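name: Dex CI

# Runs on every push and on every pull_request event. A PR opened from a branch
# in this repository therefore triggers the quality job twice (once per event);
# the pull_request-only gates below are what make the second run worthwhile.
on: [push, pull_request]

# Least privilege for the workflow token: every job gets a read-only
# GITHUB_TOKEN unless it raises its own scope (build-release does, because it
# pushes the release branch). Without this block the token falls back to the
# repository default, which may be read/write, and the quality job runs scripts
# taken straight from the pull request under that token.
# NOTE(review): if any check script reads PR metadata through GITHUB_TOKEN,
# grant that job `pull-requests: read` rather than widening this default.
permissions:
  contents: read

jobs:
  quality:
    runs-on: macos-latest
    env:
      VAULT_PATH: core/tests/fixtures/vault
      # Quoted so the thresholds reach the shell as strings, not YAML integers.
      COVERAGE_MIN_TOTAL: "15"
      COVERAGE_MIN_TOUCHED: "10"
    steps:
      # NOTE(review): every action below is pinned to a floating major tag.
      # Pinning to a full commit SHA (with the tag kept in a trailing comment)
      # is the supply-chain-hardened form; the tag can be moved by the action
      # owner or a compromised publisher.
      - uses: actions/checkout@v4
        with:
          # Full history is needed by the diff-aware and governance gates,
          # which compare the PR against its base.
          fetch-depth: 0
          # NOTE(review): nothing in this job pushes, so `persist-credentials:
          # false` would keep the token out of .git/config while PR-supplied
          # scripts run - confirm no check script needs an authenticated fetch.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install Python dependencies
        # NOTE(review): unpinned installs; a requirements/constraints file with
        # pinned versions (ideally hashes) makes this reproducible and closes the
        # window for a newly published malicious release to land in CI.
        run: |
          pip install pytest pytest-cov ruff
          pip install mcp pyyaml python-dateutil requests
      - run: npm ci
      - name: Ensure policy scripts are executable
        # The steps below invoke these via `bash`/`python`, so the mode bit
        # only matters for scripts that exec one another directly.
        run: chmod +x scripts/check-*.sh scripts/check-coverage-threshold.py scripts/check-path-contract-usage.sh scripts/security-gate.sh scripts/benchmark_large_vault.py
      - name: Hook harness tests
        run: npm run test:hooks
      # The four gates below only make sense against a base branch, so they are
      # limited to pull_request events.
      - name: PR governance check
        if: github.event_name == 'pull_request'
        run: bash scripts/check-pr-governance.sh
      - name: Diff-aware test gate
        if: github.event_name == 'pull_request'
        run: bash scripts/check-test-delta.sh
      - name: Path-contract usage gate
        if: github.event_name == 'pull_request'
        run: bash scripts/check-path-contract-usage.sh
      - name: Documentation drift gate
        if: github.event_name == 'pull_request'
        run: bash scripts/check-doc-drift.sh
      - name: Create vault directories
        # Materialise every `*_DIR` Path exported by core.paths so the test
        # fixtures under VAULT_PATH have somewhere to live.
        run: python -c "from core import paths; from pathlib import Path; [getattr(paths, n).mkdir(parents=True, exist_ok=True) for n in dir(paths) if n.endswith('_DIR') and isinstance(getattr(paths, n), Path)]"
      - name: Generate paths.json
        run: python core/paths.py
      - name: Test suites + coverage
        # Fails the job when total coverage drops below COVERAGE_MIN_TOTAL;
        # coverage.json feeds the touched-file gate on PRs.
        run: pytest core/tests/ core/mcp/tests/ core/migrations/tests/ -v --cov=core --cov-report=term --cov-report=json:coverage.json --cov-fail-under="${COVERAGE_MIN_TOTAL}"
      - name: Touched-file coverage gate
        if: github.event_name == 'pull_request'
        run: python scripts/check-coverage-threshold.py
      - name: Large-vault performance budget
        run: python scripts/benchmark_large_vault.py --files 1500 --budget-seconds 5.0
      - name: Security gate
        run: bash scripts/security-gate.sh
      - name: Ruff linting
        run: ruff check core/
      - name: Distribution safety check
        run: bash scripts/verify-distribution.sh
      - name: Path consistency check
        run: bash scripts/check-path-consistency.sh

  build-release:
    needs: quality
    # Only pushes to main (never pull_request runs, which may carry fork code)
    # are allowed to rebuild and publish the release branch.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    runs-on: macos-latest
    # Serialise release builds: two overlapping runs would each force-push
    # `release`, and the one finishing last - not the newest commit - would win.
    concurrency:
      group: build-release
      cancel-in-progress: false
    # The only job that needs a writable token, and only for the branch push.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - name: Configure git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
      - name: Build release branch
        run: bash scripts/build-release.sh
      - name: Push release branch
        # Force-push is intentional: the build script regenerates `release`
        # rather than appending to it.
        # NOTE(review): branch protection on `release` should still block
        # force-pushes from anything other than this workflow's token.
        run: git push origin release --force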