Fix #1155: Refactor TaskExecutor to reduce complexity and improve maintainability #2592
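# SecuScan CI
#
# Job layout:
#   - detect-changes decides which suites run (policy in docs/ci-test-selection.md)
#     and exposes run_backend / run_frontend as job outputs.
#   - formatting-hygiene runs on pull requests only; the test jobs accept it as
#     either success or skipped so pushes are not blocked by it.
#   - backend-lint -> backend-unit / backend-integration / parser-contracts -> backend-tests (gate)
#   - frontend-run-checks (Node matrix) -> frontend-checks (gate)
#   - backend-audit, benchmark, issue-template-label-validation and
#     doc-anchor-validation are independent of the change filter.
#
# Conventions used throughout:
#   - Runtime context (github.base_ref, matrix values, job results) is passed to
#     shell steps through `env:` instead of being interpolated with ${{ }} into
#     the script body, so the value is data rather than code when the shell runs.
#   - Actions are referenced by major tag. NOTE(review): pinning each `uses:`
#     to a full commit SHA would give a stronger supply-chain guarantee.
name: SecuScan CI

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:

# Read-only default token for every job; none of the steps below pushes to the
# repository or writes issues/PRs.
permissions:
  contents: read

jobs:
  detect-changes:
    runs-on: ubuntu-latest
    outputs:
      run_backend: ${{ steps.filter.outputs.run_backend }}
      run_frontend: ${{ steps.filter.outputs.run_frontend }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the selection script can diff against the base branch.
          fetch-depth: 0
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Fetch base branch for diff
        if: github.event_name == 'pull_request'
        env:
          BASE_REF: ${{ github.base_ref }}
        run: git fetch origin "$BASE_REF" --depth=1
      # Test-selection policy (which suites run for which changes, plus the
      # full-suite fallbacks) is documented in docs/ci-test-selection.md
      - name: Determine test selection
        id: filter
        env:
          GITHUB_EVENT_NAME: ${{ github.event_name }}
        run: python3 scripts/select_tests.py

  formatting-hygiene:
    needs: detect-changes
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Check formatting hygiene on changed files
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          git fetch origin "$BASE_REF" --depth=1
          git diff --check "origin/${BASE_REF}...HEAD"

  issue-template-label-validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Validate issue template labels
        run: python scripts/validate_issue_template_labels.py

  doc-anchor-validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Validate documentation anchors
        run: python scripts/validate_doc_anchors.py

  backend-lint:
    needs: detect-changes
    if: needs.detect-changes.outputs.run_backend == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend development dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run backend lint baseline
        run: ruff check backend testing/backend

  backend-unit:
    needs: [detect-changes, backend-lint, formatting-hygiene]
    # always() is required so the job is evaluated even when formatting-hygiene
    # was skipped (push events); the explicit result checks then decide.
    if: |
      always() &&
      needs.detect-changes.outputs.run_backend == 'true' &&
      (needs.backend-lint.result == 'success' || needs.backend-lint.result == 'skipped') &&
      (needs.formatting-hygiene.result == 'success' || needs.formatting-hygiene.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run unit tests
        run: pytest testing/backend/unit -q -m "not benchmark"

  backend-integration:
    needs: [detect-changes, backend-lint, formatting-hygiene]
    if: |
      always() &&
      needs.detect-changes.outputs.run_backend == 'true' &&
      (needs.backend-lint.result == 'success' || needs.backend-lint.result == 'skipped') &&
      (needs.formatting-hygiene.result == 'success' || needs.formatting-hygiene.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run integration tests
        run: pytest testing/backend/integration -q -m "not benchmark"

  parser-contracts:
    needs: [detect-changes, backend-lint, formatting-hygiene]
    if: |
      always() &&
      needs.detect-changes.outputs.run_backend == 'true' &&
      (needs.backend-lint.result == 'success' || needs.backend-lint.result == 'skipped') &&
      (needs.formatting-hygiene.result == 'success' || needs.formatting-hygiene.result == 'skipped')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # One job per parser capability group; the group is handed to pytest
        # through PARSER_CAPABILITY_GROUP.
        capability_group:
          - network
          - intrusive
          - credentials
          - exploit
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run parser contract tests for capability group ${{ matrix.capability_group }}
        env:
          PARSER_CAPABILITY_GROUP: ${{ matrix.capability_group }}
        run: |
          echo "Running parser contract tests for capability group: $PARSER_CAPABILITY_GROUP"
          pytest testing/backend/integration/test_parser_output_contract.py -q

  backend-tests:
    needs:
      - backend-unit
      - backend-integration
      - parser-contracts
    runs-on: ubuntu-latest
    # Gate job for branch protection. A job whose `if` evaluates to false is
    # reported as "skipped", and a skipped job satisfies a required status
    # check; so this job must always run and fail explicitly when any upstream
    # suite failed or was cancelled (same pattern as frontend-checks below).
    if: always()
    steps:
      - name: Backend test suites completed
        env:
          UNIT_RESULT: ${{ needs.backend-unit.result }}
          INTEGRATION_RESULT: ${{ needs.backend-integration.result }}
          CONTRACTS_RESULT: ${{ needs.parser-contracts.result }}
        run: |
          for result in "$UNIT_RESULT" "$INTEGRATION_RESULT" "$CONTRACTS_RESULT"; do
            if [ "$result" != "success" ] && [ "$result" != "skipped" ]; then
              echo "Backend test suite failed or was cancelled (unit=$UNIT_RESULT, integration=$INTEGRATION_RESULT, parser-contracts=$CONTRACTS_RESULT)"
              exit 1
            fi
          done
          echo "backend-unit, backend-integration, and parser-contracts completed"

  backend-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run pip-audit on backend
        id: pip_audit
        # pip-audit exits non-zero when it finds vulnerabilities. The raw exit
        # code is recorded as a step output and the step itself exits 0; the
        # pass/fail decision against the severity policy is made by the
        # following check step.
        run: |
          mkdir -p "$GITHUB_WORKSPACE/backend"
          pip-audit -r backend/requirements.txt --desc --format json > "$GITHUB_WORKSPACE/backend/pip-audit-report.json" || {
            EXIT_CODE=$?
            echo "EXIT_CODE=$EXIT_CODE" >> "$GITHUB_OUTPUT"
            exit 0  # Check severity next
          }
        # The script above already exits 0 on findings; this only guards the
        # mkdir/redirect failures so the report upload below still runs.
        continue-on-error: true
      - name: Check pip-audit results
        run: |
          python "$GITHUB_WORKSPACE/scripts/check_pip_audit.py" \
            --report "$GITHUB_WORKSPACE/backend/pip-audit-report.json" \
            --config "$GITHUB_WORKSPACE/.audit-config.yaml"
      - name: Generate CycloneDX SBOM
        run: |
          python "$GITHUB_WORKSPACE/scripts/generate_sbom.py" --output "$GITHUB_WORKSPACE/sbom.json" --include-dev
      - name: Upload pip-audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: ${{ github.workspace }}/backend/pip-audit-report.json
      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: ${{ github.workspace }}/sbom.json

  benchmark:
    runs-on: ubuntu-latest
    # Default `if: success()` semantics: when backend-lint is skipped (no
    # backend changes) this job is skipped as well.
    needs: [backend-lint]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install backend system dependencies
        run: sudo apt-get update && sudo apt-get install -y libcairo2-dev pkg-config
      - name: Install backend dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt -r backend/requirements-dev.txt
      - name: Run benchmarks
        id: run_benchmarks
        run: python3 scripts/run_benchmarks.py
        # Benchmark regressions are advisory: the job stays green and a warning
        # annotation is emitted instead (see the last step).
        continue-on-error: true
      - name: Upload benchmark comparison artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: benchmark-threshold-comparison
          path: |
            benchmark_results.json
            benchmark_threshold_comparison.json
      - name: Add warning annotation on failure
        if: steps.run_benchmarks.outcome == 'failure'
        run: |
          echo "::warning::Performance benchmark thresholds exceeded or benchmarks failed to run. Check the job logs for details."

  frontend-run-checks:
    needs: [detect-changes, formatting-hygiene]
    if: |
      always() &&
      needs.detect-changes.outputs.run_frontend == 'true' &&
      (needs.formatting-hygiene.result == 'success' || needs.formatting-hygiene.result == 'skipped')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [20, 22]
    defaults:
      run:
        # Applies to `run:` steps only; `with.path` values below stay
        # workspace-relative.
        working-directory: frontend
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: Install frontend dependencies
        run: npm ci
      - name: Run npm audit
        id: npm_audit
        # Same deferred-failure pattern as the pip-audit step: record the exit
        # code, keep the step green, and let the check step apply the policy.
        run: |
          npm audit --json > "$GITHUB_WORKSPACE/frontend/npm-audit-report.json" || {
            EXIT_CODE=$?
            echo "EXIT_CODE=$EXIT_CODE" >> "$GITHUB_OUTPUT"
            exit 0  # Check severity next
          }
        continue-on-error: true
      - name: Install Python YAML library
        run: pip install pyyaml
      - name: Check npm audit results
        run: python "$GITHUB_WORKSPACE/scripts/check_npm_audit.py" --report "$GITHUB_WORKSPACE/frontend/npm-audit-report.json" --config "$GITHUB_WORKSPACE/.audit-config.yaml"
      - name: Upload npm-audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          # upload-artifact@v4 rejects a second upload to an existing artifact
          # name, so each matrix leg needs its own name.
          name: npm-audit-report-node${{ matrix.node-version }}
          path: frontend/npm-audit-report.json
      - name: Run frontend TypeScript typecheck
        run: npm run typecheck
      - name: Note TypeScript typecheck in job summary
        if: always()
        run: |
          echo "Frontend TypeScript typecheck: npm run typecheck" >> "$GITHUB_STEP_SUMMARY"
      - name: Run frontend quality gate
        run: npm run quality
      - name: Run unit tests
        run: npm run test
      - name: Build frontend
        run: npm run build

  frontend-checks:
    needs: [frontend-run-checks]
    # Gate job: runs on every outcome and fails explicitly, so that a failed
    # matrix leg cannot be reported as "skipped" to branch protection.
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Check matrix results
        env:
          FRONTEND_RESULT: ${{ needs.frontend-run-checks.result }}
        run: |
          if [ "$FRONTEND_RESULT" = "success" ] || [ "$FRONTEND_RESULT" = "skipped" ]; then
            echo "Frontend checks completed successfully or skipped"
            exit 0
          else
            echo "Frontend checks failed"
            exit 1
          fi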