diff --git a/.github/workflows/agentops-fleet.yml b/.github/workflows/agentops-fleet.yml
new file mode 100644
index 0000000..3088da4
--- /dev/null
+++ b/.github/workflows/agentops-fleet.yml
@@ -0,0 +1,22 @@
+name: AgentOps Fleet Gate
+
+on:
+ push:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ - cron: '31 8 * * 1'
+
+permissions:
+ contents: read
+ actions: read
+ security-events: write
+ pull-requests: read
+
+jobs:
+ agentops:
+ uses: donny-devops/github-actions-templates/.github/workflows/reusable-agentops.yml@main
+ with:
+ python-version: '3.12'
+ node-version: '22'
+ run-security-audit: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64eb9a5..f29fe95 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,36 +6,25 @@ on: pull_request: branches: [main] -env: - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true - -permissions: - contents: read - jobs: lint: name: Lint (ruff) runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - - uses: actions/setup-python@v5 + - uses: actions/setup-python@v6 with: python-version: "3.12" cache: pip - - run: pip install ruff - - - name: Lint with ruff - run: ruff check . --output-format=github - - - name: Format check with ruff - run: ruff format --check . + - run: ruff check . --output-format=github + - run: ruff format --check . test: name: Test (pytest + PostgreSQL) runs-on: ubuntu-latest needs: lint + services: postgres: image: postgres:16-alpine
@@ -50,13 +39,15 @@ jobs: --health-retries 5 ports: - 5432:5432 + env: DATABASE_URL: postgresql://testuser:testpass@localhost:5432/testdb SECRET_KEY: test-secret + steps: - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@v6 with: python-version: "3.12" cache: pip 
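Review bot: The reusable workflow on the `uses:` line of the `agentops` job is pinned to the mutable `@main` ref of `donny-devops/github-actions-templates`, so whoever can push to that branch decides what this job executes with the caller's `security-events: write` and `actions: read` token on every push, every pull request and the weekly schedule. Pin it to a full commit SHA and keep the branch name as a trailing comment for readability, e.g. `uses: donny-devops/github-actions-templates/.github/workflows/reusable-agentops.yml@<commit-sha>  # main`, and let a dependency-update bot move the SHA. Separately, `push:` carries no branch filter while `pull_request:` is also enabled, so each commit on a PR branch runs the gate twice; unless both runs are wanted, a `branches:` filter under `push:` avoids the duplicate.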
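Review bot: Removing the workflow-level `permissions:` block (`contents: read`) in the `@@ -6,36 +6,25 @@` hunk leaves the `lint` and `test` jobs with no `permissions:` of their own as far as the hunks show, so their `GITHUB_TOKEN` falls back to the repository default, which can be read/write on every scope; only the `docker` job still declares its own. Keep the top-level block, `permissions:` followed by `  contents: read`, since the `docker` job already overrides it where it needs more. The same hunk also deletes `- run: pip install ruff` while keeping the new `- run: ruff check . --output-format=github` and `- run: ruff format --check .` steps, and nothing else visible in the lint job installs ruff, so the job will fail unless the tool is provisioned somewhere outside the diff; restore the install line, preferably pinned, e.g. `- run: pip install ruff==<pinned-version>`.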
@@ -67,37 +58,38 @@ jobs: pip install -r requirements.txt - name: Run migrations - run: flask db upgrade + run: | + flask db upgrade env: FLASK_APP: "app:create_app()" - name: Run pytest - run: pytest --cov=app --cov-report=xml --cov-fail-under=85 -v + run: | + pytest --cov=app --cov-report=xml --cov-fail-under=85 -v - name: Upload coverage - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: coverage-report path: coverage.xml - retention-days: 7 docker: name: Build & Push Docker Image runs-on: ubuntu-latest needs: test + if: github.event_name == 'push' && github.ref == 'refs/heads/main' permissions: contents: read packages: write - security-events: write - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }}
@@ -105,7 +97,7 @@ jobs: - name: Extract metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@v6 with: images: ghcr.io/${{ github.repository }} tags: |
@@ -113,27 +105,10 @@ jobs: type=raw,value=latest - name: Build and push - id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} cache-from: type=gha cache-to: type=gha,mode=max - provenance: true - sbom: true - - - name: Trivy image scan - uses: aquasecurity/trivy-action@master - with: - image-ref: ghcr.io/${{ github.repository }}:latest - format: sarif - output: trivy.sarif - severity: HIGH,CRITICAL - exit-code: '0' - - - name: Upload Trivy results - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: trivy.sarif
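Review bot: Dropping `retention-days: 7` from the `Upload coverage` step in the `@@ -67,37 +58,38 @@` hunk silently changes the coverage artifact's lifetime to the repository default; if the short retention is still wanted, keep `retention-days: 7` under `with:`, otherwise a one-line comment on the step saying why the default is now preferred would help the next reader. The rewrite of `run: flask db upgrade` and the pytest command into `run: |` block scalars adds lines without adding content; for a single command the plain `run:` form reads better, and a block scalar only earns its place once a step runs several commands. The enclosing `test` job starts before this hunk and the `docker` job continues after it.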
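Review bot: The `Build and push` step in the `@@ -113,27 +105,10 @@` hunk still publishes to GHCR with `push: true`, but `provenance: true` and `sbom: true` are removed together with the Trivy scan and its SARIF upload, so the pushed image no longer carries provenance or SBOM attestations and nothing in this diff examines it; the new `agentops-fleet.yml` workflow sets `run-security-audit: true`, but it is a separate workflow triggered on push and PR, and nothing on this page shows it looking at the built image. Keep `provenance: true` and `sbom: true` under `with:`, since they do not depend on the scanner, and either keep an image scan after the push or record in a comment on the step where image scanning now happens. The removed scan ran with `exit-code: '0'`, so it never gated the pipeline; if it is reinstated, pin it to a release tag or commit SHA rather than `@master` and decide at the same time whether HIGH/CRITICAL findings should fail the job. Removing `id: build` is fine provided no later step read `steps.build.outputs`; the file appears to end with this hunk, so none is visible.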