updates to workflows

Magic-Man-us · Magic-Man-us · commit 7422bc2f30fa · 2025-11-02T16:31:36.000-05:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,7 +8,3 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-  - package-ecosystem: "github-pre-commit"
-    directory: "/"
-    schedule:
-      interval: "weekly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,13 +6,35 @@ on:
   pull_request:
     branches: [ main ]
 
+# Cancel redundant runs per-branch/PR
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Least-privilege for the jobs below
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test / Lint / Typecheck (uv)
     runs-on: ubuntu-latest
+    # Write perms only where needed
+    permissions:
+      contents: read
     strategy:
+      fail-fast: false
       matrix:
-        python-version: ["3.11", "3.12", "3.13", "3.14"]
+        include:
+          - python-version: "3.11"
+            experimental: false
+          - python-version: "3.12"
+            experimental: false
+          - python-version: "3.13"
+            experimental: false
+          - python-version: "3.14"   # treat 3.14 as experimental so CI doesn't block if it breaks
+            experimental: true
+    continue-on-error: ${{ matrix.experimental }}
 
     steps:
       - name: Checkout
@@ -23,11 +45,12 @@ jobs:
         with:
           enable-cache: true
 
-      - name: Set up Python ${{ matrix.python-version }}
+      - name: Set up Python
         run: uv python install ${{ matrix.python-version }}
 
-      - name: Sync dependencies with uv
-        run: uv sync --all-extras
+      # Ensure dev tools (ruff, mypy, pytest, bandit, safety, pytest-cov) are declared in pyproject dev deps.
+      - name: Sync dependencies
+        run: uv sync --all-extras --dev
 
       - name: Lint (ruff)
         run: uv run ruff check .
@@ -38,14 +61,15 @@ jobs:
       - name: Tests (pytest)
         run: uv run pytest --cov --cov-report=xml --cov-report=html
 
-      - name: Security scan for dangerous APIs
+      - name: Dangerous API scan (grep)
+        continue-on-error: true
+        shell: bash
         run: |
           set -euo pipefail
-          if grep -R --line-number -E "\beval\(|\bexec\(|pickle\.loads|yaml\.load|subprocess\.(Popen|call)" src/ tests/ || true; then
-            echo "⚠️  Potentially dangerous API usage detected. Please review before merging." >&2
+          if grep -R --line-number -E "\beval\(|\bexec\(|pickle\.loads|yaml\.load(?!_safe)|subprocess\.(Popen|call)" src/ tests/ || true; then
+            echo "⚠️ Potentially dangerous API usage detected. Please review." >&2
             exit 2
           fi
-        continue-on-error: true
 
       - name: Upload coverage.xml
         uses: actions/upload-artifact@v4
@@ -59,95 +83,71 @@ jobs:
           name: coverage-html-${{ matrix.python-version }}
           path: htmlcov
 
+      # Upload Codecov once to avoid noisy duplicate uploads
+      - name: Upload to Codecov
+        if: matrix.python-version == '3.11'
+        uses: codecov/codecov-action@v4
+        with:
+          files: coverage.xml
+          flags: unittests
+          fail_ci_if_error: false
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
   security:
-    name: Security Scan
+    name: Security Scan (Bandit + Safety)
     runs-on: ubuntu-latest
+    needs: test
+    # Grant code scanning upload only here
+    permissions:
+      contents: read
+      security-events: write
+
     env:
       SECURITY_FAIL_LEVEL: MEDIUM
+
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
       - name: Install uv
         uses: astral-sh/setup-uv@v4
         with:
           enable-cache: true
 
-      - name: Set up Python 3.11
+      - name: Set up Python
         run: uv python install 3.11
 
-      - name: Sync deps and install security tools
-        run: |
-          uv sync --all-extras
-          uv pip install bandit safety
+      - name: Sync dependencies
+        run: uv sync --all-extras --dev
 
-      - name: Run Bandit and export SARIF
+      - name: Run Bandit (JSON + SARIF)
         run: |
-          uv run bandit -r src/ -f json -o bandit-report.json
-          uv run bandit -r src/ -f sarif -o bandit-report.sarif
-        continue-on-error: true
+          uv run bandit -r src/ -f json  -o bandit-report.json || true
+          uv run bandit -r src/ -f sarif -o bandit-report.sarif || true
 
       - name: Upload Bandit SARIF to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: bandit-report.sarif
         continue-on-error: true
 
-      - name: Run Safety (fail on any vulnerability)
-        run: |
-          uv run safety check --json > safety-report.json || true
-          python - <<'PY'
-          import json,sys,os
-          try:
-              data=json.load(open('safety-report.json'))
-              if data.get('vulnerabilities'):
-                  print('Safety reported vulnerabilities')
-                  sys.exit(2)
-              print('No safety vulnerabilities')
-          except Exception as e:
-              print(f'Error parsing safety output: {e}')
-              sys.exit(0)
-          PY
-        continue-on-error: true
+      - name: Run Safety (JSON)
+        run: uv run safety check --json > safety-report.json || true
 
       - name: Apply Bandit threshold
-        run: |
-          python - <<'PY'
-          import json,sys,os
-          level=os.environ.get('SECURITY_FAIL_LEVEL','MEDIUM').upper()
-          try:
-              data=json.load(open('bandit-report.json'))
-              sevs=[issue.get('issue_severity','') for issue in data.get('results',[])]
-              if level=='NONE':
-                  print('SECURITY_FAIL_LEVEL=NONE: not failing on bandit issues')
-                  sys.exit(0)
-              if level=='HIGH':
-                  if 'HIGH' in sevs:
-                      print('Failing on HIGH bandit issues')
-                      sys.exit(2)
-                  else:
-                      print('No HIGH bandit issues')
-                      sys.exit(0)
-              if level=='MEDIUM':
-                  if any(s in ('HIGH','MEDIUM') for s in sevs):
-                      print('Failing on MEDIUM or HIGH bandit issues')
-                      sys.exit(2)
-                  else:
-                      print('No MEDIUM/HIGH bandit issues')
-                      sys.exit(0)
-              print('Unknown SECURITY_FAIL_LEVEL:', level)
-              sys.exit(1)
-          except Exception as e:
-              print(f'Error parsing bandit report: {e}')
-              sys.exit(0)
-          PY
+        run: uv run python scripts/security_bandit_check.py
         continue-on-error: true
 
+      - name: Fail on Safety vulnerabilities
+        run: uv run python scripts/security_safety_check.py
+
       - name: Upload security reports
+        if: always()
         uses: actions/upload-artifact@v4
         with:
           name: security-reports
           path: |
             bandit-report.json
             bandit-report.sarif
             safety-report.json
-        if: always()
diff --git a/.github/workflows/docs-pages.yml b/.github/workflows/docs-pages.yml
@@ -22,6 +22,9 @@ jobs:
       - name: Sync dependencies with uv
         run: uv sync --all-extras
 
+      - name: Install sphinx
+        run: uv pip install sphinx sphinx-rtd-theme
+
       - name: Build docs
         run: uv run sphinx-build -b html docs docs/_build/html
 
