recotem/.github/workflows/test.yml at main · codelibs/recotem · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
name: recotem / test

# Triggered on push to main (post-merge gate) and PRs targeting main.
# Avoids duplicate runs on feature branches that already have an open PR.
# No untrusted input (issue titles, PR bodies, etc.) is used in run: steps.
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
    paths:
      - "src/**"
      - "tests/**"
      - "pyproject.toml"
      - "uv.lock"
      - ".github/workflows/test.yml"

permissions:
  contents: read

jobs:
  ruff:
    name: ruff lint + format check
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6

      - uses: astral-sh/setup-uv@v8.2.0
        with:
          enable-cache: true

      - name: Install dev dependencies
        run: uv sync --frozen --dev

      - name: ruff check
        run: uv run ruff check src/ tests/

      - name: ruff format (check only)
        run: uv run ruff format --check src/ tests/

  pytest:
    name: pytest (unit + integration + fuzz)
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        # irspack 0.4.2 ships abi3 (stable ABI) wheels tagged cp312-abi3 that
        # also satisfy Python 3.13 and 3.14 (non-free-threaded), plus dedicated
        # cp314t wheels for free-threaded builds.  Matrix below covers the
        # supported GIL builds.
        python-version: ["3.12", "3.13", "3.14"]
    steps:
      - uses: actions/checkout@v6

      - uses: astral-sh/setup-uv@v8.2.0
        with:
          enable-cache: true
          python-version: ${{ matrix.python-version }}

      - name: Install dependencies (all extras)
        run: uv sync --frozen --dev --extra bigquery --extra s3 --extra gcs --extra metrics --extra postgres --extra mysql --extra sqlite

      - name: Driver import smoke test
        run: |
          uv run python -c "import sqlalchemy; import psycopg; import pymysql; import sqlite3"

      - name: Run unit + integration + fuzz tests
        run: |
          uv run pytest tests/unit tests/integration tests/fuzz \
            --tb=short \
            -q \
            -m "not slow" \
            --cov=src/recotem \
            --cov-report=term-missing \
            --cov-report=xml:coverage.xml

      - name: Upload coverage
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: coverage-${{ matrix.python-version }}
          path: coverage.xml

  e2e:
    name: e2e (train → serve → predict)
    runs-on: ubuntu-24.04
    needs: pytest
    steps:
      - uses: actions/checkout@v6

      - uses: astral-sh/setup-uv@v8.2.0
        with:
          enable-cache: true

      - name: Install dependencies
        run: uv sync --frozen --dev --extra bigquery --extra s3 --extra gcs --extra metrics --extra postgres --extra mysql --extra sqlite

      - name: Install recotem
        run: uv pip install --no-deps .

      - name: Run e2e script
        run: |
          chmod +x tests/e2e/run.sh
          # Capture combined stdout/stderr to a log file for the downstream
          # secrets-in-logs grep job, while still streaming to the runner.
          uv run bash tests/e2e/run.sh 2>&1 | tee /tmp/recotem-e2e-output.log
          # Propagate exit code from the bash pipeline (uv run, not tee).
          exit "${PIPESTATUS[0]}"
        env:
          RECOTEM_LOG_FORMAT: json
          # Test signing key — not a production value.
          RECOTEM_SIGNING_KEYS: "test-key:0000000000000000000000000000000000000000000000000000000000000000"

      - name: Upload e2e logs
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: e2e-logs
          path: /tmp/recotem-e2e-*.log

  secrets-in-logs:
    name: secrets-in-logs grep check
    runs-on: ubuntu-24.04
    needs: e2e
    steps:
      - uses: actions/download-artifact@v8
        with:
          name: e2e-logs
          path: /tmp/e2e-logs

      - name: Check for secrets in captured logs
        # No untrusted input used — only scans static log files from prior job.
        shell: bash
        run: |
          set +e
          FAIL=0
          LOG_DIR="/tmp/e2e-logs"

          if [ ! -d "$LOG_DIR" ] || [ -z "$(ls -A "$LOG_DIR" 2>/dev/null)" ]; then
            echo "No e2e log files found — skipping secrets check."
            exit 0
          fi

          echo "Scanning log files in $LOG_DIR ..."

          # Pattern 1: raw sha256 hex digest (signing key or hash leaked).
          # Excludes the public X-Recotem-Model-Version header and the
          # corresponding JSON "model_version" response field, which carry
          # the artifact content hash by design and are not secrets.
          pat1_hits=$(grep -rEn 'sha256:[0-9a-f]{64}' "$LOG_DIR" \
            | grep -v '"model_version"[[:space:]]*:[[:space:]]*"sha256:' \
            | grep -vi 'x-recotem-model-version:[[:space:]]*sha256:' \
            || true)
          if [ -n "$pat1_hits" ]; then
            echo "FAIL: Found sha256:<hex64> in log output."
            echo "$pat1_hits" | head -5
            FAIL=1
          fi

          # Pattern 2: AWS access key id
          if grep -rEq 'AKIA[0-9A-Z]{16}' "$LOG_DIR"; then
            echo "FAIL: Found AWS access key ID in log output."
            grep -rEn 'AKIA[0-9A-Z]{16}' "$LOG_DIR" | head -5
            FAIL=1
          fi

          # Pattern 3: literal signing key env var assignment.
          # Matches both the historical singular spelling and the actual
          # variable name RECOTEM_SIGNING_KEYS (plural).
          if grep -rEq 'RECOTEM_SIGNING_KEYS?=' "$LOG_DIR"; then
            echo "FAIL: Found RECOTEM_SIGNING_KEY(S)= in log output."
            grep -rEn 'RECOTEM_SIGNING_KEYS?=' "$LOG_DIR" | head -5
            FAIL=1
          fi

          # Pattern 4: AWS_SECRET value context
          if grep -rEq 'AWS_SECRET' "$LOG_DIR"; then
            echo "FAIL: Found AWS_SECRET in log output."
            grep -rEn 'AWS_SECRET' "$LOG_DIR" | head -5
            FAIL=1
          fi

          # Pattern 5: signing/API key leaked as a JSON value under a known
          # sensitive key name.  Matches the formats the app logs when the
          # redaction processor fails:
          #   "recotem_signing_keys" : "kid:<hex64>"
          #   "recotem_api_keys"     : "kid:sha256:<hex64>"
          # A broader kid:<hex64> pattern would false-positive on benign
          # fields such as "recipe_hash", "artifact", and fsspec paths that
          # contain 64-character hex strings (e.g. sha256 digests in paths).
          if grep -rEqi '"recotem_signing_keys"\s*:\s*"[A-Za-z0-9_.-]+:[0-9a-f]{64}"' "$LOG_DIR"; then
            echo "FAIL: Found RECOTEM_SIGNING_KEYS value in JSON log output."
            grep -rEni '"recotem_signing_keys"\s*:\s*"[A-Za-z0-9_.-]+:[0-9a-f]{64}"' "$LOG_DIR" | head -5
            FAIL=1
          fi
          if grep -rEqi '"recotem_api_keys"\s*:\s*"[A-Za-z0-9_.-]+:sha256:[0-9a-f]{64}"' "$LOG_DIR"; then
            echo "FAIL: Found RECOTEM_API_KEYS value in JSON log output."
            grep -rEni '"recotem_api_keys"\s*:\s*"[A-Za-z0-9_.-]+:sha256:[0-9a-f]{64}"' "$LOG_DIR" | head -5
            FAIL=1
          fi

          if [ "$FAIL" -eq 0 ]; then
            echo "OK: No secrets found in log output."
          fi

          exit $FAIL