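# CI workflow: Python lint/type/test, web build, container builds, and a
# supply-chain job (deploy-closure policy gate, secret scan, dependency audit).
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:

# Least privilege for GITHUB_TOKEN: nothing here pushes, comments or writes
# back to the repository, so read-only checkout access is all any job needs.
# Jobs that later need more (e.g. image push) should raise it per job.
permissions:
  contents: read

concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

# NOTE(review): third-party actions below are pinned by major tag (@v4, @v6,
# @v3). A mutable tag can be moved; pinning each `uses:` to a full-length
# commit SHA (with the tag kept in a trailing comment) removes that trust.
jobs:
  lint-type-test:
    name: lint · typecheck · test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true
      - name: Install Python 3.12
        run: uv python install 3.12
      - name: Sync workspace
        run: uv sync --frozen
      - name: Ruff lint
        run: uv run ruff check .
      - name: Ruff format check
        run: uv run ruff format --check .
      - name: Mypy (strict)
        run: uv run mypy packages agents services apps/api
      - name: Pytest + coverage gate (>=90%)
        run: uv run pytest --cov=glasshat --cov-report=term-missing --cov-fail-under=90

  web:
    name: web (lint · typecheck · test · build)
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: apps/web
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: "9"
      - uses: actions/setup-node@v4
        with:
          # Quoted so the version is passed as a string, not a YAML integer.
          node-version: "22"
          cache: pnpm
          cache-dependency-path: apps/web/pnpm-lock.yaml
      - name: Install
        run: pnpm install --frozen-lockfile
      - name: Lint
        run: pnpm lint
      - name: Typecheck
        run: pnpm typecheck
      - name: Test
        run: pnpm test
      - name: Build
        run: pnpm build

  docker:
    name: docker build (api + web)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      # Build only; nothing is pushed from CI, so no registry credentials are needed.
      - name: Build API image
        run: docker build -f infra/Dockerfile.api -t glasshat-api:ci .
      - name: Build web image
        run: docker build -f infra/Dockerfile.web -t glasshat-web:ci apps/web

  supply-chain:
    name: supply-chain (deploy-closure leak + secrets)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true
      - name: Install Python 3.12
        run: uv python install 3.12
      # The deployed API image is built with `--extra vertex --extra arize`
      # (infra/deploy.sh). Assert that closure ships NO general-purpose LLM SDKs —
      # the `phoenix` extra's transitive arize-phoenix would pull openai/anthropic,
      # which the Gemini/Google-only deploy must never bundle.
      - name: Deploy-closure dependency leak gate
        run: |
          set -euo pipefail
          # `|| true` keeps pipefail from failing the step when grep finds nothing.
          leaked=$(uv export --frozen --no-dev --extra vertex --extra arize \
            | grep -iE '^(openai|anthropic|pydantic-ai)([=<>~ ]|$)' || true)
          if [ -n "$leaked" ]; then
            echo "::error::Forbidden LLM SDK in the deploy closure (Gemini/Google-only policy):"
            echo "$leaked"
            exit 1
          fi
          echo "OK — deploy closure (vertex+arize) ships no openai/anthropic/pydantic-ai."
      # Use the free gitleaks CLI (MIT) rather than the GitHub Action, which now
      # requires a paid license for organizations. Scan the working tree
      # (--no-git) so a committed secret fails the PR without history-scan noise.
      # Scope is the ships-to-prod source; .gitleaks.toml allowlists experiment /
      # scraped-corpus / build-artifact paths that never enter the deployed image
      # (~253 gitleaks hits live in spikes/ and should be reviewed before the repo
      # is made fully public — they are excluded here, not in production).
      - name: Secret scan (gitleaks CLI)
        run: |
          set -euo pipefail
          VERSION=8.18.4
          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}"
          TARBALL="gitleaks_${VERSION}_linux_x64.tar.gz"
          # Download into a scratch dir so the tarball and binary are neither
          # left in the tree nor fed to the scan itself.
          TOOLDIR="$(mktemp -d)"
          curl -sSfL -o "${TOOLDIR}/${TARBALL}" "${BASE}/${TARBALL}"
          # Verify the archive before executing anything from it. The release's
          # checksums file catches a corrupted or substituted download; pinning
          # the expected sha256 in-repo (<sha256 of the tarball — take it from
          # the release's checksums file>) would be stronger still.
          curl -sSfL -o "${TOOLDIR}/checksums.txt" "${BASE}/gitleaks_${VERSION}_checksums.txt"
          (cd "${TOOLDIR}" && sha256sum --check --ignore-missing checksums.txt)
          tar -xzf "${TOOLDIR}/${TARBALL}" -C "${TOOLDIR}" gitleaks
          "${TOOLDIR}/gitleaks" detect --source . --no-git --redact --no-banner --exit-code 1 --config .gitleaks.toml
      # Advisory only: findings are printed, never fail the job.
      - name: Dependency audit (advisory)
        continue-on-error: true
        run: |
          uvx pip-audit --version || true
          uv export --frozen --no-dev --extra vertex --extra arize --format requirements-txt -o /tmp/reqs.txt
          uvx pip-audit -r /tmp/reqs.txt || echo "pip-audit advisory findings (non-blocking)"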