" python_project_deployment/ tests/ || true; then
            echo "⚠️ Potentially dangerous API usage detected. Please review." >&2
            exit 2
          fi

      - name: Upload coverage.xml
        uses: actions/upload-artifact@v5
        with:
          name: coverage-${{ matrix.python-version }}
          path: coverage.xml

      - name: Upload coverage HTML
        uses: actions/upload-artifact@v5
        with:
          name: coverage-html-${{ matrix.python-version }}
          path: htmlcov

  security:
    name: Security Scan (Bandit + Safety)
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read

    env:
      SECURITY_FAIL_LEVEL: MEDIUM

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install 3.11

      - name: Sync dependencies
        run: uv sync --all-extras --dev

      - name: Run Bandit (JSON)
        run: |
          uv run bandit -r python_project_deployment/ -f json -o bandit-report.json || true
          uv run bandit -r python_project_deployment/ -f txt

      - name: Run Safety (JSON)
        run: uv run safety check --json > safety-report.json || true

      - name: Apply Bandit threshold
        run: uv run python scripts/security_bandit_check.py
        continue-on-error: true

      - name: Fail on Safety vulnerabilities
        run: uv run python scripts/security_safety_check.py

      - name: Upload security reports
        if: always()
        uses: actions/upload-artifact@v5
        with:
          name: security-reports
          path: |
            bandit-report.json
            safety-report.json

  docs:
    name: Build Documentation
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: write  # Needed for GitHub Pages deployment

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install 3.11

      - name: Sync dependencies (includes sphinx)
        run: uv sync --all-extras --dev

      - name: Build documentation
        run: uv run sphinx-build -b html docs docs/_build/html

      - name: Upload documentation artifacts
        uses: actions/upload-artifact@v5
        with:
          name: documentation
          path: docs/_build/html

      - name: Deploy to GitHub Pages
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./docs/_build/html
          keep_files: false