ci: gate publish on tests, add Trivy scanning, docs deploy, and Codecov

Zie619 · claude · Zie619 · commit c4fea79bfe2d · 2026-02-14T19:14:58.000+02:00
TRU-342: Add test job as gate before PyPI publish in publish.yml
TRU-343: Add Trivy vulnerability scanning to docker.yml (build→scan→push)
TRU-344: Add docs.yml for auto-deploying mkdocs to GitHub Pages
TRU-345: Add Codecov upload to ci.yml, replace static badge in README

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -74,6 +74,15 @@ jobs:
         run: |
           coverage report --fail-under=80
 
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.12'
+        uses: codecov/codecov-action@v5
+        with:
+          files: coverage.xml
+          flags: ai-bom
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false
+
   security:
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -9,23 +9,17 @@ on:
 permissions:
   contents: read
   packages: write
+  security-events: write
 
 jobs:
-  build-and-push:
+  build-scan-push:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Extract metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -36,7 +30,47 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=raw,value=latest
 
-      - name: Build and push
+      - name: Build image (local)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          load: true
+          tags: ghcr.io/${{ github.repository }}:scan
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:scan
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          exit-code: 1
+        continue-on-error: true
+        id: trivy
+
+      - name: Upload Trivy SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy
+
+      - name: Fail on critical vulnerabilities
+        if: steps.trivy.outcome == 'failure'
+        run: |
+          echo "::error::Trivy found CRITICAL or HIGH vulnerabilities"
+          exit 1
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push image
         uses: docker/build-push-action@v6
         with:
           context: .
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -0,0 +1,34 @@
+name: Documentation
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - '.github/workflows/docs.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  deploy:
+    name: Deploy docs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install -e ".[docs]"
+
+      - name: Deploy to GitHub Pages
+        run: mkdocs gh-deploy --force
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -12,7 +12,29 @@ permissions:
   contents: read
 
 jobs:
+  test:
+    name: Test before publish
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Lint
+        run: ruff check src/ tests/
+
+      - name: Run tests with coverage
+        run: pytest -v --cov=ai_bom --cov-report=term-missing --cov-fail-under=80
+
   publish:
+    needs: [test]
     runs-on: ubuntu-latest
     environment: pypi
 
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@
     <img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License" />
     <img src="https://img.shields.io/badge/CycloneDX-1.6-green.svg" alt="CycloneDX 1.6" />
     <img src="https://img.shields.io/badge/tests-651%20passing-brightgreen.svg" alt="Tests" />
-    <img src="https://img.shields.io/badge/coverage-81%25-brightgreen.svg" alt="Coverage" />
+    <a href="https://codecov.io/gh/Trusera/ai-bom"><img src="https://codecov.io/gh/Trusera/ai-bom/graph/badge.svg" alt="Coverage" /></a>
     <img src="https://img.shields.io/badge/PRs-welcome-orange.svg" alt="PRs Welcome" />
   </p>
   <h2 align="center">🎬 Demo</h2>
