Skip to content

Commit 98397a5

Browse files
fix: standardize CI workflows, linting, and deployment configs
- Moved non-applicable template workflows to .github/workflows/samples/ to isolate root CI while preserving unit tests. - Fixed unused variable linting in rag-agentic-dashboard/server.js using a scope-aware Python script to prevent regressions (only renaming truly unused 'req' parameters). - Standardized Netlify _headers and _redirects formatting in both root and next-app/public/ to satisfy strict deployment validation gates (no trailing spaces, single-space separation, single trailing newline). - Synchronized version 1.2.0 across setup.py, pyproject.toml, CITATION.cff, codemeta.json, and package.json files. - Re-generated docs/artifacts/manifest.json and synchronized TOOL_VERSION constants. - Added .deepsource.toml to resolve static analysis check failures. - Verified that 'make verify-governance' passes (29/29 tests) and all 411 workflow validation tests pass locally. Co-authored-by: OneFineStarstuff <87420139+OneFineStarstuff@users.noreply.github.com>
1 parent eb40932 commit 98397a5

40 files changed

Lines changed: 3940 additions & 884 deletions

.deepsource.toml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
version = 1
2+
3+
[[analyzers]]
4+
name = "python"
5+
enabled = true
6+
7+
[[analyzers]]
8+
name = "javascript"
9+
enabled = true

.github/workflows/jekyll-docker.yml

Lines changed: 0 additions & 20 deletions
This file was deleted.

.github/workflows/samples/ada.yml

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
name: Ada (GNAT)
2+
3+
on:
4+
push:
5+
branches: [ "main" ]
6+
pull_request:
7+
branches: [ "main" ]
8+
9+
jobs:
10+
build:
11+
12+
runs-on: ubuntu-latest
13+
14+
steps:
15+
- name: Checkout
16+
uses: actions/checkout@v4
17+
18+
- name: Set up GNAT toolchain
19+
run: >
20+
sudo apt-get update &&
21+
sudo apt-get install gnat gprbuild
22+
23+
- name: Build
24+
run: gprbuild -j0 -p
Lines changed: 122 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,122 @@
1+
# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR),
2+
# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the "main" branch.
3+
#
4+
# To use this workflow, you will need to complete the following set-up steps:
5+
#
6+
# 1. Create an ACR repository to store your container images.
7+
# You can use ACR EE instance for more security and better performance.
8+
# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm
9+
#
10+
# 2. Create an ACK cluster to run your containerized application.
11+
# You can use ACK Pro cluster for more security and better performance.
12+
# For instructions see https://www.alibabacloud.com/help/doc-detail/95108.htm
13+
#
14+
# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`.
15+
# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/
16+
#
17+
# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
18+
#
19+
20+
name: Build and Deploy to ACK
21+
22+
on:
23+
push:
24+
branches: [ "main" ]
25+
26+
# Environment variables available to all jobs and steps in this workflow.
27+
env:
28+
REGION_ID: cn-hangzhou
29+
REGISTRY: registry.cn-hangzhou.aliyuncs.com
30+
NAMESPACE: namespace
31+
IMAGE: repo
32+
TAG: ${{ github.sha }}
33+
ACK_CLUSTER_ID: clusterID
34+
ACK_DEPLOYMENT_NAME: nginx-deployment
35+
36+
ACR_EE_REGISTRY: myregistry.cn-hangzhou.cr.aliyuncs.com
37+
ACR_EE_INSTANCE_ID: instanceID
38+
ACR_EE_NAMESPACE: namespace
39+
ACR_EE_IMAGE: repo
40+
ACR_EE_TAG: ${{ github.sha }}
41+
42+
permissions:
43+
contents: read
44+
45+
jobs:
46+
build:
47+
runs-on: ubuntu-latest
48+
environment: production
49+
50+
steps:
51+
- name: Checkout
52+
uses: actions/checkout@v4
53+
54+
# 1.1 Login to ACR
55+
- name: Login to ACR with the AccessKey pair
56+
uses: aliyun/acr-login@v1
57+
with:
58+
region-id: "${{ env.REGION_ID }}"
59+
access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
60+
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
61+
62+
# 1.2 Build and push image to ACR
63+
- name: Build and push image to ACR
64+
run: |
65+
docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
66+
docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
67+
68+
# 1.3 Scan image in ACR
69+
- name: Scan image in ACR
70+
uses: aliyun/acr-scan@v1
71+
with:
72+
region-id: "${{ env.REGION_ID }}"
73+
access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
74+
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
75+
repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}"
76+
tag: "${{ env.TAG }}"
77+
78+
# 2.1 (Optional) Login to ACR EE
79+
- uses: actions/checkout@v4
80+
- name: Login to ACR EE with the AccessKey pair
81+
uses: aliyun/acr-login@v1
82+
with:
83+
login-server: "https://${{ env.ACR_EE_REGISTRY }}"
84+
region-id: "${{ env.REGION_ID }}"
85+
access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
86+
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
87+
instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
88+
89+
# 2.2 (Optional) Build and push image ACR EE
90+
- name: Build and push image to ACR EE
91+
run: |
92+
docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" .
93+
docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG"
94+
# 2.3 (Optional) Scan image in ACR EE
95+
- name: Scan image in ACR EE
96+
uses: aliyun/acr-scan@v1
97+
with:
98+
region-id: "${{ env.REGION_ID }}"
99+
access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
100+
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
101+
instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
102+
repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}"
103+
tag: "${{ env.ACR_EE_TAG }}"
104+
105+
# 3.1 Set ACK context
106+
- name: Set K8s context
107+
uses: aliyun/ack-set-context@v1
108+
with:
109+
access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
110+
access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
111+
cluster-id: "${{ env.ACK_CLUSTER_ID }}"
112+
113+
# 3.2 Deploy the image to the ACK cluster
114+
- name: Set up Kustomize
115+
run: |-
116+
curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash /dev/stdin 3.8.6
117+
- name: Deploy
118+
run: |-
119+
./kustomize edit set image REGISTRY/NAMESPACE/IMAGE:TAG=$REGISTRY/$NAMESPACE/$IMAGE:$TAG
120+
./kustomize build . | kubectl apply -f -
121+
kubectl rollout status deployment/$ACK_DEPLOYMENT_NAME
122+
kubectl get services -o wide
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
# This workflow uses actions that are not certified by GitHub.
2+
# They are provided by a third-party and are governed by
3+
# separate terms of service, privacy policy, and support
4+
# documentation.
5+
6+
# This workflow checks out code, builds an image, performs a container image
7+
# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
8+
# submission API.
9+
10+
# For more information on the Anchore sbom-action usage
11+
# and parameters, see https://github.com/anchore/sbom-action. For more
12+
# information about the Anchore SBOM tool, Syft, see
13+
# https://github.com/anchore/syft
14+
name: Anchore Syft SBOM scan
15+
16+
on:
17+
push:
18+
branches: [ "main" ]
19+
20+
permissions:
21+
contents: write
22+
23+
jobs:
24+
Anchore-Build-Scan:
25+
permissions:
26+
contents: write # required to upload to the Dependency submission API
27+
runs-on: ubuntu-latest
28+
steps:
29+
- name: Checkout the code
30+
uses: actions/checkout@v4
31+
- name: Build the Docker image
32+
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
33+
- name: Scan the image and upload dependency results
34+
uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
35+
with:
36+
image: "localbuild/testimage:latest"
37+
artifact-name: image.spdx.json
38+
dependency-snapshot: true
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
# This workflow uses actions that are not certified by GitHub.
2+
# They are provided by a third-party and are governed by
3+
# separate terms of service, privacy policy, and support
4+
# documentation.
5+
6+
# This workflow checks out code, builds an image, performs a container image
7+
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
8+
# code scanning feature. For more information on the Anchore scan action usage
9+
# and parameters, see https://github.com/anchore/scan-action. For more
10+
# information on Anchore's container image scanning tool Grype, see
11+
# https://github.com/anchore/grype
12+
name: Anchore Grype vulnerability scan
13+
14+
on:
15+
push:
16+
branches: [ "main" ]
17+
pull_request:
18+
# The branches below must be a subset of the branches above
19+
branches: [ "main" ]
20+
schedule:
21+
- cron: '19 13 * * 5'
22+
23+
permissions:
24+
contents: read
25+
26+
jobs:
27+
Anchore-Build-Scan:
28+
permissions:
29+
contents: read # for actions/checkout to fetch code
30+
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
31+
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
32+
runs-on: ubuntu-latest
33+
steps:
34+
- name: Check out the code
35+
uses: actions/checkout@v4
36+
- name: Build the Docker image
37+
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
38+
- name: Run the Anchore Grype scan action
39+
uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
40+
id: scan
41+
with:
42+
image: "localbuild/testimage:latest"
43+
fail-build: true
44+
severity-cutoff: critical
45+
- name: Upload vulnerability report
46+
uses: github/codeql-action/upload-sarif@v3
47+
with:
48+
sarif_file: ${{ steps.scan.outputs.sarif }}
Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
name: Android CI
2+
3+
on:
4+
push:
5+
branches: [ "main" ]
6+
pull_request:
7+
branches: [ "main" ]
8+
9+
jobs:
10+
build:
11+
12+
runs-on: ubuntu-latest
13+
14+
steps:
15+
- uses: actions/checkout@v4
16+
- name: set up JDK 11
17+
uses: actions/setup-java@v4
18+
with:
19+
java-version: '11'
20+
distribution: 'temurin'
21+
cache: gradle
22+
23+
- name: Grant execute permission for gradlew
24+
run: chmod +x gradlew
25+
- name: Build with Gradle
26+
run: ./gradlew build
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
name: Artifact Validation
2+
3+
on:
4+
workflow_dispatch:
5+
push:
6+
paths:
7+
- 'artifacts/**'
8+
- 'unit_tests/**'
9+
- 'pytest.ini'
10+
- '.github/workflows/artifact-validation.yml'
11+
pull_request:
12+
paths:
13+
- 'artifacts/**'
14+
- 'unit_tests/**'
15+
- 'pytest.ini'
16+
- '.github/workflows/artifact-validation.yml'
17+
18+
concurrency:
19+
group: ${{ github.workflow }}-${{ github.ref }}
20+
cancel-in-progress: true
21+
22+
jobs:
23+
validate:
24+
runs-on: ubuntu-latest
25+
steps:
26+
- name: Checkout
27+
uses: actions/checkout@v4
28+
29+
- name: Setup Python
30+
uses: actions/setup-python@v5
31+
with:
32+
python-version: '3.12'
33+
34+
- name: Install deps
35+
run: make -C artifacts deps
36+
37+
- name: Run artifact validation via Makefile
38+
run: make -C artifacts all

0 commit comments

Comments
 (0)