Time-Shift Proxmox CI/CD #23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Time-Shift Proxmox CI/CD | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| # Run security scans weekly | |
| - cron: '0 2 * * 1' | |
| env: | |
| PYTHON_VERSION: '3.11' | |
| POETRY_VERSION: '1.6.1' | |
| jobs: | |
| # Code Quality and Linting | |
| quality: | |
| name: Code Quality & Linting | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: ${{ env.POETRY_VERSION }} | |
| - name: Install dependencies | |
| run: | | |
| poetry install --with dev | |
| - name: Run Black (code formatting) | |
| run: poetry run black --check --diff . | |
| - name: Run isort (import sorting) | |
| run: poetry run isort --check-only --diff . | |
| - name: Run flake8 (linting) | |
| run: poetry run flake8 . | |
| - name: Run mypy (type checking) | |
| run: poetry run mypy lib/ bin/ | |
| continue-on-error: true # Type checking may have missing stubs | |
| - name: Run bandit (security linting) | |
| run: | | |
| poetry run bandit -r . -f json -o bandit-report.json | |
| poetry run bandit -r . -f txt | |
| continue-on-error: true | |
| - name: Upload security report | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: security-report | |
| path: bandit-report.json | |
| # Testing | |
| test: | |
| name: Tests | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, ubuntu-20.04] | |
| python-version: ['3.8', '3.9', '3.10', '3.11'] | |
| exclude: | |
| # Reduce test matrix size | |
| - os: ubuntu-20.04 | |
| python-version: '3.9' | |
| - os: ubuntu-20.04 | |
| python-version: '3.10' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: ${{ env.POETRY_VERSION }} | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y jq pandoc | |
| - name: Install Python dependencies | |
| run: | | |
| poetry install --with dev | |
| - name: Run tests with coverage | |
| run: | | |
| poetry run pytest tests/ \ | |
| --cov=lib \ | |
| --cov=bin \ | |
| --cov-report=xml \ | |
| --cov-report=term-missing \ | |
| --junitxml=test-results.xml | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| file: ./coverage.xml | |
| flags: unittests | |
| name: codecov-umbrella | |
| - name: Upload test results | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: test-results-${{ matrix.os }}-${{ matrix.python-version }} | |
| path: test-results.xml | |
| # Security Scanning | |
| security: | |
| name: Security Scanning | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'schedule' || github.event_name == 'push' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: ${{ env.POETRY_VERSION }} | |
| - name: Install dependencies | |
| run: poetry install --with dev | |
| - name: Run Safety (dependency vulnerability scan) | |
| run: | | |
| poetry run safety check --json --output safety-report.json | |
| poetry run safety check | |
| continue-on-error: true | |
| - name: Run Semgrep (static analysis) | |
| uses: returntocorp/semgrep-action@v1 | |
| with: | |
| config: auto | |
| generateSarif: "1" | |
| continue-on-error: true | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: always() | |
| with: | |
| sarif_file: semgrep.sarif | |
| - name: Upload security reports | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: security-reports | |
| path: | | |
| safety-report.json | |
| semgrep.sarif | |
| # Docker Build and Test | |
| docker: | |
| name: Docker Build & Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| run: | | |
| docker build -t time-shift-proxmox:test . | |
| - name: Test Docker image | |
| run: | | |
| docker run --rm time-shift-proxmox:test --version | |
| - name: Scan Docker image for vulnerabilities | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'time-shift-proxmox:test' | |
| format: 'sarif' | |
| output: 'docker-security.sarif' | |
| - name: Upload Docker security scan | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: always() | |
| with: | |
| sarif_file: docker-security.sarif | |
| # Documentation | |
| docs: | |
| name: Documentation | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install documentation dependencies | |
| run: | | |
| pip install mkdocs mkdocs-material mkdocs-mermaid2-plugin | |
| - name: Check documentation links | |
| run: | | |
| # Check for broken internal links | |
| grep -r "\[.*\](" docs/ README.md || true | |
| - name: Generate API documentation | |
| run: | | |
| # This would generate API docs from docstrings | |
| echo "API documentation generation would go here" | |
| - name: Validate configuration schemas | |
| run: | | |
| python3 -c " | |
| import sys, json | |
| sys.path.insert(0, 'lib') | |
| try: | |
| from config_models import TimeShiftConfig | |
| schema = TimeShiftConfig.schema() | |
| with open('docs/config-schema.json', 'w') as f: | |
| json.dump(schema, f, indent=2) | |
| print('✅ Configuration schema generated') | |
| except ImportError: | |
| print('⚠️ Pydantic not installed, skipping schema generation') | |
| " | |
| # Integration Tests (only on main branch) | |
| integration: | |
| name: Integration Tests | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' | |
| needs: [quality, test] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y jq pandoc texlive-latex-base | |
| - name: Run integration tests | |
| run: | | |
| # Mock integration tests | |
| echo "Integration tests would run here" | |
| echo "Testing CLI commands, configuration validation, etc." | |
| # Test script executability | |
| chmod +x bin/*.py | |
| python3 bin/modern_setup.py --help | |
| # Test configuration validation | |
| python3 -c " | |
| import sys, json | |
| sys.path.insert(0, 'lib') | |
| try: | |
| with open('etc/time-shift-config.json') as f: | |
| config_data = json.load(f) | |
| print('✅ Configuration file is valid JSON') | |
| except Exception as e: | |
| print(f'❌ Configuration validation failed: {e}') | |
| sys.exit(1) | |
| " | |
| # Release (only on tags) | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| needs: [quality, test, security, docker] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: ${{ env.POETRY_VERSION }} | |
| - name: Build package | |
| run: | | |
| poetry build | |
| - name: Create GitHub Release | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| files: | | |
| dist/* | |
| generate_release_notes: true | |
| draft: false | |
| prerelease: ${{ contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Publish to PyPI | |
| if: "!contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc')" | |
| run: | | |
| poetry config pypi-token.pypi ${{ secrets.PYPI_TOKEN }} | |
| poetry publish | |
| continue-on-error: true | |
| # Dependency Updates (scheduled) | |
| dependency-update: | |
| name: Dependency Updates | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'schedule' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install Poetry | |
| uses: snok/install-poetry@v1 | |
| with: | |
| version: ${{ env.POETRY_VERSION }} | |
| - name: Update dependencies | |
| run: | | |
| poetry update | |
| - name: Create Pull Request | |
| uses: peter-evans/create-pull-request@v5 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| commit-message: 'chore: update dependencies' | |
| title: 'chore: automated dependency updates' | |
| body: | | |
| Automated dependency updates by GitHub Actions. | |
| Please review the changes and ensure all tests pass before merging. | |
| branch: automated-dependency-updates | |
| delete-branch: true |