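# ⟡ MirrorDNA CI/CD + Security Scanning
# Copy this to .github/workflows/ci.yml in each repo
#
# Layout: three independent jobs (lint-and-test, security-scan,
# citation-spine) plus notify-on-failure, which only runs when one of the
# first two fails. Most lint/scan steps are deliberately best-effort
# (`|| true` and/or `continue-on-error: true`): they report findings in the
# job log without blocking the merge. As a consequence, only hard failures
# (checkout, Python setup, dependency installation) can actually reach
# notify-on-failure — tighten individual steps once a repo is clean.
name: CI + Security

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  schedule:
    # Run security scans weekly
    - cron: '0 9 * * 1'

# Least-privilege GITHUB_TOKEN: read-only checkout. `security-events: write`
# is only needed by a step that uploads SARIF to code scanning; no step below
# does that yet, so drop it if such a step is never added.
permissions:
  contents: read
  security-events: write

jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install flake8 black mypy pytest pytest-cov
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
          if [ -f pyproject.toml ]; then pip install -e ".[dev]" || pip install -e .; fi

      - name: Lint with flake8
        run: |
          # First pass: syntax errors and undefined names only.
          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
          # Second pass: style/complexity report; --exit-zero never fails.
          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
        continue-on-error: true

      - name: Check formatting with black
        run: black --check . || true
        continue-on-error: true

      - name: Type check with mypy
        run: mypy . --ignore-missing-imports || true
        continue-on-error: true

      - name: Run tests
        # Test failures are reported but do not fail the job (see header note).
        run: |
          if [ -d tests ]; then
            pytest tests/ -v --cov=. --cov-report=xml || true
          fi

  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the secret scan below can cover past commits,
          # not only the shallow HEAD checkout.
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install security tools
        run: |
          python -m pip install --upgrade pip
          pip install safety bandit pip-audit

      - name: Check for known vulnerabilities (safety)
        run: |
          if [ -f requirements.txt ]; then
            safety check -r requirements.txt --full-report || true
          fi
        continue-on-error: true

      - name: Audit dependencies (pip-audit)
        run: |
          if [ -f requirements.txt ]; then
            pip-audit -r requirements.txt || true
          fi
        continue-on-error: true

      - name: Security lint with bandit
        run: |
          # JSON report is kept as an artifact (next step); txt output is for the log.
          bandit -r . -f json -o bandit-report.json || true
          bandit -r . -f txt || true
        continue-on-error: true

      - name: Upload bandit report
        # Without this the JSON report written above is discarded with the runner.
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: bandit-report.json
          if-no-files-found: ignore

      - name: Check for secrets
        # NOTE(review): @main is a moving target — pin to a release tag or a
        # full commit SHA before relying on this scan's results.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # presumably an empty base makes the action scan the whole checkout
          # rather than a commit range — confirm against the action's docs.
          base: ""
          extra_args: --only-verified
        continue-on-error: true

  citation-spine:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Verify canonical spine
        # Counts how many attribution elements appear in README.md and emits a
        # workflow warning (never a failure) when fewer than 3 are present.
        run: |
          echo "Checking for canonical spine in README..."
          SPINE_ELEMENTS=(
            "N1 Intelligence"
            "Active MirrorOS"
            "MirrorDNA"
            "Paul Desai"
            "activemirror.ai"
          )
          TOTAL="${#SPINE_ELEMENTS[@]}"
          SCORE=0
          for element in "${SPINE_ELEMENTS[@]}"; do
            if grep -qi "$element" README.md 2>/dev/null; then
              echo "✓ Found: $element"
              SCORE=$((SCORE + 1))
            else
              echo "✗ Missing: $element"
            fi
          done
          echo ""
          echo "Spine coverage: $SCORE/$TOTAL"
          if [ "$SCORE" -lt 3 ]; then
            echo "::warning::Citation spine incomplete ($SCORE/$TOTAL). Add canonical attribution."
          fi

  notify-on-failure:
    # citation-spine is intentionally excluded: it only ever warns.
    needs: [lint-and-test, security-scan]
    if: failure()
    runs-on: ubuntu-latest
    steps:
      - name: Notify on failure
        run: |
          echo "CI failed - notification would be sent here"
          # Add Pushover/Slack notification here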