Skip to content
CI

CI #21

Sign in to view logs

CI

CI #21

Workflow file for this run

.github/workflows/ci.yml at cac8f47
# Copyright 2024 QuantCore Contributors
# SPDX-License-Identifier: Apache-2.0
name: CI
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
schedule:
# Nightly integration test run at 02:00 UTC
- cron: "0 2 * * *"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
PYTHON_VERSION: "3.11"
FORCE_COLOR: "1"
jobs:
# ==========================================================================
# Linting and Type Checking
# ==========================================================================
lint:
name: Lint & Type Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v3
with:
version: "latest"
- name: Set up Python
run: uv python install ${{ env.PYTHON_VERSION }}
- name: Install dependencies
run: uv sync --all-packages
- name: Run Ruff linter
run: uv run ruff check src/ tests/
- name: Run Ruff formatter check
run: uv run ruff format --check src/ tests/
- name: Run MyPy (critical path)
# Type-check the trading hot path: execution, risk, and kill switch.
# Broader codebase type coverage tracked in GitHub type-coverage label.
run: >
uv run mypy
src/quantstack/execution
--config-file pyproject.toml
# ==========================================================================
# Unit Tests (fast, in-memory DB, no external services)
# ==========================================================================
test:
name: Test (Python ${{ matrix.python-version }}, ${{ matrix.os }})
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
python-version: ["3.11", "3.12"]
exclude:
# Reduce matrix for faster CI — 3.11 on ubuntu is the primary target
- os: macos-latest
python-version: "3.11"
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v3
with:
version: "latest"
- name: Set up Python ${{ matrix.python-version }}
run: uv python install ${{ matrix.python-version }}
- name: Cache uv dependencies
uses: actions/cache@v4
with:
path: ~/.cache/uv
key: ${{ runner.os }}-uv-${{ matrix.python-version }}-${{ hashFiles('uv.lock') }}
restore-keys: |
${{ runner.os }}-uv-${{ matrix.python-version }}-
${{ runner.os }}-uv-
- name: Install dependencies
run: uv sync --all-packages --group dev
- name: Run unit tests with coverage
run: |
uv run pytest tests/ -v \
--cov=src/quantstack \
--cov-report=xml \
--cov-report=term-missing \
--cov-fail-under=60 \
-m "not slow and not integration and not requires_api and not requires_gpu"
- name: Upload coverage to Codecov
if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.11'
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.xml
# Fail CI if Codecov upload fails — prevents silently missing coverage
fail_ci_if_error: true
verbose: true
# ==========================================================================
# Integration Tests (nightly — hit in-memory DB, no external services)
# Run on schedule OR when triggered manually. Not required for PR merges.
# ==========================================================================
integration:
name: Integration Tests
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v3
with:
version: "latest"
- name: Set up Python
run: uv python install ${{ env.PYTHON_VERSION }}
- name: Install dependencies
run: uv sync --all-packages
- name: Run integration tests
run: |
uv run pytest tests/ -v \
--cov=src/quantstack \
--cov-report=term-missing \
-m "integration"
# ==========================================================================
# Security Scanning
# ==========================================================================
security:
name: Security Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v3
with:
version: "latest"
- name: Set up Python
run: uv python install ${{ env.PYTHON_VERSION }}
- name: Install security tools
run: uv tool install bandit
- name: Run Bandit security scan
# -lll = HIGH severity only.
run: uvx bandit -r src/ -lll
- name: Install dependencies for audit
run: uv sync --all-packages
- name: Run pip-audit
uses: pypa/gh-action-pip-audit@v1.1.0
with:
vulnerability-service: pypi
ignore-vulns: .pip-audit-known-vulnerabilities
- name: Generate SBOM
run: uv run cyclonedx-py environment --output sbom.json --output-format json
- name: Upload SBOM artifact
uses: actions/upload-artifact@v4
with:
name: sbom-${{ github.sha }}
path: sbom.json
retention-days: 90
# ==========================================================================
# Docker Image Build + Trivy Scan
# ==========================================================================
docker:
name: Docker Build & Scan
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- name: Build Docker image
run: docker build -t quantstack:${{ github.sha }} .
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@master
with:
image-ref: quantstack:${{ github.sha }}
format: "table"
exit-code: "1"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
# ==========================================================================
# All required checks pass (gate for merges)
# ==========================================================================
all-checks:
name: All Checks Pass
if: always()
needs: [lint, test, security]
runs-on: ubuntu-latest
steps:
- name: Check all required jobs passed
uses: re-actors/alls-green@release/v1
with:
# integration and docker are not required for PR merges
jobs: ${{ toJSON(needs) }}