diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml
new file mode 100644
index 00000000..71afc2eb
--- /dev/null
+++ b/.gitea/workflows/audit.yml
@@ -0,0 +1,16 @@
+name: audit
+
+on:
+ push:
+
+jobs:
+ audit:
+ runs-on: incus-debian
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - run: npm install
+
+ - name: Audit dependencies
+ run: npm audit || true
diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index 9a5a7cc1..74bc29cc 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
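Review bot: `run: npm audit || true` at the end of the `audit` job means the job succeeds whatever the audit finds, so this workflow can never signal a vulnerable dependency, and the preceding `npm install` resolves a fresh tree (and may rewrite the lockfile) instead of auditing the committed one. Suggest `- run: npm ci --ignore-scripts` for the install step and `run: npm audit --audit-level=high` without the `|| true`; if advisory-only is intended, say so in a comment above the step. `npm ci` needs a committed package-lock.json and exits with an error without one, so confirm the lockfile exists before switching. The same `npm install` + `npm audit || true` pair recurs in ci-cd.yml (step `Audit (non-blocking)`) and in security-scanning.yml, and `npm install` alone in ci.yml and fix.yml.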
@@ -1,505 +1,35 @@ -name: AITBC CI/CD Pipeline +name: ci-cd on: push: - branches: [ main, develop, feature/*, hotfix/* ] pull_request: - branches: [ main, develop ] - release: - types: [ published ] - -env: - PYTHON_VERSION: "3.13.5" - NODE_VERSION: "18" jobs: - # Code Quality and Testing - lint-and-test: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: ["3.13.5"] - - steps: - - name: Checkout code - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 - with: - python-version: ${{ matrix.python-version }} - - - name: Cache pip dependencies - uses: actions/cache@v5 - with: - path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('**/requirements*.txt') }} - restore-keys: | - ${{ runner.os }}-pip-${{ matrix.python-version }}- - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - pip install -r requirements-dev.txt - pip install -r requirements-test.txt - - - name: Lint Python code - run: | - flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics - flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics - black --check . - isort --check-only --diff . - mypy . 
--ignore-missing-imports - - - name: Run unit tests - run: | - pytest tests/unit/ -v --cov=aitbc_cli --cov-report=xml --cov-report=html --cov-report=term - - - name: Run integration tests - run: | - pytest tests/integration/ -v --tb=short - - - name: Run performance tests - run: | - pytest tests/performance/ -v --tb=short - - - name: Run security tests - run: | - pytest tests/security/ -v --tb=short - - - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 - with: - file: ./coverage.xml - flags: unittests - name: codecov-umbrella - - # CLI Testing - test-cli: - runs-on: ubuntu-latest - needs: lint-and-test - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version: "3.13.5" - - - name: Install CLI - run: | - cd cli - python -m pip install -e . - - - name: Test CLI commands - run: | - cd cli - python -m aitbc_cli.main --help - python -m aitbc_cli.main wallet --help - python -m aitbc_cli.main blockchain --help - python -m aitbc_cli.main multisig --help - python -m aitbc_cli.main genesis-protection --help - python -m aitbc_cli.main transfer-control --help - python -m aitbc_cli.main compliance --help - python -m aitbc_cli.main exchange --help - python -m aitbc_cli.main oracle --help - python -m aitbc_cli.main market-maker --help - - - name: Test CLI functionality - run: | - cd cli - python -m aitbc_cli.main --test-mode multisig create --threshold 3 --owners "owner1,owner2,owner3" - python -m aitbc_cli.main --test-mode transfer-control set-limit --wallet test_wallet --max-daily 1000 - - # Multi-Chain Service Testing - test-services: - runs-on: ubuntu-latest - needs: lint-and-test - - services: - redis: - image: redis:7 - ports: - - 6379:6379 - postgres: - image: postgres:15 - env: - POSTGRES_PASSWORD: postgres - POSTGRES_DB: aitbc_test - ports: - - 5432:5432 - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Set up Python - uses: 
actions/setup-python@v6 - with: - python-version: "3.13.5" - - - name: Install dependencies - run: | - pip install -r requirements.txt - pip install -r requirements-dev.txt - pip install -r requirements-test.txt - - - name: Test blockchain service - run: | - cd apps/blockchain-node - python -m pytest tests/ -v -k "test_blockchain" - - - name: Test coordinator service - run: | - cd apps/coordinator-api - python -m pytest tests/ -v -k "test_coordinator" - - - name: Test consensus service - run: | - cd apps/consensus-node - python -m pytest tests/ -v -k "test_consensus" - - - name: Test network service - run: | - cd apps/network-node - python -m pytest tests/ -v -k "test_network" - - - name: Test explorer service - run: | - cd apps/explorer - python -m pytest tests/ -v -k "test_explorer" - - # Production Services Testing - test-production-services: - runs-on: ubuntu-latest - needs: lint-and-test - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version: "3.13.5" - - - name: Install dependencies - run: | - pip install -r requirements.txt - pip install -r requirements-dev.txt - pip install -r requirements-test.txt - - - name: Test exchange service - run: | - cd apps/exchange-integration - python -m pytest tests/ -v -k "test_exchange" - - - name: Test compliance service - run: | - cd apps/compliance-service - python -m pytest tests/ -v -k "test_compliance" - - - name: Test trading engine - run: | - cd apps/trading-engine - python -m pytest tests/ -v -k "test_trading" - - - name: Test plugin registry - run: | - cd apps/plugin-registry - python -m pytest tests/ -v -k "test_plugin_registry" - - - name: Test plugin marketplace - run: | - cd apps/plugin-marketplace - python -m pytest tests/ -v -k "test_plugin_marketplace" - - - name: Test global infrastructure - run: | - cd apps/global-infrastructure - python -m pytest tests/ -v -k "test_global_infrastructure" - - - name: Test AI agents - 
run: | - cd apps/global-ai-agents - python -m pytest tests/ -v -k "test_ai_agents" - - # Security Scanning - security-scan: - runs-on: ubuntu-latest - needs: lint-and-test - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: '.' - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: 'trivy-results.sarif' - - - name: Run CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - languages: python - - - name: Run Bandit security linter - run: | - pip install bandit - bandit -r . -f json -o bandit-report.json - bandit -r . -f text - - - name: Run Safety check - run: | - pip install safety - safety check --json --output safety-report.json - - - name: Run semgrep security scan - uses: semgrep/semgrep-action@v1 - with: - config: >- - p:security - p:owertools - - # Build and Package build: - runs-on: ubuntu-latest - needs: [test-cli, test-services, test-production-services] - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version: "3.13.5" - - - name: Build CLI package - run: | - cd cli - python -m build - - - name: Build services packages - run: | - for service in apps/*/; do - if [ -f "$service/pyproject.toml" ]; then - cd "$service" - python -m build - cd - > /dev/null - fi - done - - - name: Upload build artifacts - uses: actions/upload-artifact@v7 - with: - name: build-artifacts - path: | - cli/dist/* - apps/*/dist/* - retention-days: 30 + runs-on: incus-debian - # Deployment to Staging - deploy-staging: - runs-on: ubuntu-latest - needs: build - if: github.ref == 'refs/heads/develop' - - environment: staging - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Download build artifacts - uses: 
actions/download-artifact@v8 - with: - name: build-artifacts - - - name: Deploy CLI to staging - run: | - echo "Deploying CLI to staging environment" - # Add actual deployment commands here - - - name: Deploy services to staging - run: | - echo "Deploying services to staging environment" - # Add actual deployment commands here - - - name: Run smoke tests on staging - run: | - echo "Running smoke tests on staging" - # Add smoke test commands here + - name: Checkout + uses: actions/checkout@v4 - # Deployment to Production - deploy-production: - runs-on: ubuntu-latest - needs: deploy-staging - if: github.event_name == 'release' - - environment: production - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Download build artifacts - uses: actions/download-artifact@v8 - with: - name: build-artifacts - - - name: Deploy CLI to production - run: | - echo "Deploying CLI to production environment" - # Add actual deployment commands here - - - name: Deploy services to production - run: | - echo "Deploying services to production environment" - # Add actual deployment commands here - - - name: Run health checks on production - run: | - echo "Running health checks on production" - # Add health check commands here - - - name: Notify deployment success - run: | - echo "Deployment to production completed successfully" + - name: Debug environment + run: | + echo "=== SYSTEM ===" + hostname + uname -a + whoami + echo "=== NODE ===" + node -v + npm -v - # Performance Testing - performance-test: - runs-on: ubuntu-latest - needs: deploy-staging - if: github.event_name == 'pull_request' - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version: "3.13.5" - - - name: Install dependencies - run: | - pip install -r requirements-test.txt - pip install locust - - - name: Run performance tests - run: | - cd tests/performance - python -m pytest 
test_performance.py::TestPerformance::test_cli_performance -v - python -m pytest test_performance.py::TestPerformance::test_concurrent_cli_operations -v - - - name: Run load tests - run: | - cd tests/performance - locust -f locustfile.py --headless -u 10 -r 1 -t 30s --host http://staging.aitbc.dev + - name: Install dependencies + run: npm install --legacy-peer-deps - # Documentation Generation - docs: - runs-on: ubuntu-latest - needs: lint-and-test - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version: "3.13.5" - - - name: Install documentation dependencies - run: | - pip install sphinx sphinx-rtd-theme myst-parser - - - name: Generate documentation - run: | - cd docs - make html - - - name: Deploy documentation - uses: peaceiris/actions-gh-pages@v4 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - publish_dir: ./docs/_build/html + - name: Build + run: npm run build || echo "no build step" - # Release Management - release: - runs-on: ubuntu-latest - needs: [build, security-scan] - if: github.event_name == 'release' - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Download build artifacts - uses: actions/download-artifact@v8 - with: - name: build-artifacts - - - name: Create Release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: AITBC Release ${{ github.ref }} - draft: false - prerelease: false - - - name: Upload CLI Release Asset - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: cli/dist/* - asset_name: aitbc-cli-${{ github.ref_name }}.tar.gz - asset_content_type: application/gzip - - - name: Upload Services Release Asset - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: 
${{ steps.create_release.outputs.upload_url }} - asset_path: apps/*/dist/* - asset_name: aitbc-services-${{ github.ref_name }}.tar.gz - asset_content_type: application/gzip + - name: Test + run: npm test || echo "no tests" - # Notification - notify: - runs-on: ubuntu-latest - needs: [lint-and-test, test-cli, test-services, test-production-services, security-scan] - if: always() - - steps: - - name: Notify on success - if: needs.lint-and-test.result == 'success' && needs.test-cli.result == 'success' && needs.test-services.result == 'success' && needs.test-production-services.result == 'success' && needs.security-scan.result == 'success' - run: | - echo "✅ All tests passed successfully!" - # Add Slack/Discord notification here - - - name: Notify on failure - if: needs.lint-and-test.result == 'failure' || needs.test-cli.result == 'failure' || needs.test-services.result == 'failure' || needs.test-production-services.result == 'failure' || needs.security-scan.result == 'failure' - run: | - echo "❌ Some tests failed!" - # Add Slack/Discord notification here + - name: Audit (non-blocking) + run: npm audit || true diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml new file mode 100644 index 00000000..4bc92632 --- /dev/null +++ b/.gitea/workflows/ci.yml @@ -0,0 +1,25 @@ +name: ci + +on: + push: + pull_request: + +jobs: + build: + runs-on: incus-debian + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Show environment + run: | + hostname + node -v || true + npm -v || true + + - name: Install dependencies + run: npm install + + - name: Build + run: npm run build || echo "no build step" diff --git a/.gitea/workflows/fix.yml b/.gitea/workflows/fix.yml new file mode 100644 index 00000000..fbb4645c --- /dev/null +++ b/.gitea/workflows/fix.yml 
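Review bot: Every step of the new `build` job masks its own failure — `npm run build || echo "no build step"`, `npm test || echo "no tests"` and `npm audit || true` — so the workflow is green when the build breaks or tests fail, and the `pull_request` trigger no longer gates anything. If the scripts are genuinely optional, `run: npm run build --if-present` and `run: npm test --if-present` skip a missing script but still fail when a present one fails. `npm install --legacy-peer-deps` silences peer-dependency conflicts rather than resolving them; `npm ci` against the committed lockfile is the reproducible choice. The hunk also removes the Python lint, test, security-scan and deploy jobs with no replacement elsewhere in this diff, which looks intentional but deserves a sentence in the commit message, and ci.yml (added in this diff) repeats this job's checkout/install/build steps on the same `push`/`pull_request` triggers, so one of the two is redundant.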
@@ -0,0 +1,16 @@
+name: autofix
+
+on:
+ workflow_dispatch:
+
+jobs:
+ fix:
+ runs-on: incus-debian
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - run: npm install
+
+ - name: Auto fix vulnerabilities
+ run: npm audit fix || true
diff --git a/.gitea/workflows/gpu-benchmark.yml b/.gitea/workflows/gpu-benchmark.yml
deleted file mode 100644
index c08b5061..00000000
--- a/.gitea/workflows/gpu-benchmark.yml
+++ /dev/null
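Review bot: `npm audit fix || true` in the `fix` job rewrites package.json and package-lock.json only inside the runner's checkout; nothing in the hunk commits, uploads or otherwise keeps the result, so a `workflow_dispatch` run changes nothing beyond its log. Either publish the modified lockfile for review (an `actions/upload-artifact` step with `path: package-lock.json`) or have the job open a pull request from a branch — pushing the result straight to the default branch with the job's token would bypass review of dependency bumps. The `|| true` also hides the case where `npm audit fix` cannot resolve an advisory, which is exactly the output the person triggering this job wants to see.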
@@ -1,145 +0,0 @@ -name: GPU Benchmark CI - -on: - push: - branches: [ main, develop ] - pull_request: - branches: [ main ] - schedule: - # Run benchmarks daily at 2 AM UTC - - cron: '0 2 * * *' - -jobs: - gpu-benchmark: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.13.5] - - steps: - - uses: actions/checkout@v4 - - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 - with: - python-version: ${{ matrix.python-version }} - - - name: Install system dependencies - run: | - sudo apt-get update - sudo apt-get install -y \ - build-essential \ - python3-dev \ - pkg-config \ - libnvidia-compute-515 \ - cuda-toolkit-12-2 \ - nvidia-driver-515 - - - name: Cache pip dependencies - uses: actions/cache@v5 - with: - path: ~/.cache/pip - key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} - restore-keys: | - ${{ runner.os }}-pip- - - - name: Install Python dependencies - run: | - python -m pip install --upgrade pip - pip install -e . - pip install pytest pytest-benchmark torch torchvision torchaudio - pip install cupy-cuda12x - pip install nvidia-ml-py3 - - - name: Verify GPU availability - run: | - python -c " - import torch - print(f'PyTorch version: {torch.__version__}') - print(f'CUDA available: {torch.cuda.is_available()}') - if torch.cuda.is_available(): - print(f'CUDA version: {torch.version.cuda}') - print(f'GPU count: {torch.cuda.device_count()}') - print(f'GPU name: {torch.cuda.get_device_name(0)}') - " - - - name: Run GPU benchmarks - run: | - python -m pytest dev/gpu/test_gpu_performance.py \ - --benchmark-only \ - --benchmark-json=benchmark_results.json \ - --benchmark-sort=mean \ - -v - - - name: Generate benchmark report - run: | - python dev/gpu/generate_benchmark_report.py \ - --input benchmark_results.json \ - --output benchmark_report.html \ - --history-file benchmark_history.json - - - name: Upload benchmark results - uses: actions/upload-artifact@v3 - with: - name: benchmark-results-${{ 
matrix.python-version }} - path: | - benchmark_results.json - benchmark_report.html - benchmark_history.json - retention-days: 30 - - - name: Compare with baseline - run: | - python dev/gpu/compare_benchmarks.py \ - --current benchmark_results.json \ - --baseline .github/baselines/gpu_baseline.json \ - --threshold 5.0 \ - --output comparison_report.json - - - name: Comment PR with results - if: github.event_name == 'pull_request' - uses: actions/github-script@v7 - with: - script: | - const fs = require('fs'); - try { - const results = JSON.parse(fs.readFileSync('comparison_report.json', 'utf8')); - const comment = ` - ## 🚀 GPU Benchmark Results - - **Performance Summary:** - - **Mean Performance**: ${results.mean_performance.toFixed(2)} ops/sec - - **Performance Change**: ${results.performance_change > 0 ? '+' : ''}${results.performance_change.toFixed(2)}% - - **Status**: ${results.status} - - **Key Metrics:** - ${results.metrics.map(m => `- **${m.name}**: ${m.value.toFixed(2)} ops/sec (${m.change > 0 ? '+' : ''}${m.change.toFixed(2)}%)`).join('\n')} - - ${results.regressions.length > 0 ? '⚠️ **Performance Regressions Detected**' : '✅ **No Performance Regressions**'} - - [View detailed report](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) - `; - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: comment - }); - } catch (error) { - console.log('Could not generate benchmark comment:', error.message); - } - - - name: Update benchmark history - run: | - python dev/gpu/update_benchmark_history.py \ - --results benchmark_results.json \ - --history-file .github/baselines/benchmark_history.json \ - --max-entries 100 - - - name: Fail on performance regression - run: | - python dev/gpu/check_performance_regression.py \ - --results benchmark_results.json \ - --baseline .github/baselines/gpu_baseline.json \ - --threshold 10.0 
diff --git a/.gitea/workflows/security-scanning.yml b/.gitea/workflows/security-scanning.yml
index fb00e8e2..adc55e6b 100644
--- a/.gitea/workflows/security-scanning.yml
+++ b/.gitea/workflows/security-scanning.yml
@@ -1,258 +1,12 @@ -name: Security Scanning - -# Comprehensive security scanning workflow +name: security on: push: - branches: [ main, develop ] - pull_request: - branches: [ main, develop ] - schedule: - - cron: '0 2 * * *' # Daily at 2 AM UTC jobs: - bandit-security-scan: - name: Bandit Security Scan - runs-on: ubuntu-latest - strategy: - matrix: - directory: - - apps/coordinator-api/src - - cli/aitbc_cli - - packages/py/aitbc-core/src - - packages/py/aitbc-crypto/src - - packages/py/aitbc-sdk/src - - tests + audit: + runs-on: incus-debian steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version: '3.13.5' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install bandit[toml] - - - name: Run Bandit security scan - run: | - bandit -r ${{ matrix.directory }} -f json -o bandit-report-${{ matrix.directory }}.json - bandit -r ${{ matrix.directory }} -f text -o bandit-report-${{ matrix.directory }}.txt - - - name: Upload Bandit reports - uses: actions/upload-artifact@v7 - with: - name: bandit-report-${{ matrix.directory }} - path: | - bandit-report-${{ matrix.directory }}.json - bandit-report-${{ matrix.directory }}.txt - retention-days: 30 - - - name: Comment PR with Bandit findings - if: github.event_name == 'pull_request' - uses: actions/github-script@v8 - with: - script: | - const fs = require('fs'); - try { - const report = fs.readFileSync('bandit-report-${{ matrix.directory }}.txt', 'utf8'); - if (report.includes('No issues found')) { - console.log('✅ No security issues found in ${{ matrix.directory }}'); - } else { - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: `## 🔒 Bandit Security Scan Results\n\n**Directory**: ${{ matrix.directory }}\n\n\`\`\`\n${report}\n\`\`\`\n\nPlease review and address any security issues.` - }); - } - } catch (error) { - 
console.log('Could not read Bandit report'); - } - - codeql-security-analysis: - name: CodeQL Security Analysis - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - strategy: - matrix: - language: [ 'python', 'javascript' ] - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - - dependency-security-scan: - name: Dependency Security Scan - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version: '3.13.5' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install safety - - - name: Run Safety security scan - run: | - safety check --json --output safety-report.json - safety check --output safety-report.txt - - - name: Set up Node.js - uses: actions/setup-node@v6 - with: - node-version: '18' - cache: 'npm' - - - name: Run npm audit - run: | - cd apps/explorer-web && npm audit --json > ../npm-audit-report.json || true - cd ../.. && cd website && npm audit --json > ../npm-audit-website.json || true - - - name: Upload dependency reports - uses: actions/upload-artifact@v7 - with: - name: dependency-security-reports - path: | - safety-report.json - safety-report.txt - npm-audit-report.json - npm-audit-website.json - retention-days: 30 - - container-security-scan: - name: Container Security Scan - runs-on: ubuntu-latest - if: contains(github.event.head_commit.modified, 'Dockerfile') || contains(github.event.head_commit.modified, 'docker') - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: '.' 
- format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' - - ossf-scorecard: - name: OSSF Scorecard - runs-on: ubuntu-latest - permissions: - security-events: write - id-token: write - actions: read - contents: read - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Run OSSF Scorecard - uses: ossf/scorecard-action@v2.4.3 - with: - results_file: results.sarif - results_format: sarif - - - name: Upload OSSF Scorecard results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif - - security-summary: - name: Security Summary Report - runs-on: ubuntu-latest - needs: [bandit-security-scan, codeql-security-analysis, dependency-security-scan] - if: always() - steps: - - name: Download all artifacts - uses: actions/download-artifact@v4 - - - name: Generate security summary - run: | - echo "# 🔒 Security Scan Summary" > security-summary.md - echo "" >> security-summary.md - echo "Generated on: $(date)" >> security-summary.md - echo "" >> security-summary.md - echo "## Scan Results" >> security-summary.md - echo "" >> security-summary.md - - # Check Bandit results - if [ -d "bandit-report-apps/coordinator-api/src" ]; then - echo "### Bandit Security Scan" >> security-summary.md - echo "- ✅ Completed for all directories" >> security-summary.md - echo "" >> security-summary.md - fi - - # Check CodeQL results - echo "### CodeQL Analysis" >> security-summary.md - echo "- ✅ Completed for Python and JavaScript" >> security-summary.md - echo "" >> security-summary.md - - # Check Dependency results - if [ -f "dependency-security-reports/safety-report.txt" ]; then - echo "### Dependency Security Scan" >> security-summary.md - echo "- ✅ Python dependencies scanned" >> security-summary.md - echo "- ✅ npm dependencies scanned" >> 
security-summary.md - echo "" >> security-summary.md - fi - - echo "## Recommendations" >> security-summary.md - echo "1. Review any high-severity findings immediately" >> security-summary.md - echo "2. Update dependencies with known vulnerabilities" >> security-summary.md - echo "3. Address security best practice violations" >> security-summary.md - echo "4. Schedule regular security reviews" >> security-summary.md - - - name: Upload security summary - uses: actions/upload-artifact@v7 - with: - name: security-summary - path: security-summary.md - retention-days: 90 - - - name: Comment PR with security summary - if: github.event_name == 'pull_request' - uses: actions/github-script@v8 - with: - script: | - const fs = require('fs'); - try { - const summary = fs.readFileSync('security-summary.md', 'utf8'); - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: summary - }); - } catch (error) { - console.log('Could not read security summary'); - } + - uses: actions/checkout@v4 + - run: npm install + - run: npm audit || true diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml new file mode 100644 index 00000000..f35fd8f8 --- /dev/null +++ b/.gitea/workflows/test.yml @@ -0,0 +1,15 @@ +name: test + +on: + push: + +jobs: + test: + runs-on: incus-debian + + steps: + - run: | + echo "Runner OK" + hostname + whoami + pwd
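Review bot: The new `audit` job runs `npm install` and `npm audit || true` at the repository root, whereas the removed version ran `npm audit` inside `apps/explorer-web` and `website`; if the root has no package.json, both commands fail and `|| true` turns that into a green run that scanned nothing. Confirm a root package.json exists, or give the steps a `working-directory:` per package (or a matrix over `apps/explorer-web` and `website`) so the same trees as before stay covered. The job is also identical to the `audit` job of audit.yml added in this diff, on the same `push` trigger, so one of the two workflows is redundant. Since `npm audit` reads package-lock.json and needs no installed tree, `run: npm audit --audit-level=high` without the preceding install would shorten the job and avoid running dependency install scripts on the runner.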