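---
# CI pipeline: lint and test against a throwaway Postgres service container,
# run static-analysis and dependency security scans, smoke-test the Docker
# image, and publish a per-job summary table.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, master]
  pull_request:

# Least privilege for the default GITHUB_TOKEN: no job here writes to the
# repository, packages, or PRs. Widen per job if a step ever needs more.
permissions:
  contents: read

jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    container:
      image: python:3.11-bullseye
    services:
      postgres:
        image: postgres:15
        env:
          # Throwaway credentials for the ephemeral service container; they
          # never leave the runner. Keep them in sync with DATABASE_URL below.
          POSTGRES_USER: poteuser
          POSTGRES_PASSWORD: testpass123
          POSTGRES_DB: potedb_test
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    env:
      # Shared by the test and script steps. The job runs inside a container,
      # so the service is addressed by its service name ("postgres"), not
      # localhost.
      DATABASE_URL: postgresql://poteuser:testpass123@postgres:5432/potedb_test
    steps:
      - name: Check out code
        # NOTE(review): third-party actions are pinned to a mutable major tag
        # throughout this file; pin each to a full commit SHA for
        # supply-chain integrity.
        uses: actions/checkout@v4

      - name: Install system dependencies
        run: |
          apt-get update
          apt-get install -y postgresql-client

      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Run linters
        # Advisory only: every linter is `|| true`, so findings appear in the
        # log but never fail the job. Drop the `|| true` once the baseline
        # is clean to make them blocking.
        run: |
          echo "Running ruff..."
          ruff check src/ tests/ || true
          echo "Running black check..."
          black --check src/ tests/ || true
          echo "Running mypy..."
          # --install-types pulls stub packages from PyPI at run time.
          mypy src/ --install-types --non-interactive || true

      - name: Run tests with coverage
        run: |
          pytest tests/ -v --cov=src/pote --cov-report=term --cov-report=xml

      - name: Test scripts
        run: |
          echo "Testing database migrations..."
          alembic upgrade head
          echo "Testing price loader..."
          # Best-effort: the loader may depend on network access that the
          # runner does not have, so its failure does not fail the job.
          python scripts/fetch_sample_prices.py || true

  security-scan:
    runs-on: ubuntu-latest
    container:
      image: python:3.11-bullseye
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          pip install --upgrade pip
          pip install safety bandit

      - name: Run safety check
        # Report-only: both `|| true` and continue-on-error keep findings
        # from failing the job, so the log must be reviewed by hand.
        continue-on-error: true
        run: |
          pip install -e .
          safety check --json || true

      - name: Run bandit security scan
        # Report-only, as above. bandit-report.json is written to the
        # workspace but not uploaded anywhere; add an artifact upload step
        # if the JSON report is meant to be kept.
        continue-on-error: true
        run: |
          bandit -r src/ -f json -o bandit-report.json || true
          bandit -r src/ -f screen

  dependency-scan:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): "latest" is a mutable tag; pin a version or digest so
      # scan results are reproducible.
      image: aquasec/trivy:latest
    steps:
      - name: Install Node.js for checkout action
        # The trivy image uses apk (Alpine); actions/checkout needs a Node
        # runtime that the image does not ship.
        run: |
          apk add --no-cache nodejs npm curl

      - name: Check out code
        uses: actions/checkout@v4

      - name: Scan dependencies
        # --exit-code 0 makes the scan report-only; raise it to 1 (optionally
        # with a --severity filter) once the baseline is clean to block on
        # new vulnerabilities.
        run: trivy fs --scanners vuln --exit-code 0 .

  docker-build-test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          # Buildx keeps the result in the build cache unless it is explicitly
          # loaded into the local daemon; without this the `docker run
          # pote:test` below cannot find the tag.
          load: true
          tags: pote:test
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Test Docker image
        run: |
          docker run --rm pote:test python -c "import pote; print('POTE import successful')"

  workflow-summary:
    runs-on: ubuntu-latest
    needs: [lint-and-test, security-scan, dependency-scan, docker-build-test]
    # Run even when an upstream job failed so the table is always produced.
    if: always()
    steps:
      - name: Generate workflow summary
        # needs.*.result is one of success/failure/cancelled/skipped, so
        # interpolating it into the script cannot introduce shell syntax.
        # Do not extend this pattern to free-text context values (PR titles,
        # branch names); pass those through env vars instead.
        run: |
          cat >> "$GITHUB_STEP_SUMMARY" <<'EOF' || true
          ## 🔍 CI Workflow Summary

          ### Job Results

          | Job | Status |
          |-----|--------|
          | 🧪 Lint & Test | ${{ needs.lint-and-test.result }} |
          | 🔒 Security Scan | ${{ needs.security-scan.result }} |
          | 📦 Dependency Scan | ${{ needs.dependency-scan.result }} |
          | 🐳 Docker Build | ${{ needs.docker-build-test.result }} |

          ### 📊 Summary

          All checks have completed. Review individual job logs for details.
          EOF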