ci: add lint, format-check, and security gates to CI pipeline
Add three new CI enforcement layers that were previously missing:
- ruff lint + format check job (was only in Makefile, never enforced in CI)
- pip-audit dependency vulnerability scanning job
- Expanded ruff rules: S (bandit/security), B (bugbear), UP (pyupgrade)
Fix all resulting lint violations across src/ and tests/:
- B904: add proper exception chains (raise from e)
- E501: wrap long lines in help strings and docstrings
- S110: annotate intentional try/except/pass with noqa + justification
- S101: replace assert with proper guard in invoke_cmd
- B007: prefix unused loop variable with underscore
- UP022: use capture_output instead of stdout/stderr=PIPE
Add matching Makefile targets (format-check, security) and pin pip-audit
in dev dependencies for reproducible local runs.
Change-Id: I94d2355be83f4c44b144f217d2a0d0d5b74f5e2f
Co-developed-by: Claude <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>