ci: add GitHub Actions workflow — lint, typecheck, unit tests, integration, secrets scan

Claude-harness-bot · devonartis · commit 10db10a8105f · 2026-04-14T09:50:41.000-04:00
Gates: - Lint (ruff check) - Type check (mypy --strict src/) - Unit tests across Python 3.10-3.13 - Integration tests against devonartis/agentwrit Docker image - Secrets scan (gitleaks) - No-ignored-tracked files check Runs on push to develop/main and all PRs. Ref: devonartis/agentwrit#31
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,103 @@
+name: CI
+
+on:
+  push:
+    branches: [develop, main]
+  pull_request:
+    branches: [develop, main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+      - run: uv sync --all-extras
+      - run: uv run ruff check .
+
+  typecheck:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+      - run: uv sync --all-extras
+      - run: uv run mypy --strict src/
+
+  unit-tests:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+      - run: uv python install ${{ matrix.python-version }}
+      - run: uv sync --all-extras --python ${{ matrix.python-version }}
+      - run: uv run pytest tests/unit/ -q
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    services:
+      broker:
+        image: devonartis/agentwrit:latest
+        ports:
+          - 8080:8080
+        env:
+          AA_PORT: "8080"
+          AA_BIND_ADDRESS: "0.0.0.0"
+          AA_ADMIN_SECRET: ${{ secrets.AA_ADMIN_SECRET }}
+        options: >-
+          --health-cmd "wget --spider -q http://localhost:8080/v1/health"
+          --health-interval 2s
+          --health-timeout 3s
+          --health-retries 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+      - run: uv sync --all-extras
+      - name: Run integration tests
+        env:
+          AGENTAUTH_BROKER_URL: http://localhost:8080
+          AGENTAUTH_ADMIN_SECRET: ${{ secrets.AA_ADMIN_SECRET }}
+        run: uv run pytest -m integration -q
+
+  secrets-scan:
+    name: Secrets Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  no-ignored-tracked:
+    name: No Ignored Files Tracked
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check for tracked files that should be ignored
+        run: |
+          tracked_ignored=$(git ls-files -i --exclude-standard 2>/dev/null || true)
+          if [ -n "$tracked_ignored" ]; then
+            echo "ERROR: These tracked files are in .gitignore:"
+            echo "$tracked_ignored"
+            exit 1
+          fi
+          echo "Clean — no tracked files match .gitignore patterns."
