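---
name: CI

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it, so only the linter needs telling.
on:  # yamllint disable-line rule:truthy
  # Both push and pull_request events trigger CI so the committed source is always checked.
  # For the push event, it only runs building and testing.
  push:
    branches:
      - "master"
      - "!**e2e"
      - "!e2e**"
    paths:
      # GitHub Actions workflows
      - ".github/workflows/ci.yaml"
      - ".github/workflows/rw_build_and_test.yaml"
      - ".github/workflows/rw_run_all_test_and_record.yaml"
      # Source code and tests
      - "agent_assembly/**/*.py"
      - "!**/__pkg_info__.py"
      - "test/**/*.py"
      # Shell script used by CI
      - "scripts/run_all_tests.sh"
      # Test / CI configuration
      - ".coveragerc"
      - "codecov.yml"
      - "pytest.ini"
      - "sonar-project.properties"
      # Python project configuration
      - "pyproject.toml"
      - "uv.lock"
  # For the pull_request event, in addition to build and test, the run also triggers the
  # reporting services, i.e. recording the test report in CodeCov and checking code quality
  # in SonarQube.
  pull_request:
    branches:
      - "master"
      - "!**e2e"
      - "!e2e**"
    paths:
      # GitHub Actions workflows
      - ".github/workflows/ci.yaml"
      - ".github/workflows/rw_build_and_test.yaml"
      - ".github/workflows/rw_run_all_test_and_record.yaml"
      # Source code and tests
      - "agent_assembly/**/*.py"
      - "!**/__pkg_info__.py"
      - "test/**/*.py"
      # Shell script used by CI
      - "scripts/run_all_tests.sh"
      # Test / CI configuration
      - ".coveragerc"
      - "codecov.yml"
      - "pytest.ini"
      - "sonar-project.properties"
      # Python project configuration
      - "pyproject.toml"
      - "uv.lock"

# One run per workflow+ref; a newer run for the same ref cancels the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# AAASM-3993: least-privilege default token — this workflow only checks out and
# runs tests/builds; no job pushes, comments, or deploys.
permissions:
  contents: read

jobs:
  build-and-test_all:
    # name: Run all tests and organize all test reports
    uses: ./.github/workflows/rw_run_all_test_and_record.yaml
    with:
      # PRs run ubuntu-only to trim the 4-OS matrix; push/scheduled/release keep the full list.
      operating-systems: >-
        ${{ github.event_name == 'pull_request'
        && '["ubuntu-latest"]'
        || '["ubuntu-latest", "ubuntu-22.04", "macos-latest", "macos-14"]' }}
    secrets:
      codecov_token: ${{ secrets.CODECOV_TOKEN }}
      sonar_token: ${{ secrets.SONAR_TOKEN }}

  # AAASM-3612: advisory gate. Fail CI when a (possibly transitive) dependency
  # in the locked set carries a known advisory, so a poisoned dep cannot ride
  # into a release through uv.lock. The locked set is exported from uv.lock to a
  # fully pinned requirements file, which pip-audit checks against the PyPI
  # Advisory + OSV databases; a non-empty result exits non-zero and fails the job.
  dependency-audit:
    name: Dependency advisory audit (pip-audit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7
      - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1  # v6
        with:
          python-version: "3.12"
      - name: Install uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39  # v8.2.0
      - name: Export the locked dependency set
        # `--frozen` forbids any lock refresh, so the audited set is exactly the
        # committed uv.lock. `--no-emit-project` leaves the (unpinned) project
        # itself out of the file, which `pip-audit --no-deps` would otherwise reject.
        run: uv export --frozen --format requirements-txt --no-emit-project -o requirements-audit.txt
      - name: Run pip-audit advisory gate
        # `uvx` runs pip-audit inside its own isolated tool environment, so
        # pip-audit's default "audit the current environment" mode would scan
        # that tool venv, not the project's locked dependencies. Passing the
        # exported requirements file via `-r` makes uv.lock the audit target.
        # `--no-deps --disable-pip`: every exported line is an exact pin, so no
        # resolution is needed and pip does not have to exist in the tool venv.
        #
        # Documented allowlist for advisories with NO available fix, mirroring
        # go-sdk's KNOWN_UNFIXED. Add an entry ONLY when there is no fixed
        # release, with a dated rationale, in the form:
        #   --ignore-vuln GHSA-xxxx-xxxx-xxxx # <date> <reason; awaiting fix>
        # The list starts empty: every known-vuln dependency fails the gate.
        run: |
          set -euo pipefail
          uvx pip-audit \
            --strict \
            --desc \
            --no-deps \
            --disable-pip \
            -r requirements-audit.txt
          # To allowlist an unfixable advisory, add the flag as the final argument
          # of the command above (keep the line-continuation backslashes intact), e.g.:
          #   --ignore-vuln GHSA-xxxx-xxxx-xxxx # 2026-06-23 no fixed release yet

  # AAASM-4034: dedicated leg that installs `langchain-core` (the non-default
  # `langchain-test` group) so the AAASM-4014 `__getattr__` is exercised against
  # the REAL `langchain_core.callbacks.BaseCallbackHandler`. The main test matrix
  # deliberately stays langchain-free — installing it there would swap the base
  # class under the whole suite — so the `importorskip`-guarded contract test only
  # runs here. Kept as a focused single-file run so it cannot slow the main gate.
  langchain-contract-test:
    name: LangChain-installed __getattr__ contract test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7
      - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1  # v6
        with:
          python-version: "3.13"
      - name: Install uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39  # v8.2.0
      - name: Sync locked environment with the langchain-test group
        run: uv sync --frozen --group langchain-test
      - name: Run the langchain-installed callback contract test
        run: >-
          uv run python -m pytest
          test/unit/adapters/langchain/test_getattr_contract_with_langchain.py
          -v

  # Single aggregate required check. Collapses the reusable-workflow fan-out into one
  # stable status so branch protection needs only this check, and it still reports a
  # result (success on skip) instead of staying pending when path filters skip the
  # underlying test jobs.
  ci-success:
    name: CI Success
    needs:
      - build-and-test_all
      - dependency-audit
      - langchain-contract-test
    # Run even when an upstream job failed/was skipped so the aggregate status is always reported.
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Verify upstream jobs did not fail or get cancelled
        # `skipped` is accepted on purpose: a path-filtered or conditionally skipped
        # upstream job must not turn the aggregate red.
        run: |
          test_result="${{ needs.build-and-test_all.result }}"
          audit_result="${{ needs.dependency-audit.result }}"
          langchain_result="${{ needs.langchain-contract-test.result }}"
          echo "build-and-test_all result: ${test_result}"
          echo "dependency-audit result: ${audit_result}"
          echo "langchain-contract-test result: ${langchain_result}"
          for result in "${test_result}" "${audit_result}" "${langchain_result}"; do
            if [ "${result}" = "failure" ] || [ "${result}" = "cancelled" ]; then
              echo "::error::CI failed: build-and-test_all=${test_result} dependency-audit=${audit_result} langchain-contract-test=${langchain_result}"
              exit 1
            fi
          done
          echo "CI Success: all required upstream jobs passed or were skipped."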