Add CI/CD workflows matching GNAT#12
- python-tests: pytest matrix on 3.11 + 3.12
- python-lint-fast: Ruff check + format on PR/push
- python-typecheck: mypy on redgnat/ (blocking)
- python-security: Bandit + pip-audit on PR/push/weekly schedule
- semgrep: SAST on PR/push/weekly schedule
- dco_check: DCO sign-off enforcement on PRs
- dependency-review: pip-audit on PRs
- pylint: Pylint on all pushes across 3.11 + 3.12
- security-hygiene: technique + engagement tests on relevant path changes

https://claude.ai/code/session_01DGwbYiq7PnxMxMXtnTEmov
Pull request overview
Adds a set of GitHub Actions workflows to align this repo’s CI/CD checks with GNAT-style automation, covering tests, linting, type checking, and security scanning.
Changes:
- Introduces Python CI workflows for pytest (3.11/3.12), Ruff, mypy, and pylint.
- Adds security-focused workflows: Bandit, pip-audit (two workflows), Semgrep, and a targeted “security hygiene” test workflow.
- Enforces DCO sign-off on pull requests via a dedicated workflow.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/python-tests.yml | Runs pytest in a 3.11/3.12 matrix on PRs and main pushes. |
| .github/workflows/python-lint-fast.yml | Adds fast lint + formatting checks via Ruff on PRs and main pushes. |
| .github/workflows/python-typecheck.yml | Adds blocking mypy type checking for redgnat/. |
| .github/workflows/pylint.yml | Runs pylint on every push across 3.11/3.12. |
| .github/workflows/python-security.yml | Adds Bandit and pip-audit on PR/push plus a weekly schedule. |
| .github/workflows/dependency-review.yml | Adds a PR-only pip-audit workflow (duplicates the pip-audit in python-security). |
| .github/workflows/semgrep.yml | Adds Semgrep SAST on PR/push plus a weekly schedule. |
| .github/workflows/security-hygiene.yml | Runs a targeted subset of tests when technique/engagement paths change. |
| .github/workflows/dco_check.yml | Enforces DCO sign-off on PRs. |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: tim-actions/dco@master |
tim-actions/dco is referenced via @master, which is an unpinned floating ref. Pin this action to a specific release tag or (preferably) a commit SHA to avoid supply-chain risk and unexpected behavior changes.
| - uses: tim-actions/dco@master | |
| - uses: tim-actions/dco@v1 |
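Review bot: the suggested `tim-actions/dco@v1` is still a mutable tag, so it only partly addresses the floating-ref concern; pin to a full commit SHA and record the version in a trailing comment (e.g. `- uses: tim-actions/dco@<commit-sha>  # v1.x`, with `<commit-sha>` being whatever the release resolves to) so the action's code cannot change without a visible diff in this repo. Enabling Dependabot for the `github-actions` ecosystem keeps such pins current. For a consistent policy, `actions/checkout@v4` in the same job should be pinned the same way.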
| - name: Run pip-audit | ||
| uses: pypa/gh-action-pip-audit@v1.1.0 | ||
| with: | ||
| inputs: "." |
This pip-audit job doesn’t set up Python or install the project’s dependencies, and the repo doesn’t include a requirements/lock file. As written, inputs: "." is unlikely to audit the actual runtime dependency set. Consider setting up Python, installing the package (e.g. pip install -e .), and running pip-audit against the environment, or generate/provide a pinned requirements/lock file and audit that instead.
| - name: Run pip-audit | |
| uses: pypa/gh-action-pip-audit@v1.1.0 | |
| with: | |
| inputs: "." | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.x" | |
| - name: Install pip-audit and project dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install pip-audit | |
| python -m pip install -e . | |
| - name: Run pip-audit | |
| run: python -m pip_audit |
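Review bot: `python-version: "3.x"` resolves to the newest CPython available on the runner, which may be neither of the 3.11/3.12 versions this PR tests against, and dependency resolution (hence the audited set) can differ per interpreter; use the supported versions, or a matrix over both, so the audit reflects what actually ships. Installing `pip-audit` into the same environment as `pip install -e .` also adds pip-audit's own dependency tree to the audited set, so findings can appear that have nothing to do with the project; run it from an isolated install instead (e.g. `pipx run pip-audit`, pipx being preinstalled on `ubuntu-latest`).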
| pip-audit: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - name: Check out code | ||
| uses: actions/checkout@v4 | ||
| - name: Run pip-audit | ||
| uses: pypa/gh-action-pip-audit@v1.1.0 | ||
| with: | ||
| inputs: "." |
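Review bot: the weekly `schedule` trigger is what distinguishes this job from the PR-only pip-audit in dependency-review.yml, and it is the more valuable half: a PR-time audit only sees advisories that exist when the dependency is merged, while the scheduled run on `main` catches ones published afterwards. When deduplicating, keep the schedule here and the PR trigger there rather than deleting this job outright, and give the scheduled run a failure notification path, since no pull request surfaces its result.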
pip-audit is already configured to run on pull requests via .github/workflows/dependency-review.yml. Keeping a second PR-triggered pip-audit job here will run duplicate audits for every PR, increasing CI time and noise. Consider removing the PR trigger for one of them, or deleting one of the duplicate jobs and keeping a single source of truth.
| - name: Run pip-audit | ||
| uses: pypa/gh-action-pip-audit@v1.1.0 | ||
| with: | ||
| inputs: "." |
This pip-audit job doesn’t set up Python or install the project’s dependencies, and the repo doesn’t include a requirements/lock file. As written, inputs: "." is unlikely to audit the actual runtime dependency set. Consider setting up Python, installing the package (e.g. pip install -e .), and running pip-audit against the environment, or generate/provide a pinned requirements/lock file and audit that instead.
| - name: Run pip-audit | |
| uses: pypa/gh-action-pip-audit@v1.1.0 | |
| with: | |
| inputs: "." | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: Install pip-audit | |
| run: pip install pip-audit | |
| - name: Install project dependencies | |
| run: pip install -e . | |
| - name: Run pip-audit | |
| run: pip-audit |
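Review bot: this suggestion diverges from the one proposed above for dependency-review.yml (`"3.11"` vs `"3.x"`, `pip-audit` vs `python -m pip_audit`, `pip install` vs `python -m pip install`); if both pip-audit jobs are kept, make the steps identical, or better, factor them into one reusable workflow (`on: workflow_call`) or a composite action that both files invoke, so the audit configuration has a single source of truth and the two copies cannot drift apart over time.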