From bd44fb335863d699a24c5758c4e518924dedb20c Mon Sep 17 00:00:00 2001
From: chinmay ramraika
Date: Sun, 15 Mar 2026 05:25:19 +0530
Subject: [PATCH] ci: upgrade pipeline to ASM quality standard

- Add permissions (contents: read) for security
- Add paths-ignore for docs/config changes
- Add security audit step (pip-audit, advisory)
- Add environment validation
- Add CI summary with markdown table
- Improve flake8 lint configuration

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ci.yml | 67 ++++++++++++++++++++++++++++++++++------
 1 file changed, 58 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2f7258e..6fb20e7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,28 +1,59 @@
+# =============================================
+# Bulk API Trigger - CI Pipeline
+# =============================================
+# Lint → Security Audit → Docker Build → Summary
+# =============================================
+
 name: CI
 
 on:
   push:
     branches: [main, master]
+    paths-ignore: ['*.md', 'docs/**', '.claude/**', '.vscode/**']
   pull_request:
     branches: [main, master]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
-  lint:
-    name: Lint
+  ci:
+    name: CI Quality Gates
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
         with:
           python-version: "3.11"
-      - name: Install linter
-        run: pip install flake8
-      - name: Run flake8
-        run: flake8 *.py --max-line-length=120 --count --select=E9,F63,F7 --show-source --statistics
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt flake8 pip-audit
+
+      - name: Lint (flake8)
+        id: lint
+        run: |
+          flake8 *.py --max-line-length=120 --count --show-source --statistics \
+            --select=E9,F63,F7,F82,E1,E4,W6
+
+      - name: Security audit (pip-audit)
+        id: security
+        continue-on-error: true
+        run: pip-audit --desc 2>&1 | head -50
+
+      - name: Validate environment
+        id: envcheck
+        run: |
+          [ -f "config.yaml" ] && echo "✅ config.yaml found" || echo "⚠️ config.yaml missing"
+          [ -f "Dockerfile" ] && echo "✅ Dockerfile found" || echo "⚠️ Dockerfile missing"
+          [ -f "requirements.txt" ] && echo "✅ requirements.txt found" || echo "❌ requirements.txt missing"
 
   docker-build:
     name: Docker Build
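Review bot: The `Security audit (pip-audit)` step can never report a failure: `pip-audit --desc 2>&1 | head -50` exits with head's status, and the default `run` shell (`bash -e {0}`, no pipefail) does not propagate pip-audit's non-zero exit through the pipe, so the step shows green whether or not vulnerabilities were found and the `continue-on-error: true` is never exercised. Add `shell: bash` to the step (GitHub then runs it with `-eo pipefail`) or drop the `| head -50`, so the step's outcome actually reflects the audit and the advisory status is visible in the run. Auditing with `pip-audit -r requirements.txt` instead of the live environment would also keep the report scoped to the project's declared dependencies rather than flake8, pip-audit and whatever else sits in that interpreter's site-packages. The same install line pulls `flake8` and `pip-audit` at whatever version is current at run time, so pinning them (e.g. `pip-audit==X.Y.Z`) would keep the gate reproducible.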
@@ -31,8 +62,26 @@ jobs:
       - uses: actions/checkout@v4
       - uses: docker/setup-buildx-action@v3
       - name: Build Docker image
+        id: docker
         uses: docker/build-push-action@v5
         with:
           context: .
           push: false
-          tags: bulk-api-trigger:test
+          tags: bulk-api-trigger:ci-${{ github.sha }}
+
+  summary:
+    name: CI Summary
+    runs-on: ubuntu-latest
+    needs: [ci, docker-build]
+    if: always()
+    steps:
+      - name: CI Summary
+        run: |
+          echo "## CI Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Lint + Security | ${{ needs.ci.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Docker Build | ${{ needs.docker-build.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Commit:** \`${GITHUB_SHA::7}\`" >> $GITHUB_STEP_SUMMARY
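Review bot: The `Lint + Security` row reports `needs.ci.result`, which stays `success` when pip-audit finds vulnerabilities because that step carries `continue-on-error: true` in the ci job, so the summary table never surfaces an audit failure. Expose the step's own result instead: give the ci job `outputs: { security: ${{ steps.security.outcome }} }` (a continue-on-error step's `outcome` is `failure` when it failed even though the job goes on) and print it in its own row, `echo "| Security audit | ${{ needs.ci.outputs.security }} |" >> $GITHUB_STEP_SUMMARY`, leaving the lint row on `needs.ci.result`. The `${{ needs.*.result }}` values interpolated into this script come from a fixed vocabulary, so the interpolation itself is not an injection concern; the ci job definition that would carry the `outputs:` block lies outside this hunk.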