oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity

mv to gitea workflow
Some checks failed
AITBC CI/CD Pipeline / lint-and-test (3.13.5) (push) Has been cancelled
Details
AITBC CI/CD Pipeline / test-cli (push) Has been cancelled
Details
AITBC CI/CD Pipeline / test-services (push) Has been cancelled
Details
AITBC CI/CD Pipeline / test-production-services (push) Has been cancelled
Details
AITBC CI/CD Pipeline / security-scan (push) Has been cancelled
Details
AITBC CI/CD Pipeline / build (push) Has been cancelled
Details
AITBC CI/CD Pipeline / deploy-staging (push) Has been cancelled
Details
AITBC CI/CD Pipeline / deploy-production (push) Has been cancelled
Details
AITBC CI/CD Pipeline / performance-test (push) Has been cancelled
Details
AITBC CI/CD Pipeline / docs (push) Has been cancelled
Details
AITBC CI/CD Pipeline / release (push) Has been cancelled
Details
AITBC CI/CD Pipeline / notify (push) Has been cancelled
Details
Security Scanning / Bandit Security Scan (apps/coordinator-api/src) (push) Has been cancelled
Details
Security Scanning / Bandit Security Scan (cli/aitbc_cli) (push) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-core/src) (push) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-crypto/src) (push) Has been cancelled
Details
Security Scanning / Bandit Security Scan (packages/py/aitbc-sdk/src) (push) Has been cancelled
Details
Security Scanning / Bandit Security Scan (tests) (push) Has been cancelled
Details
Security Scanning / CodeQL Security Analysis (javascript) (push) Has been cancelled
Details
Security Scanning / CodeQL Security Analysis (python) (push) Has been cancelled
Details
Security Scanning / Dependency Security Scan (push) Has been cancelled
Details
Security Scanning / Container Security Scan (push) Has been cancelled
Details
Security Scanning / OSSF Scorecard (push) Has been cancelled
Details
Security Scanning / Security Summary Report (push) Has been cancelled
Details
AITBC CLI Level 1 Commands Test / test-cli-level1 (3.13.5) (push) Has been cancelled
Details
AITBC CLI Level 1 Commands Test / test-summary (push) Has been cancelled
Details
GPU Benchmark CI / gpu-benchmark (3.13.5) (push) Has been cancelled
Details

Browse Source
This commit is contained in:
aitbc1
2026-03-27 11:08:02 +01:00
parent 632f52c774
commit 9b5cfa775c
4 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

505
.github/workflows/ci-cd.yml vendored
View File

@@ -1,505 +0,0 @@
name: AITBC CI/CD Pipeline
on:
push:
branches: [ main, develop, feature/*, hotfix/* ]
pull_request:
branches: [ main, develop ]
release:
types: [ published ]
env:
PYTHON_VERSION: "3.13.5"
NODE_VERSION: "18"
jobs:
# Code Quality and Testing
lint-and-test:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.13.5"]
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Cache pip dependencies
uses: actions/cache@v5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('**/requirements*.txt') }}
restore-keys: |
${{ runner.os }}-pip-${{ matrix.python-version }}-
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install -r requirements-dev.txt
pip install -r requirements-test.txt
- name: Lint Python code
run: |
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
black --check .
isort --check-only --diff .
mypy . --ignore-missing-imports
- name: Run unit tests
run: |
pytest tests/unit/ -v --cov=aitbc_cli --cov-report=xml --cov-report=html --cov-report=term
- name: Run integration tests
run: |
pytest tests/integration/ -v --tb=short
- name: Run performance tests
run: |
pytest tests/performance/ -v --tb=short
- name: Run security tests
run: |
pytest tests/security/ -v --tb=short
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
with:
file: ./coverage.xml
flags: unittests
name: codecov-umbrella
# CLI Testing
test-cli:
runs-on: ubuntu-latest
needs: lint-and-test
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.13.5"
- name: Install CLI
run: |
cd cli
python -m pip install -e .
- name: Test CLI commands
run: |
cd cli
python -m aitbc_cli.main --help
python -m aitbc_cli.main wallet --help
python -m aitbc_cli.main blockchain --help
python -m aitbc_cli.main multisig --help
python -m aitbc_cli.main genesis-protection --help
python -m aitbc_cli.main transfer-control --help
python -m aitbc_cli.main compliance --help
python -m aitbc_cli.main exchange --help
python -m aitbc_cli.main oracle --help
python -m aitbc_cli.main market-maker --help
- name: Test CLI functionality
run: |
cd cli
python -m aitbc_cli.main --test-mode multisig create --threshold 3 --owners "owner1,owner2,owner3"
python -m aitbc_cli.main --test-mode transfer-control set-limit --wallet test_wallet --max-daily 1000
# Multi-Chain Service Testing
test-services:
runs-on: ubuntu-latest
needs: lint-and-test
services:
redis:
image: redis:7
ports:
- 6379:6379
postgres:
image: postgres:15
env:
POSTGRES_PASSWORD: postgres
POSTGRES_DB: aitbc_test
ports:
- 5432:5432
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.13.5"
- name: Install dependencies
run: |
pip install -r requirements.txt
pip install -r requirements-dev.txt
pip install -r requirements-test.txt
- name: Test blockchain service
run: |
cd apps/blockchain-node
python -m pytest tests/ -v -k "test_blockchain"
- name: Test coordinator service
run: |
cd apps/coordinator-api
python -m pytest tests/ -v -k "test_coordinator"
- name: Test consensus service
run: |
cd apps/consensus-node
python -m pytest tests/ -v -k "test_consensus"
- name: Test network service
run: |
cd apps/network-node
python -m pytest tests/ -v -k "test_network"
- name: Test explorer service
run: |
cd apps/explorer
python -m pytest tests/ -v -k "test_explorer"
# Production Services Testing
test-production-services:
runs-on: ubuntu-latest
needs: lint-and-test
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.13.5"
- name: Install dependencies
run: |
pip install -r requirements.txt
pip install -r requirements-dev.txt
pip install -r requirements-test.txt
- name: Test exchange service
run: |
cd apps/exchange-integration
python -m pytest tests/ -v -k "test_exchange"
- name: Test compliance service
run: |
cd apps/compliance-service
python -m pytest tests/ -v -k "test_compliance"
- name: Test trading engine
run: |
cd apps/trading-engine
python -m pytest tests/ -v -k "test_trading"
- name: Test plugin registry
run: |
cd apps/plugin-registry
python -m pytest tests/ -v -k "test_plugin_registry"
- name: Test plugin marketplace
run: |
cd apps/plugin-marketplace
python -m pytest tests/ -v -k "test_plugin_marketplace"
- name: Test global infrastructure
run: |
cd apps/global-infrastructure
python -m pytest tests/ -v -k "test_global_infrastructure"
- name: Test AI agents
run: |
cd apps/global-ai-agents
python -m pytest tests/ -v -k "test_ai_agents"
# Security Scanning
security-scan:
runs-on: ubuntu-latest
needs: lint-and-test
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
- name: Run CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
languages: python
- name: Run Bandit security linter
run: |
pip install bandit
bandit -r . -f json -o bandit-report.json
bandit -r . -f text
- name: Run Safety check
run: |
pip install safety
safety check --json --output safety-report.json
- name: Run semgrep security scan
uses: semgrep/semgrep-action@v1
with:
config: >-
p:security
p:owertools
# Build and Package
build:
runs-on: ubuntu-latest
needs: [test-cli, test-services, test-production-services]
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.13.5"
- name: Build CLI package
run: |
cd cli
python -m build
- name: Build services packages
run: |
for service in apps/*/; do
if [ -f "$service/pyproject.toml" ]; then
cd "$service"
python -m build
cd - > /dev/null
fi
done
- name: Upload build artifacts
uses: actions/upload-artifact@v7
with:
name: build-artifacts
path: |
cli/dist/*
apps/*/dist/*
retention-days: 30
# Deployment to Staging
deploy-staging:
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/develop'
environment: staging
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Download build artifacts
uses: actions/download-artifact@v8
with:
name: build-artifacts
- name: Deploy CLI to staging
run: |
echo "Deploying CLI to staging environment"
# Add actual deployment commands here
- name: Deploy services to staging
run: |
echo "Deploying services to staging environment"
# Add actual deployment commands here
- name: Run smoke tests on staging
run: |
echo "Running smoke tests on staging"
# Add smoke test commands here
# Deployment to Production
deploy-production:
runs-on: ubuntu-latest
needs: deploy-staging
if: github.event_name == 'release'
environment: production
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Download build artifacts
uses: actions/download-artifact@v8
with:
name: build-artifacts
- name: Deploy CLI to production
run: |
echo "Deploying CLI to production environment"
# Add actual deployment commands here
- name: Deploy services to production
run: |
echo "Deploying services to production environment"
# Add actual deployment commands here
- name: Run health checks on production
run: |
echo "Running health checks on production"
# Add health check commands here
- name: Notify deployment success
run: |
echo "Deployment to production completed successfully"
# Performance Testing
performance-test:
runs-on: ubuntu-latest
needs: deploy-staging
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.13.5"
- name: Install dependencies
run: |
pip install -r requirements-test.txt
pip install locust
- name: Run performance tests
run: |
cd tests/performance
python -m pytest test_performance.py::TestPerformance::test_cli_performance -v
python -m pytest test_performance.py::TestPerformance::test_concurrent_cli_operations -v
- name: Run load tests
run: |
cd tests/performance
locust -f locustfile.py --headless -u 10 -r 1 -t 30s --host http://staging.aitbc.dev
# Documentation Generation
docs:
runs-on: ubuntu-latest
needs: lint-and-test
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.13.5"
- name: Install documentation dependencies
run: |
pip install sphinx sphinx-rtd-theme myst-parser
- name: Generate documentation
run: |
cd docs
make html
- name: Deploy documentation
uses: peaceiris/actions-gh-pages@v4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs/_build/html
# Release Management
release:
runs-on: ubuntu-latest
needs: [build, security-scan]
if: github.event_name == 'release'
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Download build artifacts
uses: actions/download-artifact@v8
with:
name: build-artifacts
- name: Create Release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: AITBC Release ${{ github.ref }}
draft: false
prerelease: false
- name: Upload CLI Release Asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: cli/dist/*
asset_name: aitbc-cli-${{ github.ref_name }}.tar.gz
asset_content_type: application/gzip
- name: Upload Services Release Asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: apps/*/dist/*
asset_name: aitbc-services-${{ github.ref_name }}.tar.gz
asset_content_type: application/gzip
# Notification
notify:
runs-on: ubuntu-latest
needs: [lint-and-test, test-cli, test-services, test-production-services, security-scan]
if: always()
steps:
- name: Notify on success
if: needs.lint-and-test.result == 'success' && needs.test-cli.result == 'success' && needs.test-services.result == 'success' && needs.test-production-services.result == 'success' && needs.security-scan.result == 'success'
run: |
echo "✅ All tests passed successfully!"
# Add Slack/Discord notification here
- name: Notify on failure
if: needs.lint-and-test.result == 'failure' || needs.test-cli.result == 'failure' || needs.test-services.result == 'failure' || needs.test-production-services.result == 'failure' || needs.security-scan.result == 'failure'
run: |
echo "❌ Some tests failed!"
# Add Slack/Discord notification here

159
.github/workflows/cli-level1-tests.yml vendored
View File

@@ -1,159 +0,0 @@
name: AITBC CLI Level 1 Commands Test
on:
push:
branches: [ main, develop ]
paths:
- 'cli/**'
- '.github/workflows/cli-level1-tests.yml'
pull_request:
branches: [ main, develop ]
paths:
- 'cli/**'
- '.github/workflows/cli-level1-tests.yml'
schedule:
- cron: '0 6 * * *' # Daily at 6 AM UTC
jobs:
test-cli-level1:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.13.5]
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Cache pip dependencies
uses: actions/cache@v5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements*.txt') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y python3-dev python3-pip python3-venv
- name: Create virtual environment
run: |
cd cli
python -m venv venv
source venv/bin/activate
- name: Install dependencies
run: |
cd cli
source venv/bin/activate
pip install --upgrade pip
pip install -e .
pip install pytest pytest-cov click httpx pyyaml
- name: Run Level 1 Commands Tests
run: |
cd cli/tests
python test_level1_commands.py
- name: Run tests with pytest (alternative)
run: |
cd cli
source venv/bin/activate
pytest tests/test_level1_commands.py -v --tb=short --cov=aitbc_cli --cov-report=xml
- name: Upload coverage to Codecov
if: matrix.python-version == '3.13'
uses: codecov/codecov-action@v3
with:
file: ./cli/coverage.xml
flags: unittests
name: codecov-umbrella
- name: Generate test report
if: always()
run: |
cd cli/tests
python -c "
import json
import subprocess
import sys
try:
result = subprocess.run([sys.executable, 'test_level1_commands.py'],
capture_output=True, text=True, timeout=300)
report = {
'exit_code': result.returncode,
'stdout': result.stdout,
'stderr': result.stderr,
'success': result.returncode == 0
}
with open('test_report.json', 'w') as f:
json.dump(report, f, indent=2)
print(f'Test completed with exit code: {result.returncode}')
if result.returncode == 0:
print('✅ All tests passed!')
else:
print('❌ Some tests failed!')
except Exception as e:
error_report = {
'exit_code': -1,
'error': str(e),
'success': False
}
with open('test_report.json', 'w') as f:
json.dump(error_report, f, indent=2)
print(f'❌ Test execution failed: {e}')
"
- name: Upload test artifacts
if: always()
uses: actions/upload-artifact@v7
with:
name: cli-test-results-python${{ matrix.python-version }}
path: |
cli/tests/test_report.json
cli/coverage.xml
retention-days: 7
test-summary:
runs-on: ubuntu-latest
needs: test-cli-level1
if: always()
steps:
- name: Download all artifacts
uses: actions/download-artifact@v8
- name: Summarize results
run: |
echo "## AITBC CLI Level 1 Commands Test Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
for py_version in 311 312 313; do
if [ -f "cli-test-results-python${py_version}/test_report.json" ]; then
echo "### Python ${py_version:0:1}.${py_version:1:2}" >> $GITHUB_STEP_SUMMARY
cat "cli-test-results-python${py_version}/test_report.json" | jq -r '.success' | \
if read success; then
if [ "$success" = "true" ]; then
echo "✅ **PASSED**" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **FAILED**" >> $GITHUB_STEP_SUMMARY
fi
else
echo "⚠️ **UNKNOWN**" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
fi
done

145
.github/workflows/gpu-benchmark.yml vendored
View File

@@ -1,145 +0,0 @@
name: GPU Benchmark CI
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
# Run benchmarks daily at 2 AM UTC
- cron: '0 2 * * *'
jobs:
gpu-benchmark:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.13.5]
steps:
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Install system dependencies
run: |
sudo apt-get update
sudo apt-get install -y \
build-essential \
python3-dev \
pkg-config \
libnvidia-compute-515 \
cuda-toolkit-12-2 \
nvidia-driver-515
- name: Cache pip dependencies
uses: actions/cache@v5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install Python dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install pytest pytest-benchmark torch torchvision torchaudio
pip install cupy-cuda12x
pip install nvidia-ml-py3
- name: Verify GPU availability
run: |
python -c "
import torch
print(f'PyTorch version: {torch.__version__}')
print(f'CUDA available: {torch.cuda.is_available()}')
if torch.cuda.is_available():
print(f'CUDA version: {torch.version.cuda}')
print(f'GPU count: {torch.cuda.device_count()}')
print(f'GPU name: {torch.cuda.get_device_name(0)}')
"
- name: Run GPU benchmarks
run: |
python -m pytest dev/gpu/test_gpu_performance.py \
--benchmark-only \
--benchmark-json=benchmark_results.json \
--benchmark-sort=mean \
-v
- name: Generate benchmark report
run: |
python dev/gpu/generate_benchmark_report.py \
--input benchmark_results.json \
--output benchmark_report.html \
--history-file benchmark_history.json
- name: Upload benchmark results
uses: actions/upload-artifact@v3
with:
name: benchmark-results-${{ matrix.python-version }}
path: |
benchmark_results.json
benchmark_report.html
benchmark_history.json
retention-days: 30
- name: Compare with baseline
run: |
python dev/gpu/compare_benchmarks.py \
--current benchmark_results.json \
--baseline .github/baselines/gpu_baseline.json \
--threshold 5.0 \
--output comparison_report.json
- name: Comment PR with results
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
try {
const results = JSON.parse(fs.readFileSync('comparison_report.json', 'utf8'));
const comment = `
## 🚀 GPU Benchmark Results
**Performance Summary:**
- **Mean Performance**: ${results.mean_performance.toFixed(2)} ops/sec
- **Performance Change**: ${results.performance_change > 0 ? '+' : ''}${results.performance_change.toFixed(2)}%
- **Status**: ${results.status}
**Key Metrics:**
${results.metrics.map(m => `- **${m.name}**: ${m.value.toFixed(2)} ops/sec (${m.change > 0 ? '+' : ''}${m.change.toFixed(2)}%)`).join('\n')}
${results.regressions.length > 0 ? '⚠️ **Performance Regressions Detected**' : '✅ **No Performance Regressions**'}
[View detailed report](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})
`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
} catch (error) {
console.log('Could not generate benchmark comment:', error.message);
}
- name: Update benchmark history
run: |
python dev/gpu/update_benchmark_history.py \
--results benchmark_results.json \
--history-file .github/baselines/benchmark_history.json \
--max-entries 100
- name: Fail on performance regression
run: |
python dev/gpu/check_performance_regression.py \
--results benchmark_results.json \
--baseline .github/baselines/gpu_baseline.json \
--threshold 10.0

258
.github/workflows/security-scanning.yml vendored
View File

@@ -1,258 +0,0 @@
name: Security Scanning
# Comprehensive security scanning workflow
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
schedule:
- cron: '0 2 * * *' # Daily at 2 AM UTC
jobs:
bandit-security-scan:
name: Bandit Security Scan
runs-on: ubuntu-latest
strategy:
matrix:
directory:
- apps/coordinator-api/src
- cli/aitbc_cli
- packages/py/aitbc-core/src
- packages/py/aitbc-crypto/src
- packages/py/aitbc-sdk/src
- tests
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: '3.13.5'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install bandit[toml]
- name: Run Bandit security scan
run: |
bandit -r ${{ matrix.directory }} -f json -o bandit-report-${{ matrix.directory }}.json
bandit -r ${{ matrix.directory }} -f text -o bandit-report-${{ matrix.directory }}.txt
- name: Upload Bandit reports
uses: actions/upload-artifact@v7
with:
name: bandit-report-${{ matrix.directory }}
path: |
bandit-report-${{ matrix.directory }}.json
bandit-report-${{ matrix.directory }}.txt
retention-days: 30
- name: Comment PR with Bandit findings
if: github.event_name == 'pull_request'
uses: actions/github-script@v8
with:
script: |
const fs = require('fs');
try {
const report = fs.readFileSync('bandit-report-${{ matrix.directory }}.txt', 'utf8');
if (report.includes('No issues found')) {
console.log('✅ No security issues found in ${{ matrix.directory }}');
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## 🔒 Bandit Security Scan Results\n\n**Directory**: ${{ matrix.directory }}\n\n\`\`\`\n${report}\n\`\`\`\n\nPlease review and address any security issues.`
});
}
} catch (error) {
console.log('Could not read Bandit report');
}
codeql-security-analysis:
name: CodeQL Security Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
language: [ 'python', 'javascript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
dependency-security-scan:
name: Dependency Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: '3.13.5'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install safety
- name: Run Safety security scan
run: |
safety check --json --output safety-report.json
safety check --output safety-report.txt
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: '18'
cache: 'npm'
- name: Run npm audit
run: |
cd apps/explorer-web && npm audit --json > ../npm-audit-report.json || true
cd ../.. && cd website && npm audit --json > ../npm-audit-website.json || true
- name: Upload dependency reports
uses: actions/upload-artifact@v7
with:
name: dependency-security-reports
path: |
safety-report.json
safety-report.txt
npm-audit-report.json
npm-audit-website.json
retention-days: 30
container-security-scan:
name: Container Security Scan
runs-on: ubuntu-latest
if: contains(github.event.head_commit.modified, 'Dockerfile') || contains(github.event.head_commit.modified, 'docker')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
ossf-scorecard:
name: OSSF Scorecard
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
actions: read
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Run OSSF Scorecard
uses: ossf/scorecard-action@v2.4.3
with:
results_file: results.sarif
results_format: sarif
- name: Upload OSSF Scorecard results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
security-summary:
name: Security Summary Report
runs-on: ubuntu-latest
needs: [bandit-security-scan, codeql-security-analysis, dependency-security-scan]
if: always()
steps:
- name: Download all artifacts
uses: actions/download-artifact@v4
- name: Generate security summary
run: |
echo "# 🔒 Security Scan Summary" > security-summary.md
echo "" >> security-summary.md
echo "Generated on: $(date)" >> security-summary.md
echo "" >> security-summary.md
echo "## Scan Results" >> security-summary.md
echo "" >> security-summary.md
# Check Bandit results
if [ -d "bandit-report-apps/coordinator-api/src" ]; then
echo "### Bandit Security Scan" >> security-summary.md
echo "- ✅ Completed for all directories" >> security-summary.md
echo "" >> security-summary.md
fi
# Check CodeQL results
echo "### CodeQL Analysis" >> security-summary.md
echo "- ✅ Completed for Python and JavaScript" >> security-summary.md
echo "" >> security-summary.md
# Check Dependency results
if [ -f "dependency-security-reports/safety-report.txt" ]; then
echo "### Dependency Security Scan" >> security-summary.md
echo "- ✅ Python dependencies scanned" >> security-summary.md
echo "- ✅ npm dependencies scanned" >> security-summary.md
echo "" >> security-summary.md
fi
echo "## Recommendations" >> security-summary.md
echo "1. Review any high-severity findings immediately" >> security-summary.md
echo "2. Update dependencies with known vulnerabilities" >> security-summary.md
echo "3. Address security best practice violations" >> security-summary.md
echo "4. Schedule regular security reviews" >> security-summary.md
- name: Upload security summary
uses: actions/upload-artifact@v7
with:
name: security-summary
path: security-summary.md
retention-days: 90
- name: Comment PR with security summary
if: github.event_name == 'pull_request'
uses: actions/github-script@v8
with:
script: |
const fs = require('fs');
try {
const summary = fs.readFileSync('security-summary.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: summary
});
} catch (error) {
console.log('Could not read security summary');
}