Apply CodeRabbit AI suggestions for code improvements and optimizations #23
| name: Push CI | |
| on: | |
| push: | |
| branches: [master] | |
| jobs: | |
| repo-guards: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Ensure .code/ and .env are not tracked | |
| shell: bash | |
| run: | | |
| tracked_code="$(git ls-files -- .code)" | |
| tracked_env="$(git ls-files -- .env)" | |
| if [ -n "$tracked_code" ] || [ -n "$tracked_env" ]; then | |
| echo "Local-only policy and secrets files must not be tracked." | |
| if [ -n "$tracked_code" ]; then | |
| echo "Tracked .code/ entries:" | |
| echo "$tracked_code" | |
| fi | |
| if [ -n "$tracked_env" ]; then | |
| echo "Tracked .env entries:" | |
| echo "$tracked_env" | |
| fi | |
| exit 1 | |
| fi | |
| python: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install dependencies | |
| run: pip install -r requirements.txt | |
| - name: Lint with ruff | |
| run: ruff check . | |
| - name: Run security tests | |
| run: python -m pytest tests/test_security.py tests/test_security_integration.py -v | |
| ui: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ui | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| cache-dependency-path: ui/package-lock.json | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Lint | |
| run: npm run lint | |
| - name: Type check & Build | |
| run: npm run build | |
| docker-image: | |
| needs: [python, ui] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| env: | |
| IMAGE_NAME: ghcr.io/${{ github.repository }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| platforms: linux/amd64 | |
| push: true | |
| tags: | | |
| ${{ env.IMAGE_NAME }}:latest | |
| ${{ env.IMAGE_NAME }}:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max |
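Review bot: The `docker-image` job declares `needs: [python, ui]` only, so the image is still built from context `.` and pushed to ghcr.io with `:latest` and `:${{ github.sha }}` even when `repo-guards` fails — exactly the case where a tracked `.env` or `.code/` entry would end up inside the build context. The guard should gate the publish step: `needs: [repo-guards, python, ui]`. Only `docker-image` sets a `permissions` block, so `repo-guards`, `python` and `ui` run with the repository's default `GITHUB_TOKEN` grant; a workflow-level `permissions: { contents: read }` above `jobs:` would make every job least-privilege and leave the `packages: write` grant scoped to the one job that needs it. The actions are referenced by mutable major tags (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v6`, and the rest), which a tag move upstream can silently change; pinning each to its full commit SHA with the tag kept in a trailing comment is the usual supply-chain hardening for a workflow that holds a registry-write token.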