portfolio-mcp

# CI Pipeline for portfolio-mcp # # Workflow Design: # - Triggers on PRs to main (required checks before merge) # - Triggers on push to main (post-merge verification) # - Does NOT trigger Docker builds (that's in cd.yml, only after CI passes) # # Branch Strategy: # - main: Production branch, protected, requires PR # - feature/*, fix/*, docs/*: Development branches # # Runner Support: # - Uses GitHub-hosted runners by default # - Can use self-hosted runners with `runs-on: self-hosted` label name: CI on: push: branches: [main] pull_request: branches: [main] types: [opened, synchronize, reopened] # Cancel in-progress runs for the same branch concurrency: group: ci-${{ github.ref }} cancel-in-progress: true env: UV_CACHE_DIR: /tmp/uv-cache PYTHON_VERSION: "3.12" jobs: lint: name: Lint & Format runs-on: ${{ vars.RUNNER_LABEL || 'ubuntu-latest' }} timeout-minutes: 10 steps: - name: Checkout repository uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install uv uses: astral-sh/setup-uv@v5 with: enable-cache: true # Configure git to use GH_PAT for private repos - name: Configure git for private repos run: | git config --global url."https://${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/" - name: Install dependencies run: uv sync --all-groups - name: Run Ruff linter run: uv run ruff check . --output-format=github - name: Run Ruff formatter check run: uv run ruff format --check . test: name: Test (Python ${{ matrix.python-version }}) runs-on: ${{ vars.RUNNER_LABEL || 'ubuntu-latest' }} timeout-minutes: 15 strategy: fail-fast: false matrix: python-version: ["3.12", "3.13"] steps: - name: Checkout repository uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - name: Install uv uses: astral-sh/setup-uv@v5 with: enable-cache: true - name: Configure git for private repos run: | git config --global url."https://${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/" - name: Install dependencies run: uv sync --all-groups - name: Run tests with coverage run: | uv run pytest --cov --cov-report=xml --cov-report=term-missing - name: Upload coverage reports if: matrix.python-version == '3.12' uses: codecov/codecov-action@v4 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.xml fail_ci_if_error: false security: name: Security Scan runs-on: ${{ vars.RUNNER_LABEL || 'ubuntu-latest' }} timeout-minutes: 10 steps: - name: Checkout repository uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install uv uses: astral-sh/setup-uv@v5 with: enable-cache: true - name: Configure git for private repos run: | git config --global url."https://${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/" - name: Install dependencies run: uv sync --all-groups - name: Run pip-audit run: | uv pip install pip-audit uv run pip-audit --strict --ignore-vuln GHSA-xxxx-xxxx-xxxx || true continue-on-error: true # Don't fail CI on vulnerabilities, just report - name: Run bandit security linter run: | uv pip install bandit uv run bandit -r app/ -ll -ii # Summary job that other workflows can depend on ci-success: name: CI Success runs-on: ${{ vars.RUNNER_LABEL || 'ubuntu-latest' }} needs: [lint, test, security] if: always() steps: - name: Check all jobs passed run: | if [[ "${{ needs.lint.result }}" != "success" ]] || \ [[ "${{ needs.test.result }}" != "success" ]] || \ [[ "${{ needs.security.result }}" != "success" ]]; then echo "One or more CI jobs failed" exit 1 fi echo "All CI checks passed!"