teaAgent/.github/workflows/ci.yml at main · TeaEntityLab/teaAgent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  use-case-matrix:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v7

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Check circular imports
        run: python3 scripts/check_circular_imports.py

      - name: Check competitive docs are up to date
        run: python3 scripts/refresh_competitive_docs.py --check

      - name: Sync acceptance tiers section
        run: python3 scripts/sync_acceptance_tiers_doc.py

      - name: Validate docs consistency
        run: python3 scripts/validate_docs_consistency.py

      - name: Validate H4/H5/H6 wiring labels
        run: python3 scripts/validate_wiring.py

      - name: Upload use-case matrix artifact
        uses: actions/upload-artifact@v7
        with:
          name: use-case-matrix
          path: docs/use-case-matrix.md

  acceptance-p0:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run acceptance P0
        run: python3 scripts/run_acceptance_tier.py --tier p0

  acceptance-p1:
    runs-on: ubuntu-latest
    needs: acceptance-p0
    steps:
      - uses: actions/checkout@v7
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run acceptance P1
        run: python3 scripts/run_acceptance_tier.py --tier p1

  acceptance-all:
    runs-on: ubuntu-latest
    needs: acceptance-p1
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v7
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Run full acceptance suite
        run: python3 scripts/run_acceptance_tier.py --tier all

  test:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        python-version: ["3.10", "3.11", "3.12"]
        exclude:
          # Reduce CI minutes — only test all Python versions on ubuntu
          - os: macos-latest
            python-version: "3.10"
          - os: macos-latest
            python-version: "3.11"
          - os: windows-latest
            python-version: "3.10"
          - os: windows-latest
            python-version: "3.11"

    steps:
      - uses: actions/checkout@v7

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Run smoke tier
        if: matrix.os != 'ubuntu-latest' || matrix.python-version != '3.12'
        continue-on-error: ${{ matrix.os == 'windows-latest' }}
        env:
          PYTHONHASHSEED: "0"
        run: python3 scripts/run_test_tier.py --tier smoke

      - name: Run full suite with coverage
        # Nightly/full tier on canonical ubuntu 3.12 cell (WDG-002).
        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
        env:
          PYTHONHASHSEED: "0"
        # Use xdist -n auto to parallelize and avoid OOM on GH runners
        run: pytest --random-order -n auto --dist worksteal --cov=teaagent --cov-report=term-missing --cov-fail-under=75

  test-telemetry:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v7

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Install dependencies with telemetry extras
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev,telemetry]"

      - name: Run telemetry tests
        run: pytest tests/test_telemetry.py -q

  lint:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        os: [ubuntu-latest]

    steps:
      - uses: actions/checkout@v7
        with:
          fetch-depth: 0  # full history so the A1 gate can diff against the base ref

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Check public API docstrings
        run: python3 scripts/check_public_docstrings.py

      - name: Config access audit
        run: python3 scripts/audit_config_access.py --max 65

      - name: Complexity baseline
        run: python3 scripts/check_complexity.py --max 99

      - name: Lint with ruff
        run: ruff check .

      - name: Check formatting with ruff
        run: ruff format --check .

      - name: Type check with mypy
        run: mypy teaagent/ tests/ --explicit-package-bases

      - name: SAST with bandit
        # Blocking: fail the CI run on Medium+ findings (S-P2-4).
        # Override: TEAAGENT_BANDIT_WARN_ONLY=1 for a grace period during migration.
        run: bandit -r teaagent/ -c pyproject.toml --severity-level medium

      - name: Audit test quality
        run: python3 scripts/audit_test_quality.py --fail-on severe

      - name: Test assertion regression gate (A1)
        # Fails if the change weakens/deletes existing test assertions.
        # Override: ALLOW_TEST_WEAKENING=1 or an "Allow-test-weakening:" commit trailer.
        run: |
          BASE="${{ github.event.pull_request.base.sha || github.event.before }}"
          if [ -z "$BASE" ] || ! git cat-file -e "${BASE}^{commit}" 2>/dev/null; then
            BASE="HEAD~1"
          fi
          echo "Comparing test assertions against base: $BASE"
          python3 scripts/check_test_assertion_regression.py --base "$BASE"

      - name: Agent contribution contract gate (V4-a)
        # Validates agent-authored commits comply with contribution contract.
        # NO SELF-SERVICE BYPASS: Agents cannot bypass their own governance gate (V4-c fix).
        # Manual bypass requires human intervention via GitHub UI only.
        run: python3 scripts/check_agent_contribution_contract.py --commit HEAD

  governance-gate:
    runs-on: ubuntu-latest
    # Run after lint passes, before package build
    needs: lint

    steps:
      - uses: actions/checkout@v7

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Run governance fuzz tests
        run: pytest tests/test_governance_fuzz.py -v

      - name: Run tranche BC and approval queue integration tests
        run: pytest tests/test_tranche_bc_governance.py tests/test_subagent_approval_queue_integration.py -v

      - name: Run security selftest
        run: teaagent selftest --root .

      - name: Run tool lint validation
        run: teaagent tool lint --root .

      - name: Validate permission matrix tests
        run: pytest tests/policy/test_permission_matrix.py -v

      - name: Check plan-before-write enforcement
        run: pytest tests/test_tranche_b_governance.py -k "plan" -v

      - name: Run Phase 5 unit tests
        run: pytest tests/test_phase5_context_bus.py tests/test_phase5_workflow_engine.py tests/test_phase5_jit_approval_server.py tests/test_federated_sync.py tests/test_signature_relay.py tests/test_remediation_p1_p2.py -v

      - name: Run Phase 4-5 acceptance and adversarial governance tests
        run: pytest tests/acceptance/test_consensus_flow.py tests/acceptance/test_sandbox_enhancement_flow.py tests/test_governance_adversarial_runtime.py tests/test_skill_executor.py -v

  review-institution:
    runs-on: ubuntu-latest
    needs: lint

    steps:
      - uses: actions/checkout@v7

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Audit schema conformance (G-P0-1)
        run: python3 scripts/check_audit_schema_conformance.py

      - name: Review institution gate (G2/G4/G9)
        # Validates PR description contains action ID, risk class, and
        # self-review checklist. High-risk PRs require docs/reviews/<pr>-risk.md.
        if: github.event_name == 'pull_request'
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_BODY: ${{ github.event.pull_request.body }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: python3 scripts/check_review_institution_gate.py

      - name: Action register link check (G9)
        run: |
          BASE="${{ github.event.pull_request.base.sha || github.event.before }}"
          if [ -z "$BASE" ]; then BASE="HEAD~1"; fi
          python3 scripts/check_action_register_link.py --base "$BASE"

  docker-smoke:
    runs-on: ubuntu-latest
    needs: lint
    # Advisory: Docker/Podman not guaranteed on all forks; failures do not block merge.
    continue-on-error: true

    steps:
      - uses: actions/checkout@v7

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Run docker sandbox smoke tests
        run: pytest tests/test_phase6_docker.py -v

  package:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v7

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"

      - name: Install package tooling
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[release]"

      - name: Build package distributions
        run: python -m build

      - name: Check package distributions
        run: python -m twine check dist/*

      - name: Install wheel and smoke test metadata
        run: |
          python -m venv /tmp/teaagent-wheel-smoke
          /tmp/teaagent-wheel-smoke/bin/python -m pip install --upgrade pip
          /tmp/teaagent-wheel-smoke/bin/python -m pip install dist/*.whl
          /tmp/teaagent-wheel-smoke/bin/python - <<'PY'
          import importlib.resources
          import teaagent

          assert teaagent.__version__
          assert importlib.resources.files('teaagent').joinpath('py.typed').is_file()
          PY