Add Semgrep CI #36
| name: Test Suite | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| # PR tests handled by pr-ci.yml to avoid duplicate runs | |
| permissions: | |
| contents: write # Allow pushing auto-fixes | |
| env: | |
| AUDIO_TEST_MODE: 1 # Enable mock provider for CI | |
| UV_VERSION: '0.5.11' # Pin UV version for consistency | |
| PYTHON_VERSION_DEFAULT: '3.11' | |
| jobs: | |
| auto-fix: | |
| name: Auto-fix Linting & Formatting | |
| runs-on: ubuntu-latest | |
| # Only auto-fix on push to main/develop, not on PRs (to avoid conflicts) | |
| if: github.event_name == 'push' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| version: ${{ env.UV_VERSION }} | |
| enable-cache: true | |
| - name: Install dependencies | |
| run: uv sync --locked --all-extras --dev | |
| - name: Auto-fix with ruff | |
| run: | | |
| uv run ruff check src tests --fix || true | |
| uv run ruff format src tests || true | |
| - name: Auto-format with black | |
| run: uv run black src tests || true | |
| - name: Commit and push fixes | |
| run: | | |
| git config --local user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --local user.name "github-actions[bot]" | |
| git add -A | |
| git diff --staged --quiet || git commit -m "style: auto-fix linting and formatting [skip ci]" | |
| git push || true | |
| unit-tests: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| needs: [auto-fix] | |
| if: always() # Run even if auto-fix was skipped (PRs) | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: ["3.11", "3.12"] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} # Get latest including auto-fixes | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| version: ${{ env.UV_VERSION }} | |
| enable-cache: true | |
| cache-dependency-glob: "uv.lock" | |
| - name: Debug environment | |
| run: | | |
| uv --version | |
| python --version | |
| which python | |
| echo "UV cache location: $(uv cache dir)" | |
| - name: Install dependencies | |
| run: | | |
| # Try to sync with lock, fall back if needed | |
| uv sync --locked --all-extras --dev || { | |
| echo "::warning::Lock file sync failed, regenerating..." | |
| uv lock | |
| uv sync --locked --all-extras --dev | |
| } | |
| - name: Run unit tests | |
| run: | | |
| # Run default test profile (excludes e2e, integration, etc.) | |
| uv run pytest --tb=short --cov=src --cov-report=xml | |
| - name: Upload coverage | |
| if: matrix.python-version == '3.12' | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./coverage.xml | |
| fail_ci_if_error: false | |
| integration-tests: | |
| name: Integration Tests | |
| runs-on: ubuntu-latest | |
| # Only run integration tests on push to main/develop, not on PRs | |
| # PRs use pr-ci.yml which runs fast unit tests only | |
| if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| enable-cache: true | |
| - name: Install FFmpeg | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y ffmpeg | |
| - name: Install dependencies | |
| run: | | |
| uv sync --locked --all-extras --dev | |
| - name: Run integration tests | |
| run: | | |
| uv run pytest -m integration --tb=short | |
| static-analysis: | |
| name: Static Analysis | |
| runs-on: ubuntu-latest | |
| needs: [auto-fix] | |
| if: always() | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} # Get latest including auto-fixes | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| enable-cache: true | |
| - name: Install dependencies | |
| run: | | |
| uv sync --locked --all-extras --dev | |
| - name: Run linting (verify only) | |
| run: | | |
| uv run ruff check src tests || echo "::warning::Linting issues found (auto-fix should handle these)" | |
| - name: Check formatting (verify only) | |
| run: | | |
| uv run black --check src tests || echo "::warning::Formatting issues found (auto-fix should handle these)" | |
| - name: Security scan | |
| run: | | |
| uv run bandit -r src -ll | |
| - name: Check import layers | |
| run: | | |
| uv run lint-imports | |
| e2e-tests: | |
| name: E2E Tests (Optional) | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| enable-cache: true | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y ffmpeg | |
| - name: Install dependencies | |
| run: | | |
| uv sync --locked --all-extras --dev | |
| - name: Run E2E tests | |
| env: | |
| RUN_E2E: 1 | |
| run: | | |
| uv run pytest -m e2e --tb=short | |
| continue-on-error: true # Don't fail the build for E2E tests | |
| benchmark-tests: | |
| name: Performance Benchmarks | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Set up uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| enable-cache: true | |
| - name: Install dependencies | |
| run: | | |
| uv sync --locked --all-extras --dev | |
| - name: Run benchmarks | |
| run: | | |
| uv run pytest -m benchmark --tb=short | |
| continue-on-error: true # Don't fail the build for benchmarks |
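Review bot: The workflow-level `permissions: contents: write` hands a write-capable GITHUB_TOKEN to every job, although only `auto-fix` pushes; the unit, integration, static-analysis, e2e and benchmark jobs only read the repository while running third-party actions and the test suite. Set the top-level block to `permissions: {contents: read}` and add `permissions: {contents: write}` under `auto-fix:` so the other jobs cannot modify the repository. The unit-tests install step falls back to `uv lock` when `uv sync --locked` fails, which re-resolves dependencies in CI and tests against a lockfile that is not the committed `uv.lock`, while every other job fails on a stale lock; dropping the fallback (or turning the `::warning::` into an error) keeps the runs reproducible. The auto-fix commit carries `[skip ci]`, so the reformatted code that lands on main is never tested by this workflow, and the `git diff --staged --quiet` guard already prevents a commit loop, so the marker can probably go. Third-party actions (`astral-sh/setup-uv@v7`, `codecov/codecov-action@v4`) are pinned by major tag only; pinning to a full commit SHA with a version comment (e.g. `uses: astral-sh/setup-uv@<commit-sha> # v7`, SHA to be filled in) is the usual supply-chain hardening.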