agentwrit-python/.github/workflows/ci.yml at e893644ac859f4fc7e7048338193b4870af243ff · devonartis/agentwrit-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
name: CI

on:
  push:
    branches: [develop, main]
  pull_request:
    branches: [develop, main]

permissions:
  contents: read
  pull-requests: read

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v4
        with:
          version: "latest"
      - run: uv sync --all-extras
      - run: uv run ruff check .

  typecheck:
    name: Type Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v4
        with:
          version: "latest"
      - run: uv sync --all-extras
      - run: uv run mypy --strict src/

  unit-tests:
    name: Unit Tests
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v4
        with:
          version: "latest"
      - run: uv python install ${{ matrix.python-version }}
      - run: uv sync --all-extras --python ${{ matrix.python-version }}
      - run: uv run pytest tests/unit/ -q

  integration-tests:
    name: Integration Tests
    runs-on: ubuntu-latest
    services:
      broker:
        image: devonartis/agentwrit:latest
        ports:
          - 8080:8080
        env:
          AA_PORT: "8080"
          AA_BIND_ADDRESS: "0.0.0.0"
          # Broker binary uses AA_ prefix (devonartis/agentwrit#44)
          AA_ADMIN_SECRET: ${{ secrets.AGENTWRIT_ADMIN_SECRET }}
        options: >-
          --health-cmd "wget --spider -q http://localhost:8080/v1/health"
          --health-interval 2s
          --health-timeout 3s
          --health-retries 10
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v4
        with:
          version: "latest"
      - run: uv sync --all-extras
      - name: Register test app with broker
        id: register-app
        env:
          AGENTWRIT_BROKER_URL: http://localhost:8080
          AA_ADMIN_SECRET: ${{ secrets.AGENTWRIT_ADMIN_SECRET }}
        run: |
          # Authenticate as admin
          ADMIN_TOKEN=$(curl -sf -X POST "${AGENTWRIT_BROKER_URL}/v1/admin/auth" \
            -H "Content-Type: application/json" \
            -d "{\"secret\":\"${AA_ADMIN_SECRET}\"}" | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")

          # Register a test app with broad scope ceiling
          APP_JSON=$(curl -sf -X POST "${AGENTWRIT_BROKER_URL}/v1/admin/apps" \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer ${ADMIN_TOKEN}" \
            -d '{"name":"ci-integration","scopes":["read:data:*","write:data:*"]}')

          # Extract credentials and mask the secret
          CLIENT_ID=$(echo "${APP_JSON}" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_id'])")
          CLIENT_SECRET=$(echo "${APP_JSON}" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_secret'])")

          echo "::add-mask::${CLIENT_SECRET}"
          echo "client_id=${CLIENT_ID}" >> "$GITHUB_OUTPUT"
          echo "client_secret=${CLIENT_SECRET}" >> "$GITHUB_OUTPUT"
          echo "Registered test app: ${CLIENT_ID}"
      - name: Run integration tests (all 15 stories)
        env:
          AGENTWRIT_BROKER_URL: http://localhost:8080
          AGENTWRIT_ADMIN_SECRET: ${{ secrets.AGENTWRIT_ADMIN_SECRET }}
          AGENTWRIT_CLIENT_ID: ${{ steps.register-app.outputs.client_id }}
          AGENTWRIT_CLIENT_SECRET: ${{ steps.register-app.outputs.client_secret }}
        run: |
          result=$(uv run pytest -m integration -v 2>&1)
          echo "${result}"

          # Fail if any tests were skipped — no silent skips allowed
          if echo "${result}" | grep -q "skipped"; then
            echo "::error::Integration tests had skipped stories — all 15 must run"
            exit 1
          fi

  secrets-scan:
    name: Secrets Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  no-ignored-tracked:
    name: No Ignored Files Tracked
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for tracked files that should be ignored
        run: |
          tracked_ignored=$(git ls-files -i --exclude-standard 2>/dev/null || true)
          if [ -n "$tracked_ignored" ]; then
            echo "ERROR: These tracked files are in .gitignore:"
            echo "$tracked_ignored"
            exit 1
          fi
          echo "Clean — no tracked files match .gitignore patterns."