feat: containerize + shared CI pipeline #75
ashsolei wants to merge 12 commits into GitHubSecurityLab:main from
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
chore: sync docs updates
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add status table (version, Python, build system, license)
- Add structured quick start with Codespace, local, and Docker options
- Add environment variables table
- Add package overview section showing src/ layout
- Add verified development commands from CI workflow
- Add deployment and security sections
- Remove prose-heavy Background section in favor of concise intro
- Trim from 82 to 131 lines while adding more actionable content

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add missing ignore rules for:
- OS junk (.DS_Store, Thumbs.db)
- Editor/IDE temp files (*.bak, *.swp, .idea/, .vscode/)
- Node/JS/TS (node_modules/, .next/, .nuxt/)
- Terraform (.terraform/, *.tfstate*)
- Generic coverage/ directory
- Broad .env* glob with .env.example exception
- De-duplicate redundant .env entry in Python section

Part of Wave 1 hardening.
- Python 3.12-slim base with multi-stage build
- Non-root appuser for runtime security
- HEALTHCHECK via Python import validation
- OCI labels for container registry metadata

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace inline CI steps with shared reusable workflow call to Ai-road-4-You/enterprise-ci-cd for consistent Python CI. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Trigger on version tags (v*) to automate GitHub Releases via the shared enterprise pipeline. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Uses tags-override=latest input from shared pipeline PR GitHubSecurityLab#7. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…l@v1 Runs on push, PR, and weekly schedule (Monday 06:00 UTC). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Opened against wrong repo. Re-creating in AiFeatures fork.
Pull request overview
Introduces an initial containerization layer and migrates CI/CD to shared enterprise reusable workflows, alongside documentation and repo hygiene updates to support the new delivery model.
Changes:
- Adds a multi-stage `Dockerfile` for building/running the package in a slim Python image.
- Replaces the in-repo Python CI workflow with `Ai-road-4-You/enterprise-ci-cd@v1` reusable workflows and adds Docker/release/security-scan workflows.
- Updates repository docs and configuration (README rewrite, Dependabot config, expanded `.gitignore`, Copilot/agent instruction docs).
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| README.md | Reworks project overview, quickstart options, env var docs, and CI/deployment notes. |
| Dockerfile | Adds container build/run definition for the repo’s Python package. |
| CLAUDE.md | Adds agent-facing project conventions/integration notes. |
| AGENTS.md | Adds org/infra conventions and review/branch strategy guidance. |
| .gitignore | Expands ignore patterns for cross-platform and Python workflows. |
| .github/workflows/ci.yml | Switches CI to an enterprise reusable Python workflow. |
| .github/workflows/docker.yml | Adds enterprise reusable Docker CI workflow with tag override. |
| .github/workflows/release.yml | Adds enterprise reusable release workflow on version tags. |
| .github/workflows/security-scan.yml | Adds enterprise reusable scheduled/on-PR security scanning workflow. |
| .github/dependabot.yml | Enables weekly updates for GitHub Actions and pip dependencies. |
| .github/copilot-instructions.md | Adds repo-specific Copilot guidance and conventions. |
| | Field | Value | | ||
| |-------|-------| | ||
| | Version | `0.0.4` (pre-release) | | ||
| | Python | `>= 3.9` | | ||
| | Build system | [Hatch](https://hatch.pypa.io/) | | ||
| | License | [MIT](./LICENSE) | |
The markdown table in the Status section has an extra leading `|` on each row (`|| Field | Value |`), which renders as an empty first column on GitHub. Use standard table syntax (`| Field | Value |` and `| --- | --- |`) so the table displays correctly.
| | Variable | Purpose | Default | | ||
| |----------|---------|---------| | ||
| | `AI_API_TOKEN` | AI API credentials | _(required)_ | | ||
| | `AI_API_ENDPOINT` | AI model endpoint | `https://models.github.ai/inference` | | ||
| | `GH_TOKEN` | GitHub API access | _(required)_ | | ||
|
|
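Review bot: The `GH_TOKEN` row gives the purpose only as "GitHub API access" and the `AI_API_TOKEN` row only as "AI API credentials", with no statement of the permissions either token needs. Add the minimum scopes for each so readers can issue a least-privilege token, and state that both are supplied at run time as environment variables rather than written into an image or a committed `.env` file.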
The Environment variables table also uses `||` at the start of each row, which creates an unintended empty column in rendered markdown. Consider switching to single leading pipes so the table layout is correct.
| HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ | ||
| CMD ["python", "-c", "import seclab_taskflows; print('ok')"] | ||
|
|
||
| ENTRYPOINT ["python", "-m", "seclab_taskflows"] |
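Review bot: The `HEALTHCHECK` `CMD` on the first two lines starts a fresh interpreter and imports `seclab_taskflows`, so it reports healthy whenever the package is importable, regardless of what the `ENTRYPOINT` process is doing. For a run-to-completion command, drop the health check; for a long-running one, probe something the running process itself maintains.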
`ENTRYPOINT ["python", "-m", "seclab_taskflows"]` will fail because the `seclab_taskflows` package does not define a `__main__` module (no `src/seclab_taskflows/__main__.py`) and there is no console script in `pyproject.toml`. Update the entrypoint to a runnable module/CLI (e.g., `python -m seclab_taskflow_agent ...`) or add a `__main__.py`/console script that provides the intended container command.
| ENTRYPOINT ["python", "-m", "seclab_taskflows"] | |
| ENTRYPOINT ["python"] |
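Added example, not part of the pull request or of the review comments: a pre-build check for the failure described in the comment above, which reads the exec-form `ENTRYPOINT` from a Dockerfile and confirms that the module given to `python -m` is runnable. The helper names (`entrypoint_module`, `runnable_with_dash_m`, `demo`) are hypothetical, and the package created in the temporary directory is a constructed stand-in, not the real `seclab_taskflows` source.

```python
import importlib.util
import json
import sys
import tempfile
from pathlib import Path


def entrypoint_module(dockerfile_text):
    """Module named by an exec-form ENTRYPOINT ["python", "-m", X], else None."""
    for line in dockerfile_text.splitlines():
        line = line.strip()
        if line.startswith("ENTRYPOINT ["):
            argv = json.loads(line[len("ENTRYPOINT"):])  # exec form is a JSON array
            if len(argv) >= 3 and argv[0].startswith("python") and argv[1] == "-m":
                return argv[2]
    return None


def runnable_with_dash_m(name, search_root):
    """True if `python -m name` would find code to run under search_root."""
    sys.path.insert(0, str(search_root))
    try:
        importlib.invalidate_caches()
        spec = importlib.util.find_spec(name)
        if spec is None or spec.submodule_search_locations is None:
            return spec is not None  # not found -> False, plain module -> True
        # Package: -m runs <name>.__main__; this lookup imports the package first.
        return importlib.util.find_spec(name + ".__main__") is not None
    finally:
        sys.path.remove(str(search_root))
        for mod in [k for k in sys.modules if k == name or k.startswith(name + ".")]:
            del sys.modules[mod]  # forget the package so a re-check starts clean


def demo():
    """Constructed stand-in package, checked before and after adding __main__.py."""
    module = entrypoint_module('ENTRYPOINT ["python", "-m", "seclab_taskflows"]')
    with tempfile.TemporaryDirectory() as root:
        pkg = Path(root) / module
        pkg.mkdir()
        (pkg / "__init__.py").write_text("")
        before = runnable_with_dash_m(module, root)
        (pkg / "__main__.py").write_text("print('ok')\n")
        after = runnable_with_dash_m(module, root)
    return module, before, after


if __name__ == "__main__":
    print(demo())  # ('seclab_taskflows', False, True)
```

Because the package lookup executes the package's `__init__.py`, run the check in the same environment that builds the image rather than against untrusted code.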
| 3. Never push directly to `main` | ||
| 4. Run tests before submitting PR | ||
| 5. Keep dependencies updated via Dependabot | ||
| 6. All file names in **kebab-case** |
This file states “All file names in kebab-case”, but the repo includes several non-kebab-case filenames (e.g., README.md, LICENSE, and this AGENTS.md). Consider clarifying the convention (e.g., apply to new source files / directories) or renaming to match the stated rule to avoid conflicting guidance.
| 6. All file names in **kebab-case** | |
| 6. Use **kebab-case** for new source file and directory names; standard repository metadata files such as `README.md`, `LICENSE`, and `AGENTS.md` may keep their conventional names |
|
|
||
| ## Conventions | ||
|
|
||
| - Use kebab-case for file and directory names |
This file recommends kebab-case for file/directory names, but the repo includes many exceptions (e.g., README.md, LICENSE, CLAUDE.md). Consider scoping the rule (e.g., “new source files under src/”) or aligning filenames to avoid contradictory project guidance.
| - Use kebab-case for file and directory names | |
| - Use kebab-case for new source files and directories; standard top-level files such as `README.md`, `LICENSE`, and `CLAUDE.md` may keep their conventional names |
Wave 1 container layer. Uses enterprise-ci-cd@v1 with tags-override=latest.