Minor Readme updates (#136) #131

---
name: Main Branch Validation

# Only direct pushes to main trigger this workflow. There is no pull_request
# trigger, so changes from forks never reach the OIDC-backed jobs below.
on:
  push:
    branches:
      - main

# Workflow-wide token scope. id-token: write is what lets the AWS / Azure / GCP
# login actions mint OIDC tokens; everything else stays read-only.
permissions:
  id-token: write
  contents: read

jobs:
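# =========================
# QUICK VALIDATION
# =========================
  # Install + lint sanity check; every integration job depends on it via `needs`.
  validate:
    name: Validate Package
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default. This job performs no
    # OIDC exchange, so it does not need id-token: write — checkout only needs
    # contents: read.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install dependencies
        # NOTE(review): the dev extras are unpinned here; a lockfile or
        # constraints file would make this step reproducible.
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      # - name: Verify imports
      #   run: |
      #     python -c "from cleancloud.cli import main; print('✅ CLI imports')"
      #     python -c "from cleancloud.core.finding import Finding; print('✅ Models import')"
      #     python -c "from cleancloud.providers.aws.session import create_aws_session; print('✅ AWS imports')"
      #     python -c "from cleancloud.providers.azure.session import create_azure_session; print('✅ Azure imports')"
      - name: Run linting
        # Advisory only: the `|| echo` fallbacks mean lint/format findings never
        # fail this job (and therefore never block the integration jobs). Drop
        # the fallbacks once the tree is clean so regressions are caught.
        run: |
          pip install ruff black
          ruff check cleancloud/ || echo "⚠️ Linting warnings found"
          black --check cleancloud/ || echo "⚠️ Formatting issues found"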
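# =========================
# INTEGRATION TESTS (REQUIRED - Must pass)
# =========================
  # Live scan of the AWS test account. Credentials come from the workflow-level
  # id-token: write via OIDC; no long-lived access keys are stored in the repo.
  integration-test-aws:
    name: Integration Test - AWS (Required)
    runs-on: ubuntu-latest
    needs: validate
    # Environment-scoped vars; any protection rules on the environment gate this
    # job as well.
    environment: cleancloud-test
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install CleanCloud
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      # AWS via OIDC (no static secrets)
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # NOTE(review): the role's trust policy (not this file) decides which
          # repo/branch may assume it — presumably restricted to this repo and
          # main; verify on the AWS side.
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/CleanCloudCIReadOnly
          aws-region: us-east-1
      - name: Test AWS doctor
        run: |
          set -e # Exit on any error
          cleancloud doctor --provider aws --region us-east-1
      - name: Test AWS scan
        run: |
          set -e # Exit on any error
          cleancloud scan --provider aws --region us-east-1 --output json --output-file test-results.json
      - name: Upload test results
        # !cancelled() instead of always(): still uploads after a failed scan,
        # but does not publish a partial file from a cancelled run.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          # NOTE(review): this JSON holds scan findings for the test account and
          # is readable by anyone who can read the repo's workflow runs — confirm
          # that matches the repo's visibility; consider retention-days.
          name: aws-integration-main
          path: test-results.json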
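# =========================
  # Hub + spoke scan across two AWS accounts and all regions, using the same
  # OIDC role as the single-account job.
  integration-test-aws-multi-account:
    name: Integration Test - AWS Multi-Account (Required)
    runs-on: ubuntu-latest
    needs: validate
    environment: cleancloud-test
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install CleanCloud
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # NOTE(review): reaching the spoke account presumably relies on a
          # cross-account role this one is allowed to assume — verify on the AWS side.
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/CleanCloudCIReadOnly
          aws-region: us-east-1
      - name: Test multi-account scan
        # Pass the account list through an environment variable rather than
        # expanding `${{ }}` directly into the shell line, so the value is never
        # re-parsed by the shell.
        env:
          AWS_ACCOUNTS: ${{ vars.AWS_ACCOUNT_ID }},${{ vars.AWS_SPOKE_ACCOUNT_ID }}
        run: |
          set -e
          cleancloud scan \
            --provider aws \
            --accounts "$AWS_ACCOUNTS" \
            --all-regions \
            --output json \
            --output-file multi-account-results.json
      - name: Upload test results
        # !cancelled() instead of always(): skip the upload on a cancelled run.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          # NOTE(review): findings for both accounts end up in this artifact;
          # confirm repo visibility and retention are acceptable.
          name: aws-multi-account-main
          path: multi-account-results.json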
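# =========================
  # Live scan of a single Azure subscription via workload-identity (OIDC) login.
  integration-test-azure:
    name: Integration Test - Azure (Required)
    runs-on: ubuntu-latest
    needs: validate
    environment: cleancloud-test
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install CleanCloud
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Azure Login via OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }} # App registration ID
          tenant-id: ${{ secrets.AZURE_TENANT_ID }} # Azure AD tenant
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          enable-AzPSSession: false
          # Strict: the login must resolve the pinned subscription or fail.
          allow-no-subscriptions: false
      - name: Test Azure doctor (strict)
        run: |
          set -e # Exit on any error
          cleancloud doctor --provider azure
      - name: Test Azure scan (strict)
        run: |
          set -e # Exit on any error
          cleancloud scan --provider azure --output json --output-file test-results.json
      - name: Upload test results
        # !cancelled() instead of always(): skip the upload on a cancelled run.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          # NOTE(review): scan findings are published here; confirm repo
          # visibility and artifact retention are acceptable.
          name: azure-integration-main
          path: test-results.json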
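# =========================
  # Scan across every subscription the federated identity can see. No
  # subscription is pinned at login, which is why allow-no-subscriptions is true.
  integration-test-azure-multi-subscription:
    name: Integration Test - Azure Multi-Subscription (Required)
    runs-on: ubuntu-latest
    needs: validate
    environment: cleancloud-test
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install CleanCloud
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Azure Login via OIDC (no subscription pin — scans all)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          enable-AzPSSession: false
          # Login succeeds even if the identity resolves zero subscriptions; the
          # scan step below is what surfaces an empty result.
          allow-no-subscriptions: true
      - name: Test Azure multi-subscription scan
        run: |
          set -e
          cleancloud scan \
            --provider azure \
            --output json \
            --output-file multi-subscription-results.json
      - name: Upload test results
        # !cancelled() instead of always(): skip the upload on a cancelled run.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          # NOTE(review): findings for every visible subscription land here;
          # confirm repo visibility and artifact retention are acceptable.
          name: azure-multi-subscription-main
          path: multi-subscription-results.json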
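# =========================
  # Live scan of a GCP project via Workload Identity Federation (keyless).
  integration-test-gcp:
    name: Integration Test - GCP (Required)
    runs-on: ubuntu-latest
    needs: validate
    environment: cleancloud-test
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install CleanCloud
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
      - name: Authenticate to GCP (Workload Identity Federation)
        uses: google-github-actions/auth@v2
        with:
          # NOTE(review): the provider's attribute condition (GCP side) is what
          # restricts which repo/branch may impersonate the service account —
          # verify it is scoped to this repo and main.
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
      - name: Test GCP doctor
        # The project id is passed via env rather than expanded inline into the
        # shell line, so the value is never re-parsed by the shell.
        env:
          GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
        run: |
          set -e
          cleancloud doctor --provider gcp --project "$GCP_PROJECT_ID"
      - name: Test GCP scan
        env:
          GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}
        run: |
          set -e
          cleancloud scan \
            --provider gcp \
            --project "$GCP_PROJECT_ID" \
            --output json \
            --output-file test-results.json
      - name: Upload test results
        # !cancelled() instead of always(): skip the upload on a cancelled run.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          # NOTE(review): scan findings are published here; confirm repo
          # visibility and artifact retention are acceptable.
          name: gcp-integration-main
          path: test-results.json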
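# =========================
# NOTIFY ON FAILURE
# =========================
  # Opens a tracking issue when any upstream job fails. Runs only after every
  # listed job has finished (failure() is false if they were merely skipped or
  # the run was cancelled).
  notify-failure:
    name: Create Issue on Failure
    runs-on: ubuntu-latest
    needs:
      - validate
      - integration-test-aws
      - integration-test-aws-multi-account
      - integration-test-azure
      - integration-test-azure-multi-subscription
      - integration-test-gcp
    if: failure()
    # The workflow-level token is id-token: write + contents: read only, which is
    # not enough for issues.create. Grant exactly what this job needs here;
    # job-level permissions replace (not extend) the workflow default.
    permissions:
      issues: write
    steps:
      - name: Create issue
        uses: actions/github-script@v7
        with:
          # NOTE(review): no de-duplication — every failing push to main opens a
          # fresh issue. Consider searching for an open `ci-failure` issue first
          # and commenting on it instead.
          script: |
            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: '🚨 Main branch validation failed',
              body: `Main branch validation failed.\n\n**Workflow run:** ${runUrl}\n**Commit:** ${context.sha}\n\n⚠️ Main branch may not be production-ready.`,
              labels: ['bug', 'ci-failure', 'urgent']
            });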