Skip to content

refactor(runner): extract authorization pipeline to shared governed-e… #798

refactor(runner): extract authorization pipeline to shared governed-e…

refactor(runner): extract authorization pipeline to shared governed-e… #798

Workflow file for this run

name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
jobs:
use-case-matrix:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Check circular imports
run: python3 scripts/check_circular_imports.py
- name: Check competitive docs are up to date
run: python3 scripts/refresh_competitive_docs.py --check
- name: Sync acceptance tiers section
run: python3 scripts/sync_acceptance_tiers_doc.py
- name: Validate docs consistency
run: python3 scripts/validate_docs_consistency.py
- name: Validate H4/H5/H6 wiring labels
run: python3 scripts/validate_wiring.py
- name: Upload use-case matrix artifact
uses: actions/upload-artifact@v7
with:
name: use-case-matrix
path: docs/use-case-matrix.md
acceptance-p0:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run acceptance P0
run: python3 scripts/run_acceptance_tier.py --tier p0
acceptance-p1:
runs-on: ubuntu-latest
needs: acceptance-p0
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run acceptance P1
run: python3 scripts/run_acceptance_tier.py --tier p1
acceptance-all:
runs-on: ubuntu-latest
needs: acceptance-p1
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run full acceptance suite
run: python3 scripts/run_acceptance_tier.py --tier all
test:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
python-version: ["3.10", "3.11", "3.12"]
exclude:
# Reduce CI minutes — only test all Python versions on ubuntu
- os: macos-latest
python-version: "3.10"
- os: macos-latest
python-version: "3.11"
- os: windows-latest
python-version: "3.10"
- os: windows-latest
python-version: "3.11"
steps:
- uses: actions/checkout@v7
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run smoke tier
if: matrix.os != 'ubuntu-latest' || matrix.python-version != '3.12'
continue-on-error: ${{ matrix.os == 'windows-latest' }}
env:
PYTHONHASHSEED: "0"
run: python3 scripts/run_test_tier.py --tier smoke
- name: Run full suite with coverage
# Nightly/full tier on canonical ubuntu 3.12 cell (WDG-002).
if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
env:
PYTHONHASHSEED: "0"
# Use xdist -n auto to parallelize and avoid OOM on GH runners
run: pytest --random-order -n auto --dist worksteal --cov=teaagent --cov-report=term-missing --cov-fail-under=75
test-telemetry:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies with telemetry extras
run: |
python -m pip install --upgrade pip
pip install -e ".[dev,telemetry]"
- name: Run telemetry tests
run: pytest tests/test_telemetry.py -q
lint:
runs-on: ubuntu-latest
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: actions/checkout@v7
with:
fetch-depth: 0 # full history so the A1 gate can diff against the base ref
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Check public API docstrings
run: python3 scripts/check_public_docstrings.py
- name: Config access audit
run: python3 scripts/audit_config_access.py --max 65
- name: Complexity baseline
run: python3 scripts/check_complexity.py --max 99
- name: Lint with ruff
run: ruff check .
- name: Check formatting with ruff
run: ruff format --check .
- name: Type check with mypy
run: mypy teaagent/ tests/ --explicit-package-bases
- name: SAST with bandit
# Blocking: fail the CI run on Medium+ findings (S-P2-4).
# Override: TEAAGENT_BANDIT_WARN_ONLY=1 for a grace period during migration.
run: bandit -r teaagent/ -c pyproject.toml --severity-level medium
- name: Audit test quality
run: python3 scripts/audit_test_quality.py --fail-on severe
- name: Test assertion regression gate (A1)
# Fails if the change weakens/deletes existing test assertions.
# Override: ALLOW_TEST_WEAKENING=1 or an "Allow-test-weakening:" commit trailer.
run: |
BASE="${{ github.event.pull_request.base.sha || github.event.before }}"
if [ -z "$BASE" ] || ! git cat-file -e "${BASE}^{commit}" 2>/dev/null; then
BASE="HEAD~1"
fi
echo "Comparing test assertions against base: $BASE"
python3 scripts/check_test_assertion_regression.py --base "$BASE"
- name: Agent contribution contract gate (V4-a)
# Validates agent-authored commits comply with contribution contract.
# NO SELF-SERVICE BYPASS: Agents cannot bypass their own governance gate (V4-c fix).
# Manual bypass requires human intervention via GitHub UI only.
run: python3 scripts/check_agent_contribution_contract.py --commit HEAD
governance-gate:
runs-on: ubuntu-latest
# Run after lint passes, before package build
needs: lint
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run governance fuzz tests
run: pytest tests/test_governance_fuzz.py -v
- name: Run tranche BC and approval queue integration tests
run: pytest tests/test_tranche_bc_governance.py tests/test_subagent_approval_queue_integration.py -v
- name: Run security selftest
run: teaagent selftest --root .
- name: Run tool lint validation
run: teaagent tool lint --root .
- name: Validate permission matrix tests
run: pytest tests/policy/test_permission_matrix.py -v
- name: Check plan-before-write enforcement
run: pytest tests/test_tranche_b_governance.py -k "plan" -v
- name: Run Phase 5 unit tests
run: pytest tests/test_phase5_context_bus.py tests/test_phase5_workflow_engine.py tests/test_phase5_jit_approval_server.py tests/test_federated_sync.py tests/test_signature_relay.py tests/test_remediation_p1_p2.py -v
- name: Run Phase 4-5 acceptance and adversarial governance tests
run: pytest tests/acceptance/test_consensus_flow.py tests/acceptance/test_sandbox_enhancement_flow.py tests/test_governance_adversarial_runtime.py tests/test_skill_executor.py -v
review-institution:
runs-on: ubuntu-latest
needs: lint
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Audit schema conformance (G-P0-1)
run: python3 scripts/check_audit_schema_conformance.py
- name: Review institution gate (G2/G4/G9)
# Validates PR description contains action ID, risk class, and
# self-review checklist. High-risk PRs require docs/reviews/<pr>-risk.md.
if: github.event_name == 'pull_request'
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_BODY: ${{ github.event.pull_request.body }}
PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: python3 scripts/check_review_institution_gate.py
- name: Action register link check (G9)
run: |
BASE="${{ github.event.pull_request.base.sha || github.event.before }}"
if [ -z "$BASE" ]; then BASE="HEAD~1"; fi
python3 scripts/check_action_register_link.py --base "$BASE"
docker-smoke:
runs-on: ubuntu-latest
needs: lint
# Advisory: Docker/Podman not guaranteed on all forks; failures do not block merge.
continue-on-error: true
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run docker sandbox smoke tests
run: pytest tests/test_phase6_docker.py -v
package:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install package tooling
run: |
python -m pip install --upgrade pip
pip install -e ".[release]"
- name: Build package distributions
run: python -m build
- name: Check package distributions
run: python -m twine check dist/*
- name: Install wheel and smoke test metadata
run: |
python -m venv /tmp/teaagent-wheel-smoke
/tmp/teaagent-wheel-smoke/bin/python -m pip install --upgrade pip
/tmp/teaagent-wheel-smoke/bin/python -m pip install dist/*.whl
/tmp/teaagent-wheel-smoke/bin/python - <<'PY'
import importlib.resources
import teaagent
assert teaagent.__version__
assert importlib.resources.files('teaagent').joinpath('py.typed').is_file()
PY