Spotify MCP Server

name: CI on: push: branches: [ main, develop ] pull_request: branches: [ main, develop ] jobs: test: runs-on: ubuntu-latest needs: [lint] # Don't test broken code strategy: matrix: python-version: ["3.12", "3.13"] steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - name: Install uv uses: astral-sh/setup-uv@v4 with: # Install a specific uv version version: "latest" # Install uv globally enable-cache: true - name: Set up project run: uv sync --dev - name: Run type checking run: uv run mypy src/ - name: Run tests run: uv run pytest lint: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.12" - name: Install uv uses: astral-sh/setup-uv@v4 with: version: "latest" enable-cache: true - name: Set up project run: uv sync --dev - name: Run ruff linter run: uv run ruff check src/ tests/ - name: Run ruff formatter check run: uv run ruff format --check src/ tests/ security: runs-on: ubuntu-latest needs: [lint] # Don't scan broken code steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.12" - name: Install uv uses: astral-sh/setup-uv@v4 with: version: "latest" enable-cache: true - name: Set up project run: uv sync --dev - name: Run bandit security linter run: uv run bandit -r src/ build: runs-on: ubuntu-latest needs: [test, lint, security] # Require all quality gates if: github.event_name == 'push' && github.ref == 'refs/heads/main' steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.12" - name: Install uv uses: astral-sh/setup-uv@v4 with: version: "latest" enable-cache: true - name: Set up project run: uv sync --dev - name: Build package run: uv build - name: Store build artifacts uses: actions/upload-artifact@v4 with: name: dist path: dist/ docker: runs-on: ubuntu-latest needs: [test, lint, security] steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build Docker image uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile push: false load: true # Load image into Docker daemon for testing tags: spotify-mcp:test cache-from: type=gha cache-to: type=gha,mode=max - name: Test Docker image run: | # Test that image was built and can run basic commands docker run --rm spotify-mcp:test python --version # Test that entry point is installed and accessible docker run --rm spotify-mcp:test which spotify-mcp # Test that application starts without errors (with proper env vars) docker run --rm -e SPOTIFY_CLIENT_ID=test -e SPOTIFY_CLIENT_SECRET=test -e SPOTIFY_REDIRECT_URI=http://localhost:8888 spotify-mcp:test python -c "print('✅ Docker image works correctly')" # Test security: ensure running as non-root user docker run --rm spotify-mcp:test sh -c 'whoami | grep -v root'