
Fix kargs module schema in BlueBuild recipe #26


Workflow file for this run

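name: CI

on:
  push:
    branches: [main]
    paths-ignore:
      - "**.md"
  # pull_request (not pull_request_target): PRs from forks run with a
  # read-only GITHUB_TOKEN and without repository secrets.
  pull_request:
    paths-ignore:
      - "**.md"
  workflow_dispatch:

# One live run per ref; a newer push cancels the run it supersedes.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

# Minimal permissions by default. Every job below only reads the
# repository (build, test, lint, validate); nothing pushes, publishes
# or writes check results, so the token never needs more than this.
permissions:
  contents: read

jobs:
  go-build-and-test:
    name: Go Build & Test
    runs-on: ubuntu-latest
    # Cap the job so a hung test (e.g. a -race deadlock) does not hold the
    # runner and the concurrency group for the 6 h default.
    timeout-minutes: 20
    permissions:
      contents: read
    strategy:
      matrix:
        service: [registry, tool-firewall, airlock]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # No step pushes back to the repo, so do not leave the token in
          # .git/config where later steps (and anything they download) can
          # read it.
          persist-credentials: false
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "1.23"
          cache-dependency-path: services/${{ matrix.service }}/go.sum
      - name: Build
        working-directory: services/${{ matrix.service }}
        # Compile-only check; the binary is discarded.
        run: CGO_ENABLED=0 go build -ldflags="-s -w" -o /dev/null .
      - name: Test
        working-directory: services/${{ matrix.service }}
        run: go test -v -race -count=1 ./...
      - name: Vet
        working-directory: services/${{ matrix.service }}
        run: go vet ./...

  go-securectl:
    name: Build securectl CLI
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "1.23"
          # securectl lives inside the registry module, so it shares that go.sum.
          cache-dependency-path: services/registry/go.sum
      - name: Build securectl
        working-directory: services/registry
        run: CGO_ENABLED=0 go build -ldflags="-s -w" -o /dev/null ./cmd/securectl/

  python-test:
    name: Python Test & Lint
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.12"
      - name: Install dependencies
        # NOTE(review): these are pulled unpinned from PyPI on every run, so
        # the test environment is not reproducible and a compromised or
        # yanked release lands here first. Prefer a requirements file with
        # pinned versions and --require-hashes.
        run: pip install pyyaml flask requests pytest
      - name: Lint (syntax check)
        # py_compile only proves each file parses. It is not a linter: unused
        # imports, undefined names and style issues pass this step.
        run: |
          python -m py_compile services/quarantine/quarantine/pipeline.py
          python -m py_compile services/quarantine/quarantine/watcher.py
          python -m py_compile services/ui/ui/app.py
          python -m py_compile services/search-mediator/app.py
          python -m py_compile services/diffusion-worker/app.py
          python -m py_compile services/common/audit_chain.py
          python -m py_compile services/common/auth.py
          python -m py_compile services/common/mlock_helper.py
      - name: Test
        run: python -m pytest tests/ -v

  shellcheck:
    name: Shell Script Lint
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Lint shell scripts
        # Uses the shellcheck preinstalled on the ubuntu-latest image, so the
        # checker version floats with the runner image. An unmatched glob is
        # passed literally and makes shellcheck fail, which is the safe side.
        run: |
          shellcheck -s bash \
            files/system/usr/libexec/secure-ai/*.sh \
            files/scripts/build-services.sh \
            files/scripts/generate-mok.sh

  policy-validate:
    name: Validate YAML configs
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.12"
      - name: Install pyyaml
        # NOTE(review): unpinned, same caveat as in python-test.
        run: pip install pyyaml
      - name: Validate YAML files
        # Parse-only check: proves each file is well-formed YAML (via the safe
        # loader, so no tag-based object construction), not that it matches
        # any module or recipe schema. The script is fed through a quoted
        # heredoc so the shell never expands anything inside it, and a glob
        # that matches nothing is a failure rather than a silent pass.
        run: |
          python - <<'PY'
          import glob
          import sys

          import yaml

          PATTERNS = [
              "files/system/etc/secure-ai/**/*.yaml",
              "recipes/*.yml",
          ]

          errors = 0
          for pattern in PATTERNS:
              matched = sorted(glob.glob(pattern, recursive=True))
              if not matched:
                  # A moved or renamed directory would otherwise make this job
                  # pass while validating nothing.
                  print(f"FAIL: no files matched {pattern}")
                  errors += 1
                  continue
              for path in matched:
                  try:
                      with open(path, encoding="utf-8") as fh:
                          yaml.safe_load(fh)
                  except Exception as exc:  # report every bad file, fail once at the end
                      print(f"FAIL: {path}: {exc}")
                      errors += 1
                  else:
                      print(f"OK: {path}")

          # Exit status is taken modulo 256, so sys.exit(errors) would report
          # success for exactly 256 failures; collapse to a boolean instead.
          sys.exit(1 if errors else 0)
          PY

  check-pins:
    name: Verify action pins
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      # Presumably verifies that every `uses:` in .github/ is pinned to a
      # full commit SHA like the ones above; the script itself is outside
      # this file, so confirm what it actually enforces there.
      - name: Check action pins
        run: bash .github/scripts/check-action-pins.sh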