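name: PR Fast

on:
  pull_request:
    branches: [main]

# Least-privilege token: the job only needs to read the checkout.
# Keep the trigger as `pull_request` (never `pull_request_target`): the
# steps below install and execute code taken from the PR branch
# (`pip install -e`, `npm ci`, `scripts/release_smoke.py`), so a PR from a
# fork must only ever receive this unprivileged, secret-less token.
permissions:
  contents: read

# Cancel a still-running check when the same PR is pushed again; stale runs
# only burn runner minutes and delay the result that matters.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  pr-fast:
    runs-on: ubuntu-latest
    # Hard cap so a hung package install or smoke step cannot run for the
    # six-hour default. 30 min is a starting point for a "fast" gate; tighten
    # once the typical wall-clock time is known.
    timeout-minutes: 30
    steps:
      # All third-party actions are pinned to a full commit SHA (tag kept as
      # a comment for readability) so a moved tag cannot change what runs.
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: '3.12'

      - name: Set up Node
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '22'

      - name: Install ffmpeg
        run: sudo apt-get update && sudo apt-get install -y ffmpeg

      # NOTE(review): the lint/scan tools (ruff, pytest, pip-audit, bandit)
      # are installed unpinned, so what the gate checks — and the tools'
      # own supply chain — can change between runs with no diff in this
      # repo. Consider pinning them in a constraints file alongside the
      # project's own pins.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruff pytest pip-audit bandit
          pip install -e ".[standard]"

      # `npm ci` installs exactly what the lockfile says and fails if the
      # lockfile and package.json disagree — preferred over `npm install`
      # in CI.
      - name: Install CEP panel dependencies
        working-directory: extension/com.opencut.panel
        run: npm ci

      # Static security scan (RESEARCH_FEATURE_PLAN_2026-05-25.md E3 follow-on).
      # Bandit catches SSRF, path-traversal, eval(), shell=True, weak hash
      # patterns the audit batches still find by hand. --severity-level high
      # keeps the gate actionable (low-severity B404/B603 are noisy in a repo
      # with this many subprocess calls). Note this also drops medium-severity
      # findings; review that trade-off if the scan is ever relied on alone.
      - name: Bandit security lint
        run: |
          bandit -r opencut/ \
            --severity-level high \
            --exclude opencut/core/__pycache__

      # PR-fast runs the supply-chain triad (pip-audit, npm-advisory, esbuild-pin)
      # so a vulnerable dep introduced in a PR fails fast on every push.
      # Cross-OS / heavyweight gates (panel-source, adobe-premierepro-versions)
      # stay on Release Full where they have time + cross-platform runners.
      # (RESEARCH_FEATURE_PLAN_2026-05-25.md E3.)
      - name: Run fast release smoke
        run: |
          python scripts/release_smoke.py --json \
            --skip panel-source \
            --skip adobe-premierepro-versions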