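---
# CI workflow: unit tests, advisory lint, repository secret hygiene, and a
# report-only red-team observation job. Every job runs on push / PR to main.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: no job here writes to the repository,
# so the token only needs read access. A job that later needs more should
# raise `permissions` at job level rather than widening this default.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so the version stays a string (unquoted 3.12 is a float).
        python-version: ['3.12']
    steps:
      # Actions are pinned to a major tag; pinning to a full commit SHA
      # (with the tag in a trailing comment) protects against tag
      # retargeting in the action's repository.
      - uses: actions/checkout@v4
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Cache pip dependencies
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pytest pytest-cov
          pip install -r requirements.txt
      - name: Run simulator tests
        # test_sse_server.py is excluded from the CI run (see --ignore).
        run: |
          python -m pytest modules/foundups/simulator/tests/ \
            -v --tb=short \
            --ignore=modules/foundups/simulator/tests/test_sse_server.py
      - name: Run FAM tests
        run: |
          python -m pytest modules/foundups/agent_market/tests/ -v --tb=short

  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install ruff
        run: pip install ruff
      - name: Run ruff check
        # Advisory only: --exit-zero logs findings but never fails the job.
        # Drop it (and the E501/F401 ignores) to turn lint into a gate.
        run: ruff check modules/ --ignore E501,F401 --exit-zero

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for secrets
        # Advisory only: `! <pipeline> || echo` always exits 0, so a match
        # prints the warning but does not fail the job. The prefixes are
        # heuristic (`sk-` in particular matches ordinary identifiers);
        # review hits in the log rather than treating silence as proof.
        run: |
          # Check for common secret patterns in tracked files
          ! git grep -l "AIza\|sk-\|ghp_\|gho_\|AKIA" -- "*.py" "*.json" | grep -v node_modules | grep -v ".example" || echo "Warning: Possible secrets found"
      - name: Verify .env not tracked
        # Hard failure: a tracked top-level .env is treated as a committed
        # secrets file. `!` negates the pipeline, so a grep hit exits 1.
        run: |
          ! git ls-files | grep "^\.env$" || (echo "ERROR: .env is tracked!" && exit 1)

  redteam_observation:
    # FOUNDUPS_AGENT_REDTEAM_CI_OBSERVATION_PHASE1
    #
    # Report-only observation of the agent red-team regression suite.
    # This job runs on every PR/push and surfaces results in CI logs +
    # uploads a JUnit artifact, but does NOT block merge. Activation
    # (blocking gate) is deferred to FOUNDUPS_AGENT_REDTEAM_CI_GATE_ACTIVATION_PHASE1
    # after the observation window completes.
    #
    # If this job fails / is unstable, the broader CI still passes — the
    # operator decides when to promote it to a required check based on
    # the audit doc's activation criteria.
    name: redteam observation (report-only)
    runs-on: ubuntu-latest
    continue-on-error: true  # report-only — must not block PRs in PHASE1
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Cache pip dependencies
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pytest
          # Red-team suite is stdlib + pytest only (no new deps installed
          # by this slice). Project requirements pulled in for parity with
          # the `test` job in case fixtures share runtime imports.
          pip install -r requirements.txt
      - name: Run red-team suite (report-only)
        # The suite must complete with zero skipped tests. We capture the
        # full JUnit report so the observation window can analyse failure
        # modes, runtime, and flake rate offline.
        # `--strict-markers` and explicit `--no-header` keep CI output
        # focused; `-rsxX` shows skipped/xfailed reasons (we expect none).
        #
        # `set -o pipefail` is required: the default `run` shell is
        # `bash -e` without pipefail, so the step's exit status would be
        # tee's (always 0) and a failing suite would be recorded as a
        # passing step — hiding the exact signal this observation window
        # exists to collect. The job itself still never blocks merge
        # because of continue-on-error above.
        run: |
          set -o pipefail
          mkdir -p .redteam-observation
          python -m pytest \
            modules/infrastructure/wre_core/tests/redteam \
            -v --tb=short --no-header --strict-markers -rsxX \
            --junit-xml=.redteam-observation/redteam-report.xml \
            | tee .redteam-observation/redteam-stdout.log
      - name: Summarise observation
        # Runs on success or failure of the previous step; prints a one-
        # line summary (passed / failed / skipped / duration) so the
        # report-only status is visible at a glance in the CI log tail.
        # The heredoc body and its PY terminator sit at the block scalar's
        # base indent so the shell sees them at column 0.
        if: always()
        run: |
          if [ -f .redteam-observation/redteam-report.xml ]; then
            python - <<'PY'
          import xml.etree.ElementTree as ET
          path = ".redteam-observation/redteam-report.xml"
          tree = ET.parse(path)
          root = tree.getroot()
          # JUnit may emit a single <testsuite> root or a <testsuites> wrapper.
          suites = root.findall("testsuite") if root.tag == "testsuites" else [root]
          tests = errors = failures = skipped = 0
          duration = 0.0
          for s in suites:
              tests += int(s.attrib.get("tests", 0))
              errors += int(s.attrib.get("errors", 0))
              failures += int(s.attrib.get("failures", 0))
              skipped += int(s.attrib.get("skipped", 0))
              duration += float(s.attrib.get("time", 0))
          passed = tests - errors - failures - skipped
          # GREEN only when nothing failed, errored or was skipped; any
          # other outcome is flagged OBSERVE for the offline analysis.
          status = "GREEN" if (errors == 0 and failures == 0 and skipped == 0) else "OBSERVE"
          print(f"[REDTEAM-OBSERVATION] status={status} tests={tests} passed={passed} "
                f"failed={failures} errored={errors} skipped={skipped} "
                f"duration={duration:.2f}s mode=report-only")
          PY
          else
            echo "[REDTEAM-OBSERVATION] status=NO_REPORT tests=? mode=report-only"
            echo "[REDTEAM-OBSERVATION] note: junit xml not produced — pytest likely errored before collection"
          fi
      - name: Upload red-team observation artifact
        # Uploaded even when the suite fails so failure modes can be
        # analysed offline; run_id + run_attempt keeps re-runs distinct.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: redteam-observation-${{ github.run_id }}-${{ github.run_attempt }}
          path: .redteam-observation/
          if-no-files-found: warn
          retention-days: 30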