feat(ci): add Tier 1 testing pipeline — lint, typecheck, test, security#13
Conversation
- Add CI workflow with 4 jobs: ruff lint/format, mypy typecheck, pytest with Python 3.10/3.11/3.12 matrix, and security scan (pip-audit + bandit) - Add tool configurations in pyproject.toml (ruff, mypy, pytest, bandit) aligned with videoDubbing-cli style - Add dev dependencies: ruff, mypy, pytest-cov, bandit, pip-audit - Create smoke tests: package import, CLI help, version flag - Fix existing lint issues: ruff check + format compliance Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add type annotations for dict variables (lang_counts, tag_counts, params) - Fix _format_size to accept int|float and avoid reassigning int to float - Add default values for .get() calls to satisfy mypy type narrowing Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds a Tier 1 CI pipeline and baseline tooling/tests to enforce linting, type checking, testing, and security scanning on PRs and main pushes.
Changes:
- Introduces GitHub Actions workflow with lint (ruff), typecheck (mypy), tests (pytest + coverage matrix), and security scans (pip-audit + bandit).
- Adds tool configuration and dev dependencies in
pyproject.toml(ruff/mypy/pytest/bandit) plus a newtests/smoke test suite. - Applies formatting/type-hint modernizations across the CLI codebase (e.g.,
Optional→X | None, formatting-only refactors).
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/ci.yml |
Adds multi-job CI pipeline (lint/typecheck/test/security). |
pyproject.toml |
Adds dev extras and tool configs for ruff/mypy/pytest/bandit. |
tests/test_smoke.py |
Adds smoke tests for importability and basic CLI behaviors. |
tests/conftest.py |
Adds test package scaffolding. |
tests/__init__.py |
Creates tests package marker. |
src/narrator_ai/cli.py |
Minor formatting around CLI callback/options. |
src/narrator_ai/client.py |
Updates type hints + minor context manager refactor. |
src/narrator_ai/config.py |
Minor formatting changes to config IO and errors. |
src/narrator_ai/output.py |
Updates type hints (Optional → unions). |
src/narrator_ai/commands/user.py |
Formatting-only changes for request payloads/import ordering. |
src/narrator_ai/commands/task.py |
Formatting/type-hint updates and import ordering. |
src/narrator_ai/commands/materials.py |
Import ordering cleanup. |
src/narrator_ai/commands/file.py |
Formatting/type-hint updates and payload formatting. |
src/narrator_ai/commands/dubbing.py |
Formatting/type-hint updates and readability improvements. |
src/narrator_ai/commands/bgm.py |
Formatting/type-hint updates. |
Comments suppressed due to low confidence (1)
pyproject.toml:34
[dependency-groups].devonly includes pytest/pytest-asyncio, while the newly added[project.optional-dependencies].devincludes the full toolchain (ruff/mypy/pytest-cov/bandit/pip-audit/etc). If this repo usesuv/dependency-groups for local dev,uv sync --group devwill not install most CI/dev tools. Consider either keeping these two dev dependency lists in sync (same packages) or removing one to avoid a split source of truth.
[dependency-groups]
dev = [
"pytest>=8.0.0",
"pytest-asyncio>=1.0.0",
]
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.12" | ||
| - run: pip install -e ".[dev]" mypy types-PyYAML |
There was a problem hiding this comment.
This install step redundantly installs mypy and types-PyYAML even though they’re already included in the .[dev] extra added in pyproject.toml. Dropping the extra packages (or alternatively not using .[dev] here) will make the job faster and avoid divergent tool versions between local dev and CI.
| - run: pip install -e ".[dev]" mypy types-PyYAML | |
| - run: pip install -e ".[dev]" |
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - run: pip install -e ".[dev]" pytest-cov |
There was a problem hiding this comment.
This step redundantly installs pytest-cov even though it’s already included in the .[dev] extra. Installing only -e ".[dev]" reduces CI time and keeps the dependency set consistent.
| - run: pip install -e ".[dev]" pytest-cov | |
| - run: pip install -e ".[dev]" |
| def test_cli_help(): | ||
| """CLI --help should exit 0 and show usage info.""" | ||
| result = runner.invoke(app, ["--help"]) | ||
| assert result.exit_code == 0 | ||
| assert "narrator-ai-cli" in result.output.lower() or "narrat" in result.output.lower() | ||
|
|
There was a problem hiding this comment.
test_cli_help’s output assertion is very permissive (checking for the substring "narrat"). This can pass even if the command prints an unexpected message rather than help text. Prefer asserting on a stable marker like "Usage:" or the exact command name ("narrator-ai-cli") to make the smoke test deterministic.
Private packages not on PyPI cause pip-audit --strict to fail. Use pip freeze to generate a requirements file excluding the project itself. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ings pip-audit returns exit code 1 on actual vulnerabilities by default. The --strict flag additionally fails on packages not found on PyPI, which breaks for private/unpublished packages like narrator-ai-cli. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 14 out of 15 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
pyproject.toml:34
[dependency-groups].devis currently a much smaller set than[project.optional-dependencies].dev, souv-based installs (groups) andpip install .[dev]will produce different “dev” environments. Consider removing one of these or keeping them in sync to avoid CI/local mismatches.
[dependency-groups]
dev = [
"pytest>=8.0.0",
"pytest-asyncio>=1.0.0",
]
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| runs-on: ${{ vars.RUNNER_LABEL || 'blacksmith-2vcpu-ubuntu-2404' }} | ||
| steps: |
There was a problem hiding this comment.
runs-on defaults to blacksmith-2vcpu-ubuntu-2404, which is not a standard GitHub-hosted runner label. Unless this repo is guaranteed to have that runner available, the workflow will fail to schedule jobs. Consider defaulting to ubuntu-latest (or make the runner label an explicit required variable without a nonstandard fallback).
| pip install "." --quiet | ||
| pip-audit --desc --skip-editable |
There was a problem hiding this comment.
The security job installs pip-audit/bandit and then runs pip-audit against the current environment after installing the project. This will also audit the tooling packages (and whatever else is installed), which can create noisy/unstable failures unrelated to your project dependencies. Consider auditing from a lock/requirements input or running the audit in an isolated env containing only runtime deps.
| pip install "." --quiet | |
| pip-audit --desc --skip-editable | |
| python -m venv .audit-venv | |
| . .audit-venv/bin/activate | |
| pip install "." --quiet | |
| deactivate | |
| pip-audit --path ./.audit-venv/lib/python3.12/site-packages --desc --skip-editable |
lxjmaster
left a comment
lxjmaster
left a comment
There was a problem hiding this comment.
AI Code Review
Verdict: request_changes (AI suggested: comment)
Model: gpt-5.4 | Cost: $0.39 | Mode: session-managed | Config: 5ad1628d
2/3 issues placed as inline comments.
Issues not placed inline (1)
1. [WARNING] pyproject.toml L30
Impact: The repo's Python workflow is now split across two different dependency definitions. CI installs .[dev], but uv sync --dev reads [dependency-groups].dev, which currently only contains pytest and pytest-asyncio. Developers following the repo's standard uv workflow will not get ruff, mypy, pytest-cov, bandit, or pip-audit, so they cannot reproduce the new CI checks locally and will hit CI-only failures.
Suggestion: Make [dependency-groups].dev the single source of truth for the full toolchain and have CI install it via uv sync --dev, or duplicate the full tool list into [dependency-groups].dev so local uv environments match CI.
Generated by agent-pr-review
| with: | ||
| python-version: "3.12" | ||
| - run: pip install pip-audit bandit | ||
| - name: Audit dependencies |
There was a problem hiding this comment.
[WARNING]
Impact: The new pip-audit step will fail every run as currently written. The PR body already states there are 2 known dependency CVEs, and pip-audit exits non-zero when vulnerabilities are found. Because this step has no temporary ignores or non-blocking handling, every PR/push will keep the CI status red until those upstream packages are fixed, which makes the new pipeline noisy at best and merge-blocking at worst.
Suggestion: Add explicit --ignore-vuln <ID> entries for the tracked advisories with comments linking to the follow-up issue, or make this audit step non-blocking until the vulnerable dependencies are upgraded.
| """Running with no arguments should show help (no_args_is_help=True).""" | ||
| result = runner.invoke(app, []) | ||
| # Typer returns exit code 0 or 2 for no_args_is_help depending on version | ||
| assert result.exit_code in (0, 2) |
There was a problem hiding this comment.
[WARNING]
Impact: This test is supposed to enforce the no_args_is_help=True contract, but it explicitly accepts exit code 2, which is Typer's usage-error exit. That means the suite will still pass even if running bare narrator-ai-cli starts failing for users instead of showing help successfully.
Suggestion: Assert result.exit_code == 0 for the no-args path. If a specific Typer version still returns 2, pin or upgrade Typer and keep the test aligned with the intended CLI behavior rather than allowing the error code.
Addressing review feedback1. pip-audit known CVEs — Added 2. test_cli_no_args_shows_help exit code — Investigated: Typer/Click returns exit code 2 by design for 3. dependency-groups.dev out of sync — Unified |
- pip-audit: add continue-on-error for known CVEs (tracked in #14) - security job: use install-cmd instead of hardcoded pip install "." - test: add docstring explaining Typer exit code 2 for no_args_is_help - pyproject.toml: sync [dependency-groups].dev with [project.optional-dependencies].dev so uv sync --dev gets the full toolchain Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
lxjmaster
left a comment
lxjmaster
left a comment
There was a problem hiding this comment.
AI Code Review
Verdict: request_changes (AI suggested: comment)
Model: gpt-5.4 | Cost: $0.82 | Mode: session-managed | Config: 5ad1628d
1/1 issues placed as inline comments.
All issues placed inline.
Generated by agent-pr-review
| PIP_INDEX_URL: https://pypi.org/simple | ||
| - name: Audit dependencies | ||
| # Known CVEs tracked in issue #14 — non-blocking until deps are upgraded | ||
| continue-on-error: true |
There was a problem hiding this comment.
[WARNING]
Impact: The pip-audit step is wrapped in continue-on-error: true, so the security job stays green not only for the two known CVEs but also for any newly introduced vulnerabilities or for audit execution failures. That weakens the new pipeline's security contract because dependency regressions can land without blocking the PR and a broken audit run is indistinguishable from an intentionally tolerated finding.
Suggestion: Remove continue-on-error: true and replace it with explicit --ignore-vuln <ID> entries for the currently tracked advisories. That keeps the job non-blocking only for the known exceptions while still failing on new vulnerabilities or on a broken pip-audit execution.
KYBvWHxW
dismissed
lxjmaster’s stale review
Addressed: removed continue-on-error, simplified test assertion.
- pip-audit: remove continue-on-error (no known CVEs in current deps) - test: drop exit code assertion, verify help text output only (Typer no_args_is_help returns exit code 2 by Click convention) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 14 out of 15 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Audit dependencies | ||
| run: pip-audit --desc --skip-editable | ||
| - run: bandit -r src/narrator_ai -c pyproject.toml |
There was a problem hiding this comment.
pip-audit exits non-zero when vulnerabilities are found, which will fail the entire workflow. The PR description notes the scan currently finds real CVEs tracked separately; if those CVEs aren't being fixed in this PR, consider making the audit step non-blocking for now (e.g., continue-on-error on the audit step/job or temporarily ignoring specific vulnerability IDs) so PRs can still merge while remediation is tracked.
| [project.optional-dependencies] | ||
| dev = [ | ||
| "pytest>=8.0.0", | ||
| "pytest-asyncio>=1.0.0", | ||
| "pytest-cov>=5.0", | ||
| "ruff>=0.4", | ||
| "mypy>=1.10", | ||
| "types-PyYAML>=6.0", | ||
| "bandit>=1.7", | ||
| "pip-audit>=2.7", | ||
| ] | ||
|
|
||
| [dependency-groups] | ||
| dev = [ | ||
| "pytest>=8.0.0", | ||
| "pytest-asyncio>=1.0.0", | ||
| "pytest-cov>=5.0", | ||
| "ruff>=0.4", | ||
| "mypy>=1.10", | ||
| "types-PyYAML>=6.0", | ||
| "bandit>=1.7", | ||
| "pip-audit>=2.7", | ||
| ] |
There was a problem hiding this comment.
[project.optional-dependencies].dev and [dependency-groups].dev contain the same list. If both are required (pip extras vs uv groups), this duplication is easy to let drift. Consider documenting that they must stay in sync, or consolidating (e.g., rely on one mechanism in CI/local dev) to avoid future inconsistencies.
|
|
||
| def test_cli_no_args_shows_help(): | ||
| """Running with no arguments should display help text (no_args_is_help=True).""" | ||
| result = runner.invoke(app, []) |
There was a problem hiding this comment.
test_cli_no_args_shows_help doesn't assert result.exit_code. This test can pass even if the CLI exits non-zero (e.g., error) as long as some output is produced. Add an exit-code assertion (likely == 0) to ensure the no-args behavior is actually successful.
| result = runner.invoke(app, []) | |
| result = runner.invoke(app, []) | |
| assert result.exit_code == 0 |
| def transfer( | ||
| link: Optional[str] = typer.Option(None, help="File link (HTTP URL, Baidu Netdisk share link, or PikPak link)"), | ||
| upload_id: Optional[str] = typer.Option(None, help="Upload ID associated with the file being transferred"), | ||
| type: Optional[str] = typer.Option(None, help="Link type: url=HTTP, baidu=Baidu Netdisk, pikpak=PikPak (auto-detected if omitted)"), | ||
| link: str | None = typer.Option(None, help="File link (HTTP URL, Baidu Netdisk share link, or PikPak link)"), | ||
| upload_id: str | None = typer.Option(None, help="Upload ID associated with the file being transferred"), | ||
| type: str | None = typer.Option( | ||
| None, help="Link type: url=HTTP, baidu=Baidu Netdisk, pikpak=PikPak (auto-detected if omitted)" | ||
| ), |
There was a problem hiding this comment.
The transfer command uses an option named type, which shadows Python's built-in type. This makes debugging harder and can be confusing in stack traces/type hints. Rename the parameter to something specific like link_type, and map it to the request payload key "type" when building payload.
| - name: Install project | ||
| run: pip install -e ".[dev]" | ||
| env: | ||
| PIP_INDEX_URL: https://pypi.org/simple | ||
| - name: Audit dependencies | ||
| run: pip-audit --desc --skip-editable |
There was a problem hiding this comment.
The security job installs -e ".[dev]" before running pip-audit, which means the audit includes dev-only tools (pytest/ruff/mypy/etc.) and can fail due to vulnerabilities unrelated to production/runtime dependencies. If the intent is to gate runtime deps, install only the project/runtime deps for this job (e.g., pip install -e .) or otherwise scope what pip-audit checks.
Related Issue
Closes #14
Summary
.github/workflows/ci.ymlwith 4 CI jobs on Blacksmith runners:ruff check+ruff format --checkmypywith--ignore-missing-importspytestwith coverage across Python 3.10 / 3.11 / 3.12 matrixpip-audit(dependency vulnerabilities) +bandit(SAST)pyproject.toml([tool.ruff],[tool.mypy],[tool.pytest.ini_options],[tool.bandit]) aligned with videoDubbing-cli[project.optional-dependencies] devwith ruff, mypy, pytest-cov, bandit, pip-audittests/with 4 smoke tests: package import, CLI --help, --version, no-argsTest Plan
ruff check .+ruff format --check .pass🤖 Generated with Claude Code