fix: harden renderer defaults and add audit regression coverage #12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| lint: | |
| name: Lint and Type Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup tools with mise | |
| uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 | |
| with: | |
| install: true | |
| cache: true | |
| - name: Setup project | |
| run: just ci-setup | |
| - name: Run all checks | |
| run: just check | |
| rust-lint: | |
| name: Rust Lint (clippy) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Rust cache | |
| uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 | |
| with: | |
| workspaces: rust | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable | |
| with: | |
| toolchain: 1.94.1 | |
| components: clippy | |
| - name: Run clippy | |
| run: cd rust && cargo clippy --locked --all-targets --all-features -- -D warnings | |
| test: | |
| name: Run Unit Tests | |
| runs-on: ubuntu-latest | |
| needs: [lint] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup tools with mise | |
| uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 | |
| with: | |
| install: true | |
| cache: true | |
| - name: Setup project | |
| run: just ci-setup | |
| - name: Run unit tests | |
| run: just test-unit | |
| - name: Upload coverage | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 | |
| with: | |
| name: coverage-report | |
| path: .coverage | |
| retention-days: 7 | |
| if: always() | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup tools with mise | |
| uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 | |
| with: | |
| install: true | |
| cache: true | |
| - name: Setup project | |
| run: just ci-setup | |
| - name: Scan locked Python environment | |
| run: uv run --frozen --with pip-audit pip-audit | |
| build-binary: | |
| name: Build binary ${{ matrix.platform }} | |
| runs-on: ${{ matrix.os }} | |
| needs: [lint, rust-lint] | |
| timeout-minutes: 30 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| platform: linux-x64 | |
| - os: ubuntu-24.04-arm | |
| platform: linux-arm64 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Install system dependencies (Linux) | |
| if: runner.os == 'Linux' | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libcurl4-openssl-dev pkg-config | |
| - name: Setup Rust cache | |
| uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 | |
| with: | |
| workspaces: rust | |
| cache-directories: | | |
| ~/.cargo | |
| - name: Setup tools with mise | |
| uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 | |
| with: | |
| install: true | |
| cache: true | |
| - name: Build binary | |
| run: just ci-build-binary ${{ matrix.platform }} | |
| - name: Upload binary | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 | |
| with: | |
| name: binary-${{ matrix.platform }} | |
| path: mlnative/bin/* | |
| smoke-test: | |
| name: Smoke Test | |
| runs-on: ubuntu-latest | |
| needs: build-binary | |
| timeout-minutes: 5 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Install system dependencies (runtime) | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| mesa-vulkan-drivers \ | |
| libcurl4 \ | |
| libglfw3 \ | |
| libuv1 \ | |
| zlib1g | |
| - name: Setup tools with mise | |
| uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 | |
| with: | |
| install: true | |
| cache: true | |
| - name: Setup project | |
| run: just ci-setup | |
| - name: Download binary | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: binary-linux-x64 | |
| path: mlnative/bin/ | |
| - name: Fix binary permissions | |
| run: chmod +x mlnative/bin/mlnative-render-linux-x64 | |
| - name: Run smoke test | |
| run: | | |
| uv run python -c " | |
| from mlnative import Map | |
| with Map(256, 256) as m: | |
| png = m.render(center=[0, 0], zoom=1) | |
| assert len(png) > 1000, 'PNG too small' | |
| assert png[:4] == b'\\x89PNG', 'Invalid PNG header' | |
| print('Smoke test passed!') | |
| " | |
| integration-test: | |
| name: Integration Tests | |
| runs-on: ubuntu-latest | |
| needs: build-binary | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Install system dependencies (runtime) | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| mesa-vulkan-drivers \ | |
| libcurl4 \ | |
| libglfw3 \ | |
| libuv1 \ | |
| zlib1g | |
| - name: Setup tools with mise | |
| uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 | |
| with: | |
| install: true | |
| cache: true | |
| - name: Setup project | |
| run: just ci-setup | |
| - name: Download binary | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | |
| with: | |
| name: binary-linux-x64 | |
| path: mlnative/bin/ | |
| - name: Fix binary permissions | |
| run: chmod +x mlnative/bin/mlnative-render-linux-x64 | |
| - name: Run integration tests | |
| run: uv run python -m pytest tests/ -v -m "integration" --tb=short |