feat(ci): add security workflow and wire into build pipeline #263
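---
# This workflow runs all code quality checks including linting, formatting, and type checking.
# It must pass before any other workflows (test, e2e-test, build) can run.
#
# Triggers: manual runs (workflow_dispatch), reuse from other workflows (workflow_call), and
# push / pull_request against main, filtered to the paths that influence the Python, Rust,
# Dockerfile or pre-commit checks. The path lists for push and pull_request are kept identical
# on purpose so a PR and its merge commit are gated by the same rules.
name: Code Quality

on:  # yamllint disable-line rule:truthy -- `on` is a YAML 1.1 boolean; GitHub's loader handles it
  workflow_dispatch:
  workflow_call:
  push:
    branches:
      - main
    paths:
      - "**/*.py"
      - "**/pyproject.toml"
      - "**/uv.lock"
      - "**/Dockerfile"
      - "extractor/**/*.rs"
      - "extractor/**/Cargo.toml"
      - ".github/workflows/code-quality.yml"
      - ".pre-commit-config.yaml"
  pull_request:
    branches:
      - main
    paths:
      - "**/*.py"
      - "**/pyproject.toml"
      - "**/uv.lock"
      - "**/Dockerfile"
      - "extractor/**/*.rs"
      - "extractor/**/Cargo.toml"
      - ".github/workflows/code-quality.yml"
      - ".pre-commit-config.yaml"

env:
  # Quoted so the value is unambiguously the string "true" for every tool that reads it,
  # rather than a YAML boolean that a strict loader would type differently.
  CI: "true"
  PYTHON_VERSION: "3.13"

# Least privilege for GITHUB_TOKEN: this job only reads the repository, no write scopes.
permissions:
  contents: read

jobs:
  code-quality:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # The repository name is passed through an env var so the workflow expression never
      # becomes part of the shell command text; the shell only sees a variable reference.
      # IMAGE_NAME is exported via GITHUB_ENV but is not read by any later step in this file.
      - name: ๐ท๏ธ Set lowercase image name
        id: image
        env:
          REPOSITORY: ${{ github.repository }}
        run: |
          echo "IMAGE_NAME=$(echo "$REPOSITORY" | tr "[:upper:]" "[:lower:]")" >> "$GITHUB_ENV"

      # Action refs: arkade-get below is pinned to a commit SHA; the remaining `uses:` refs are
      # mutable tags (v6, v5, stable). Pinning those to full SHAs as well would make each run
      # reproducible and independent of tag moves.
      - name: ๐ Checkout repository
        uses: actions/checkout@v6

      - name: ๐ง Setup Python and UV
        uses: ./.github/actions/setup-python-uv
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: ๐ง Setup Just
        uses: ./.github/actions/setup-just

      # Keyed on the pre-commit config hash; the v3 suffix is a manual cache-bust knob.
      - name: ๐พ Cache pre-commit
        uses: actions/cache@v5
        with:
          path: ~/.cache/pre-commit
          key: ${{ runner.os }}-pre-commit-v3-${{ hashFiles('.pre-commit-config.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pre-commit-v3-

      # Tools cache (arkade). The key carries no content hash, so the restored ~/.arkade is
      # reused until the v1 suffix is bumped; the trailing `-tools-` restore key also matches
      # any other `${{ runner.os }}-tools-*` cache, so a bump should change the prefix as well.
      - name: ๐พ Cache tools
        uses: actions/cache@v5
        with:
          path: ~/.arkade
          key: ${{ runner.os }}-tools-arkade-v1
          restore-keys: |
            ${{ runner.os }}-tools-arkade-
            ${{ runner.os }}-tools-

      # `latest` resolves to whatever hadolint release is current when the cache is cold and is
      # then served from the cache above; pin a version for reproducible lint results.
      - name: ๐ง Install arkade
        uses: alexellis/arkade-get@1eef818e467c387d3f50cfe0d2c565d1cbe82b03 # master
        with:
          hadolint: latest

      - name: ๐ฆ Setup Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy

      # ~/.cargo/bin/ is restored as well, so cached binaries persist across runs until the
      # Cargo.lock hash changes.
      - name: ๐พ Cache Rust dependencies
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            extractor/target/
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-

      - name: ๐ฆ Install dependencies
        run: |
          just install
          # Install workspace packages
          uv pip install -e api
          uv pip install -e common
          uv pip install -e curator
          uv pip install -e dashboard
          uv pip install -e explore

      - name: ๐งช Run pre-commit hooks
        run: |
          just lint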