feat: Refactor agent tool management and enhance frontend tool initia… #116
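---
# CI pipeline: lint/type/security checks, tests with coverage, a dedicated
# bandit scan, a pyscn quality gate, and a summary job that aggregates results.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop, "feat/**"]
  pull_request:
    branches: [main, develop, "feat/**"]

# Token scope applied to every job (least privilege).
permissions:
  contents: read
  # NOTE(review): no job below uploads SARIF or other code-scanning results,
  # so `security-events: write` appears unused — confirm before dropping it.
  security-events: write
  actions: read

# NOTE(review): actions are pinned to major tags (@vN) rather than commit SHAs,
# and setup-uv uses `version: "latest"`; a mutable tag is a supply-chain
# exposure for a workflow that runs with repository secrets.
jobs:
  # Full lint job with comprehensive checks
  lint:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v5
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          version: "latest"
      - name: Install dependencies
        run: |
          uv sync --dev --frozen
      - name: Lint with ruff (check)
        run: |
          uv run ruff check src/ --output-format=github
      - name: Format check with ruff
        run: |
          uv run ruff format --check src/
      - name: Type check with mypy
        run: |
          uv run mypy src/ --strict --show-error-codes
      - name: Security check with bandit
        run: |
          echo "🔍 Running Bandit security scan..."
          # Report runs are informational. bandit exits 1 whenever any finding
          # passes its severity filter, so each report run must not abort the
          # step (default shell is `bash -e`) before the gate below is reached.
          uv run bandit -r src/adk_agui_middleware -f json -o bandit-report.json --exclude "*/.venv/*,*/venv/*,*/env/*,*/.env/*,*/__pycache__/*" --skip B101,B601 || echo "Bandit JSON report generated"
          uv run bandit -r src/adk_agui_middleware --severity-level low --confidence-level medium --exclude "*/.venv/*,*/venv/*,*/env/*,*/.env/*,*/__pycache__/*" --skip B101,B601 -f txt -o bandit-summary.txt || echo "⚠️ Low/Medium severity issues found. Review recommended but not blocking."
          echo "📊 Bandit scan completed. Check artifacts for detailed reports."
          # Display summary in GitHub Actions log
          echo "=== Bandit Security Scan Summary ==="
          cat bandit-summary.txt 2>/dev/null || true
          # Only fail if there are high severity issues. The gating run is
          # filtered to --severity-level high, so its exit code means:
          #   0 = no high severity findings, 1 = high severity findings,
          #   anything else = bandit itself did not complete.
          exit_code=0
          uv run bandit -r src/adk_agui_middleware --severity-level high --confidence-level medium --exclude "*/.venv/*,*/venv/*,*/env/*,*/.env/*,*/__pycache__/*" --skip B101,B601 || exit_code=$?
          if [ "$exit_code" -eq 0 ]; then
            echo "✅ No high severity security issues found."
          elif [ "$exit_code" -eq 1 ]; then
            echo "❌ High severity security issues found. Please review and fix."
            exit 1
          else
            # Fail closed: a scanner that did not run is not a passing gate.
            echo "❌ Bandit did not complete (exit code $exit_code)."
            exit "$exit_code"
          fi
        continue-on-error: false
      - name: Upload bandit reports
        uses: actions/upload-artifact@v5
        if: always()
        with:
          name: bandit-reports-${{ matrix.python-version }}
          path: |
            bandit-report.json
            bandit-summary.txt

  # Comprehensive test job
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v5
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          version: "latest"
      - name: Install dependencies
        run: |
          uv sync --dev --frozen
      - name: Run unittest
        run: |
          PYTHONPATH=$PWD/src uv run python -m unittest discover -s tests -p "test_*.py" -v
      - name: Run tests with coverage
        run: |
          PYTHONPATH=$PWD/src uv run coverage run --source=src -m unittest discover -s tests -p "test_*.py" -v
          uv run coverage xml
          uv run coverage html
          uv run coverage report --show-missing
        continue-on-error: false
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@v5
        with:
          file: ./coverage.xml
          flags: unittests
          name: codecov-umbrella
          token: ${{ secrets.CODECOV_TOKEN }}
        # Secrets are not available to pull requests from forks; the upload is
        # best-effort so a missing token does not fail the test job.
        continue-on-error: true
      - name: Upload coverage HTML report
        uses: actions/upload-artifact@v5
        if: always()
        with:
          name: coverage-report-${{ matrix.python-version }}
          path: htmlcov/

  # Dedicated security scan job
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.13"
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          version: "latest"
      - name: Install dependencies
        run: |
          uv sync --dev --frozen
      - name: Comprehensive Bandit security scan
        run: |
          echo "🔐 Running comprehensive security analysis..."
          # The JSON and text report runs below have no `|| ...` fallback, so
          # this job fails on ANY finding (bandit exits 1 when findings pass its
          # default filter); the later runs are informational only.
          # Generate detailed JSON report
          uv run bandit -r src/adk_agui_middleware -f json -o bandit-detailed.json -v --exclude "*/.venv/*,*/venv/*,*/env/*,*/.env/*,*/__pycache__/*" --skip B101,B601
          # Generate readable text report
          uv run bandit -r src/adk_agui_middleware -f txt -o bandit-detailed.txt --exclude "*/.venv/*,*/venv/*,*/env/*,*/.env/*,*/__pycache__/*" --skip B101,B601
          # Generate XML report for further processing
          uv run bandit -r src/adk_agui_middleware -f xml -o bandit-detailed.xml --exclude "*/.venv/*,*/venv/*,*/env/*,*/.env/*,*/__pycache__/*" --skip B101,B601 || echo "XML report generated"
          # Run with different confidence levels for analysis
          echo "=== High Confidence Issues ==="
          uv run bandit -r src/adk_agui_middleware --confidence-level high --severity-level medium --exclude "*/.venv/*,*/venv/*,*/env/*,*/.env/*,*/__pycache__/*" --skip B101,B601 || echo "High confidence scan completed"
          echo "=== All Issues Summary ==="
          uv run bandit -r src/adk_agui_middleware --confidence-level low --severity-level low --exclude "*/.venv/*,*/venv/*,*/env/*,*/.env/*,*/__pycache__/*" --skip B101,B601 || echo "Full scan completed"
          echo "📈 Security scan artifacts generated"
      - name: Upload security reports
        uses: actions/upload-artifact@v5
        if: always()
        with:
          name: security-reports
          path: |
            bandit-detailed.json
            bandit-detailed.txt
            bandit-detailed.xml

  # pyscn code-quality analysis (complexity, dead code, clones, deps)
  pyscn:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.13"
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          version: "latest"
      # NOTE(review): `uvx pyscn` resolves the newest pyscn from the index on
      # every run (not covered by the project lockfile), so the quality gate
      # depends on an unpinned tool.
      - name: Show pyscn version
        run: |
          uvx pyscn --version || true
      - name: Run pyscn check (quality gate)
        id: pyscn_check
        continue-on-error: true
        run: |
          set -o pipefail
          echo "🔎 Running pyscn quality gate (check)..."
          # The default `bash -e` shell combined with pipefail aborts the script
          # on a failing pipeline before the status is recorded, which leaves
          # PYSCN_STATUS and the `result` output unset; capture the status via
          # `||` so the script always reaches the bookkeeping below.
          status=0
          uvx pyscn check . | tee pyscn-check.txt || status=${PIPESTATUS[0]}
          echo "PYSCN_STATUS=$status" >> "$GITHUB_ENV"
          if [ "$status" -eq 0 ]; then
            echo "result=success" >> "$GITHUB_OUTPUT"
          else
            echo "result=failure" >> "$GITHUB_OUTPUT"
          fi
      - name: Run pyscn analyze (JSON report)
        run: |
          echo "📊 Running pyscn analyze (JSON)..."
          uvx pyscn analyze --json . > pyscn-report.json || true
      - name: Attach HTML report if generated
        run: |
          # Collect potential HTML reports from common locations
          mkdir -p pyscn-artifacts
          if [ -d .pyscn ]; then cp -R .pyscn pyscn-artifacts/.pyscn || true; fi
          if ls *.html >/dev/null 2>&1; then cp *.html pyscn-artifacts/ || true; fi
          if [ -d htmlcov ]; then cp -R htmlcov pyscn-artifacts/htmlcov || true; fi
          cp -f pyscn-check.txt pyscn-artifacts/ || true
          cp -f pyscn-report.json pyscn-artifacts/ || true
      - name: Upload pyscn artifacts
        uses: actions/upload-artifact@v5
        if: always()
        with:
          name: pyscn-reports
          path: |
            pyscn-artifacts/**
      - name: Post pyscn summary and conclude
        if: always()
        run: |
          echo "## pyscn Quality Gate" >> "$GITHUB_STEP_SUMMARY"
          echo "- Result: ${{ steps.pyscn_check.outputs.result }}" >> "$GITHUB_STEP_SUMMARY"
          echo "- Config: .pyscn.toml (strict)" >> "$GITHUB_STEP_SUMMARY"
          echo "- Artifacts: see 'pyscn-reports'" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### pyscn check output" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          sed -e 's/^/ /' pyscn-check.txt >> "$GITHUB_STEP_SUMMARY" || true
          # Fail job if quality gate failed. PYSCN_STATUS is written by the
          # check step; an unset value is treated as a failure (fail closed).
          if [ "${PYSCN_STATUS:-1}" -ne 0 ]; then
            echo "❌ pyscn quality gate failed" >&2
            exit 1
          else
            echo "✅ pyscn quality gate passed"
          fi

  # Summary job to provide overall status
  summary:
    runs-on: ubuntu-latest
    needs: [lint, test, security, pyscn]
    # Runs even when a needed job failed or was cancelled so the aggregate
    # status is always reported; any non-success result fails this job.
    if: always()
    steps:
      - name: Check results
        # `needs.<job>.result` is a fixed set of values set by the runner, so
        # interpolating it into the script does not take attacker-controlled input.
        run: |
          echo "=== CI Results Summary ==="
          echo "Lint: ${{ needs.lint.result }}"
          echo "Test: ${{ needs.test.result }}"
          echo "Security: ${{ needs.security.result }}"
          echo "pyscn: ${{ needs.pyscn.result }}"
          if [ "${{ needs.lint.result }}" == "success" ] && [ "${{ needs.test.result }}" == "success" ] && [ "${{ needs.security.result }}" == "success" ] && [ "${{ needs.pyscn.result }}" == "success" ]; then
            echo "✅ All checks passed!"
            exit 0
          else
            echo "❌ Some checks failed. Please review the errors above."
            exit 1
          fi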