From 03937dc263eae0bf8dcdbdf371c0bd2ec78cd013 Mon Sep 17 00:00:00 2001
From: mackbook
Date: Wed, 27 May 2026 23:23:01 +0200
Subject: [PATCH] =?UTF-8?q?ci:=20org-weite=20Default-CI=20f=C3=BCr=20AIE-B?=
 =?UTF-8?q?auteile=20(W84-D)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Workflow-Template (GitHub Org-Konvention `.github/workflow-templates/`):
- aie-bauteil-ci.yml: ruff + black + bandit + pytest, Python 3.11+3.12 Matrix
- aie-bauteil-ci.properties.json: Name + Kategorien für Org-Picker
- least-privilege permissions (contents: read), persist-credentials: false
- concurrency-cancel, action-pinning auf @v4/@v5 major-tags

Wirkung: Repos in AI-Engineering-at sehen "AIE Bauteil CI" im "Set up workflow" Picker als Default-Vorlage.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../aie-bauteil-ci.properties.json | 7 ++
 workflow-templates/aie-bauteil-ci.yml | 113 ++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 workflow-templates/aie-bauteil-ci.properties.json
 create mode 100644 workflow-templates/aie-bauteil-ci.yml

diff --git a/workflow-templates/aie-bauteil-ci.properties.json b/workflow-templates/aie-bauteil-ci.properties.json
new file mode 100644
index 0000000..f1189bd
--- /dev/null
+++ b/workflow-templates/aie-bauteil-ci.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "AIE Bauteil CI",
+ "description": "Standard CI für AIE-Bauteile mit ruff/black/bandit/pytest (Python 3.11+3.12 Matrix, least-privilege)",
+ "iconName": "python",
+ "categories": ["Python", "AIE"],
+ "filePatterns": ["pyproject.toml$", "requirements.*\\.txt$", "setup\\.py$"]
+}
diff --git a/workflow-templates/aie-bauteil-ci.yml b/workflow-templates/aie-bauteil-ci.yml
new file mode 100644
index 0000000..fc8193c
--- /dev/null
+++ b/workflow-templates/aie-bauteil-ci.yml
@@ -0,0 +1,113 @@
+---
+# AIE-Bauteil CI - Org-weite Default-Vorlage
+# Standard-CI für AIE-Bauteile (AI Engineering at)
+# Tools: ruff (lint) + black (format) + bandit (security) + pytest (tests)
+# Python 3.11 + 3.12 Matrix, least-privilege Permissions
+
+name: AIE Bauteil CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  workflow_dispatch:
+
+# Least-privilege: read-only default; jobs erhalten nur was sie brauchen
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint (ruff + black)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+
+      - name: Install lint tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruff black
+
+      - name: Ruff check
+        run: ruff check .
+
+      - name: Black format check
+        run: black --check .
+
+  security:
+    name: Security (bandit)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+
+      - name: Install bandit
+        run: |
+          python -m pip install --upgrade pip
+          pip install bandit[toml]
+
+      - name: Bandit scan
+        run: bandit -r . -ll -x ./tests,./test
+
+  test:
+    name: Test (pytest, Python ${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.12"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+          if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
+          if [ -f pyproject.toml ]; then pip install -e ".[dev]" || pip install -e . || true; fi
+          pip install pytest pytest-cov
+
+      - name: Run pytest
+        run: |
+          if [ -d tests ] || [ -d test ]; then
+            pytest --cov --cov-report=term-missing -q
+          else
+            echo "Keine tests/ oder test/ Verzeichnisse - skip"
+          fi
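Review bot: Every `uses:` line in this hunk (`actions/checkout@v4` and `actions/setup-python@v5`, six occurrences across the lint, security and test jobs) references a mutable major tag, so the "action-pinning" the commit message claims is not a pin: whoever can move the tag decides what code a future run executes. For an org-wide default template that is worth hardening to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder — take the SHA from the release you verified), and a dependabot `github-actions` ecosystem entry keeps such pins current. The same applies to the tools installed from PyPI without a version (`pip install ruff black`, `pip install bandit[toml]`, `pip install pytest pytest-cov`): an unpinned install makes a lint or bandit result irreproducible between runs and lets one bad tool release break every repo in the org at once. Separately, `cache: pip` on `setup-python` without a `cache-dependency-path` appears to require a `requirements.txt` or `pyproject.toml` to be present, which the properties file's `setup\.py$` pattern does not guarantee — worth confirming, and if so set `cache-dependency-path` explicitly or drop the cache in the lint and security jobs, which install only fixed tools anyway.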