fix: sanitize subprocess call in llm.py #1841
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: ["v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "main"] | |
| pull_request: | |
| branches: ["v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "main"] | |
| workflow_dispatch: | |
| jobs: | |
| skillgen-check: | |
| # Fast lint-style guard: the skill files under graphify/ are generated from | |
| # the fragments in tools/skillgen/. This fails if someone hand-edited a | |
| # generated file or forgot to re-run the generator and bless expected/, and it | |
| # runs the build-time validators that guard per-host coverage, the file_type | |
| # enum, the monolith round-trips, and the always-on round-trips. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| # The audit-coverage, monolith-roundtrip, and always-on-roundtrip | |
| # validators read blobs from origin/v8. A shallow checkout omits that | |
| # ref, so fetch the full history here and the validators run for real | |
| # (rather than skipping). The other jobs stay shallow. | |
| fetch-depth: 0 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v8.1.0 | |
| with: | |
| python-version: "3.12" | |
| # --frozen keeps uv from re-resolving and rewriting uv.lock as a side | |
| # effect of `uv run`; the lock is committed and must not churn in CI. | |
| - name: Check generated skill artifacts are up to date | |
| run: uv run --frozen python -m tools.skillgen --check | |
| - name: Audit per-host v8 coverage | |
| run: uv run --frozen python -m tools.skillgen --audit-coverage | |
| - name: Check the file_type enum is a singleton | |
| run: uv run --frozen python -m tools.skillgen --schema-singleton | |
| - name: Round-trip the monoliths against v8 | |
| run: uv run --frozen python -m tools.skillgen --monolith-roundtrip | |
| - name: Round-trip the always-on blocks against v8 | |
| run: uv run --frozen python -m tools.skillgen --always-on-roundtrip | |
| test: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| python-version: ["3.10", "3.12"] | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| # test_skillgen.py reads pre-split skill bodies from the immutable | |
| # baseline commit via `git show`; a shallow checkout omits that history | |
| # and the baseline tests fail. Full history mirrors the skillgen-check job. | |
| fetch-depth: 0 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v8.1.0 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| # --frozen installs straight from the committed uv.lock without re-resolving | |
| # or rewriting it, so CI never churns the lock. | |
| - name: Install dependencies | |
| run: uv sync --all-extras --frozen | |
| - name: Run tests | |
| run: uv run --frozen pytest tests/ -q --tb=short | |
| - name: Verify install works end-to-end | |
| run: | | |
| uv run --frozen graphify --help | |
| uv run --frozen graphify install | |
| security-scan: | |
| # The dev deps include bandit and pip-audit. Run them in CI so a new | |
| # HIGH-severity finding or vulnerable dependency is caught on the PR that | |
| # introduces it, rather than at the next manual audit. | |
| # Non-blocking for now (continue-on-error) to avoid breaking CI on | |
| # pre-existing findings; remove continue-on-error after the initial | |
| # cleanup pass. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v8.1.0 | |
| with: | |
| python-version: "3.12" | |
| - name: Install dependencies | |
| run: uv sync --frozen | |
| - name: bandit (static security analysis) | |
| continue-on-error: true | |
| run: uv run --frozen bandit -r graphify -ll | |
| - name: pip-audit (dependency vulnerabilities) | |
| continue-on-error: true | |
| run: uv run --frozen pip-audit --strict |