chore: import upstream snapshot with attribution
CI / test (3.10) (push) Failing after 1s
CI / test (3.12) (push) Failing after 0s
CI / skillgen-check (push) Failing after 0s
CI / security-scan (push) Failing after 0s

This commit is contained in:
wehub-resource-sync
2026-07-13 12:09:14 +08:00
commit d88fd01084
727 changed files with 235247 additions and 0 deletions
+1
View File
@@ -0,0 +1 @@
github: safishamsi
+106
View File
@@ -0,0 +1,106 @@
name: CI
on:
push:
branches: ["v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "main"]
pull_request:
branches: ["v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "main"]
workflow_dispatch:
jobs:
skillgen-check:
# Fast lint-style guard: the skill files under graphify/ are generated from
# the fragments in tools/skillgen/. This fails if someone hand-edited a
# generated file or forgot to re-run the generator and bless expected/, and it
# runs the build-time validators that guard per-host coverage, the file_type
# enum, the monolith round-trips, and the always-on round-trips.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
# The audit-coverage, monolith-roundtrip, and always-on-roundtrip
# validators read blobs from origin/v8. A shallow checkout omits that
# ref, so fetch the full history here and the validators run for real
# (rather than skipping). The other jobs stay shallow.
fetch-depth: 0
- name: Install uv
uses: astral-sh/setup-uv@v8.1.0
with:
python-version: "3.12"
# --frozen keeps uv from re-resolving and rewriting uv.lock as a side
# effect of `uv run`; the lock is committed and must not churn in CI.
- name: Check generated skill artifacts are up to date
run: uv run --frozen python -m tools.skillgen --check
- name: Audit per-host v8 coverage
run: uv run --frozen python -m tools.skillgen --audit-coverage
- name: Check the file_type enum is a singleton
run: uv run --frozen python -m tools.skillgen --schema-singleton
- name: Round-trip the monoliths against v8
run: uv run --frozen python -m tools.skillgen --monolith-roundtrip
- name: Round-trip the always-on blocks against v8
run: uv run --frozen python -m tools.skillgen --always-on-roundtrip
test:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.10", "3.12"]
steps:
- uses: actions/checkout@v6
with:
# test_skillgen.py reads pre-split skill bodies from the immutable
# baseline commit via `git show`; a shallow checkout omits that history
# and the baseline tests fail. Full history mirrors the skillgen-check job.
fetch-depth: 0
- name: Install uv
uses: astral-sh/setup-uv@v8.1.0
with:
python-version: ${{ matrix.python-version }}
# --frozen installs straight from the committed uv.lock without re-resolving
# or rewriting it, so CI never churns the lock.
- name: Install dependencies
run: uv sync --all-extras --frozen
- name: Run tests
run: uv run --frozen pytest tests/ -q --tb=short
- name: Verify install works end-to-end
run: |
uv run --frozen graphify --help
uv run --frozen graphify install
security-scan:
# The dev deps include bandit and pip-audit. Run them in CI so a new
# HIGH-severity finding or vulnerable dependency is caught on the PR that
# introduces it, rather than at the next manual audit.
# Non-blocking for now (continue-on-error) to avoid breaking CI on
# pre-existing findings; remove continue-on-error after the initial
# cleanup pass.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install uv
uses: astral-sh/setup-uv@v8.1.0
with:
python-version: "3.12"
- name: Install dependencies
run: uv sync --frozen
- name: bandit (static security analysis)
continue-on-error: true
run: uv run --frozen bandit -r graphify -ll
- name: pip-audit (dependency vulnerabilities)
continue-on-error: true
run: uv run --frozen pip-audit --strict
+64
View File
@@ -0,0 +1,64 @@
name: Release graph asset
on:
release:
types: [published]
workflow_dispatch:
jobs:
build-graph:
runs-on: ubuntu-latest
permissions:
contents: write # needed to upload release assets
steps:
- uses: actions/checkout@v6
- name: Install uv
uses: astral-sh/setup-uv@v8.1.0
with:
python-version: "3.12"
- name: Install graphify
run: uv sync --frozen
- name: Build graph of graphify source (AST-only, no API cost)
# graphify/skills/ contains 126+ .md files that trigger the LLM pass.
# Temporarily ignore all .md files so extraction stays pure AST (no API key needed).
run: |
echo "*.md" >> .graphifyignore
echo "*.txt" >> .graphifyignore
uv run --frozen graphify extract graphify/ --out .
git checkout .graphifyignore 2>/dev/null || rm -f .graphifyignore
- name: Cluster, label communities and generate GRAPH_REPORT.md
# cluster-only writes GRAPH_REPORT.md and names communities (no LLM needed
# for basic numeric labels; --no-label skips LLM labeling entirely).
run: uv run --frozen graphify cluster-only . --no-label
- name: Generate HTML viewer
run: uv run --frozen graphify export html --graph graphify-out/graph.json
- name: Bundle release asset
run: |
mkdir -p dist-graph
cp graphify-out/graph.json dist-graph/
cp graphify-out/graph.html dist-graph/
[ -f graphify-out/GRAPH_REPORT.md ] && cp graphify-out/GRAPH_REPORT.md dist-graph/ || true
tar -czf graphify-self-graph.tar.gz -C dist-graph .
echo "Asset contents:"
tar -tzf graphify-self-graph.tar.gz
- name: Upload to GitHub release
if: github.event_name == 'release'
uses: softprops/action-gh-release@v2
with:
files: graphify-self-graph.tar.gz
- name: Upload as workflow artifact (for workflow_dispatch runs)
if: github.event_name == 'workflow_dispatch'
uses: actions/upload-artifact@v4
with:
name: graphify-self-graph
path: graphify-self-graph.tar.gz
retention-days: 7