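# CI pipeline for ZettelForge.
#
# Job graph: lint -> {test, governance} -> build, with pip-audit running
# in parallel and also gating build. Third-party actions are pinned to
# full commit SHAs rather than mutable tags, so a compromised or
# re-pointed upstream tag cannot change what runs here; bump the SHAs
# deliberately (e.g. via Dependabot) rather than by hand-editing tags.
name: CI

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# Workflow-wide least privilege: GITHUB_TOKEN may only read the
# repository. No job below writes to GitHub (the Codecov upload uses its
# own token), so nothing needs more than this.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: '3.12'
      - name: Install linting tools
        # NOTE(review): unpinned; a new ruff release can change lint
        # results with no change to this repository.
        run: pip install ruff
      - name: Lint with ruff
        run: ruff check src/zettelforge/
      - name: Format check with ruff
        run: ruff format --check src/zettelforge/

  # GOV-009 §"Vulnerability Response": runs on every PR. Note that
  # `pip-audit --strict` fails on ANY reported vulnerability, which is
  # stricter than the HIGH/CRITICAL threshold GOV-009 names; a finding
  # below that threshold therefore also has to be explicitly accepted
  # with --ignore-vuln (see the audit step). Token-free complement to
  # Snyk (which gates on SNYK_TOKEN being set as a repo secret).
  # Audit H-5.
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: '3.12'
      - name: Install pip-audit
        run: |
          # Upgrade pip first, as the other jobs do, so the audit sees
          # the newest pip published on PyPI rather than whatever the
          # runner image happened to ship.
          python -m pip install --upgrade pip
          pip install pip-audit==2.9.0
      - name: Audit dependencies (any reported vuln blocks)
        run: |
          pip install -e ".[dev]" || pip install -e "."
          # pip-audit fails non-zero on any reported vuln. Add
          # --ignore-vuln=CVE-... with a citation when the finding is
          # explicitly accepted per GOV-009 §"Vulnerability Response".
          #
          # CVE-2026-3219: vulnerability in `pip` itself (the package
          # manager), not a project dependency, so ZettelForge's
          # pyproject cannot pin it away. Risk-accepted because the pip
          # vulnerability surface is exposed during install, not at
          # runtime; CI builds in ephemeral runners with no persistent
          # state. The `pip install --upgrade pip` in the previous step
          # picks up a fixed pip as soon as one is published on PyPI,
          # independently of GitHub's runner images; re-run without the
          # ignore periodically and drop it once the finding is gone.
          pip-audit --strict \
            --ignore-vuln=CVE-2026-3219

  test:
    runs-on: ubuntu-latest
    needs: lint
    strategy:
      fail-fast: false
      matrix:
        python-version: ['3.12', '3.13']
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          # If [dev] install fails, fall back to bare install + manually
          # add the pytest deps. Parenthesizing the fallback prevents shell
          # precedence from running the "pytest pytest-cov pytest-asyncio"
          # step when [dev] already succeeded (audit L-4).
          pip install -e ".[dev]" || (pip install -e "." && pip install pytest pytest-cov pytest-asyncio)
      - name: Pre-download fastembed model
        # The model is fetched over the network at test time; this
        # workflow pins no revision or checksum for it, so integrity
        # rests on fastembed's own download handling. NOTE(review):
        # caching the model directory (actions/cache) would reduce both
        # network exposure and flakiness.
        run: |
          python -c "from fastembed import TextEmbedding; TextEmbedding('nomic-ai/nomic-embed-text-v1.5-Q')"
      - name: Test with pytest
        env:
          ZETTELFORGE_BACKEND: sqlite
          ZETTELFORGE_EMBEDDING_PROVIDER: fastembed
        run: |
          # GOV-007 §"Coverage Requirements" mandates ≥80% line / ≥70% branch.
          # We start the ratchet at 67 (matches governance/controls.yaml's
          # current declaration) so today's pipeline does not break, and #51
          # tracks raising it toward 80% across v2.5.x. Audit finding H-2.
          pytest tests/ -v --cov=zettelforge --cov-report=xml --cov-report=term-missing --cov-fail-under=67
      - name: Upload coverage
        # Upload once, not once per matrix entry. Best-effort by design:
        # on pull_request runs from forks GitHub withholds repository
        # secrets, so CODECOV_TOKEN is empty and the upload fails; that
        # must not fail the test job.
        if: matrix.python-version == '3.12'
        continue-on-error: true
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        run: |
          # TODO(security): pin codecov-cli to an exact version. This is
          # an unpinned PyPI install that runs with a secret
          # (CODECOV_TOKEN) in its environment.
          python -m pip install codecov-cli
          codecovcli upload-process -f ./coverage.xml

  governance:
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: '3.12'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          # See the "Install dependencies" comment in the test job (audit L-4).
          pip install -e ".[dev]" || (pip install -e "." && pip install pytest pytest-cov)
      - name: GOV-012 — Logging compliance tests
        env:
          ZETTELFORGE_BACKEND: sqlite
        run: |
          pytest tests/test_logging_compliance.py -v
      - name: Governance spec-drift check
        run: |
          pytest tests/test_governance_spec_drift.py -v

  build:
    runs-on: ubuntu-latest
    # Gate the package build on the dependency audit too, so a vulnerable
    # dependency blocks the artifact instead of only turning one parallel
    # job red.
    needs: [test, governance, pip-audit]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: '3.12'
      - name: Install build dependencies
        run: |
          python -m pip install --upgrade pip
          # NOTE(review): unpinned; pin build/twine to exact versions to
          # keep the packaging step reproducible.
          pip install build twine
      - name: Build package
        run: python -m build
      - name: Check package
        run: twine check dist/*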