oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity

chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

Browse Source 
- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration
- Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage
- Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
This commit is contained in:
oib
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
Download Patch File Download Diff File Expand all files Collapse all files

391
.github/workflows/comprehensive-tests.yml vendored Normal file
View File

@@ -0,0 +1,391 @@
name: Comprehensive Tests
on:
push:
branches: ["main", "develop"]
pull_request:
branches: ["main", "develop"]
schedule:
# Run comprehensive tests daily at 3 AM UTC
- cron: '0 3 * * *'
jobs:
# Unit tests - fast, isolated tests
unit-tests:
runs-on: ubuntu-latest
name: Unit Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run unit tests
run: |
python -m pytest -m "unit and not slow" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: unit
name: unit-tests
# Integration tests - may require external services
integration-tests:
runs-on: ubuntu-latest
name: Integration Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install fastapi uvicorn sqlmodel pydantic-settings aiosqlite
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run integration tests
run: |
python -m pytest -m "integration and not slow" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
env:
DATABASE_URL: sqlite:///./test_coordinator.db
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: integration
name: integration-tests
# CLI-specific tests
cli-tests:
runs-on: ubuntu-latest
name: CLI Tests
strategy:
matrix:
python-version: ['3.11', '3.12', '3.13']
fail-fast: false
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install fastapi uvicorn sqlmodel pydantic-settings aiosqlite slowapi orjson prometheus-client
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run CLI tests
run: |
python -m pytest tests/cli/ -m "cli" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: cli
name: cli-tests
# API tests
api-tests:
runs-on: ubuntu-latest
name: API Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install fastapi uvicorn sqlmodel pydantic-settings aiosqlite
pip install pytest pytest-cov pytest-asyncio pytest-mock httpx
- name: Run API tests
run: |
python -m pytest -m "api" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
env:
DATABASE_URL: sqlite:///./test_coordinator.db
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: api
name: api-tests
# Blockchain tests
blockchain-tests:
runs-on: ubuntu-latest
name: Blockchain Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run blockchain tests
run: |
python -m pytest -m "blockchain" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: blockchain
name: blockchain-tests
# Slow tests - run separately
slow-tests:
runs-on: ubuntu-latest
name: Slow Tests
if: github.event_name != 'pull_request' # Don't run on PRs to save time
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock
- name: Run slow tests
run: |
python -m pytest -m "slow" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: slow
name: slow-tests
# Performance tests
performance-tests:
runs-on: ubuntu-latest
name: Performance Tests
if: github.event_name != 'pull_request' # Don't run on PRs to save time
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock pytest-benchmark
- name: Run performance tests
run: |
python -m pytest -m "performance" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml --benchmark-only
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: performance
name: performance-tests
# Security tests
security-tests:
runs-on: ubuntu-latest
name: Security Tests
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
cache: 'pip'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e .
pip install -e packages/py/aitbc-crypto
pip install pytest pytest-cov pytest-asyncio pytest-mock bandit safety
- name: Run security tests
run: |
python -m pytest -m "security" --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
- name: Run Bandit security scan
run: |
bandit -r . -f json -o bandit-report.json || true
bandit -r . -f txt -o bandit-report.txt || true
- name: Run Safety dependency check
run: |
safety check --json --output safety-report.json || true
safety check || true
- name: Upload security reports
uses: actions/upload-artifact@v4
with:
name: security-reports
path: |
bandit-report.json
bandit-report.txt
safety-report.json
retention-days: 30
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
file: ./coverage.xml
flags: security
name: security-tests
# Test summary and coverage aggregation
test-summary:
runs-on: ubuntu-latest
name: Test Summary
needs: [unit-tests, integration-tests, cli-tests, api-tests, blockchain-tests]
if: always()
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download all coverage reports
uses: actions/download-artifact@v4
with:
pattern: "*-coverage-report"
merge-multiple: true
- name: Generate test summary
run: |
echo "# 🧪 Test Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Test Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Unit tests
if [ "${{ needs.unit-tests.result }}" == "success" ]; then
echo "✅ **Unit Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Unit Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
# Integration tests
if [ "${{ needs.integration-tests.result }}" == "success" ]; then
echo "✅ **Integration Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Integration Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
# CLI tests
if [ "${{ needs.cli-tests.result }}" == "success" ]; then
echo "✅ **CLI Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **CLI Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
# API tests
if [ "${{ needs.api-tests.result }}" == "success" ]; then
echo "✅ **API Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **API Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
# Blockchain tests
if [ "${{ needs.blockchain-tests.result }}" == "success" ]; then
echo "✅ **Blockchain Tests**: Passed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ **Blockchain Tests**: Failed" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Test Configuration" >> $GITHUB_STEP_SUMMARY
echo "- **Python Version**: 3.13 (standardized)" >> $GITHUB_STEP_SUMMARY
echo "- **Test Framework**: pytest with pyproject.toml configuration" >> $GITHUB_STEP_SUMMARY
echo "- **Coverage**: All test suites with coverage reporting" >> $GITHUB_STEP_SUMMARY
echo "- **Markers**: unit, integration, cli, api, blockchain, slow, performance, security" >> $GITHUB_STEP_SUMMARY
- name: Comment PR with test results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
// Read the summary
const summary = fs.readFileSync(process.env.GITHUB_STEP_SUMMARY, 'utf8');
// Create PR comment
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: summary
});