Files
stemdeckapp--stemdeck/.github/workflows/ci.yml
T
wehub-resource-sync 8f10353f0c
CI / lint (push) Has been cancelled
CI / js-syntax (push) Successful in 10m24s
CI / deps-audit (push) Has been cancelled
CI / test (push) Failing after 24m55s
CI / sast-bandit (push) Failing after 11m13s
CI / trivy (push) Failing after 9m32s
Docker Publish / build-and-push (push) Failing after 34m3s
chore: import upstream snapshot with attribution
2026-07-13 12:32:09 +08:00

144 lines
5.1 KiB
YAML

# GitHub Actions: lint + unit tests + security scans.
# Does not build or publish artifacts. Image scanning is done via
# trivy fs on the project tree (covers deps, secrets, and Dockerfile
# misconfig) so CI does not need a docker-in-docker setup.
name: CI
on:
pull_request:
push:
branches: [main]
release:
types: [published]
env:
UV_LINK_MODE: copy
# Version is git-derived (hatch-vcs). CI's clone is shallow/tagless, which
# makes setuptools_scm raise, so pin a placeholder for the build -- CI only
# lints/tests and never publishes. #169
SETUPTOOLS_SCM_PRETEND_VERSION: "0.0.0"
jobs:
lint:
runs-on: ubuntu-latest
container:
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
steps:
- uses: actions/checkout@v7
- run: uv sync --frozen --all-extras
- run: uv run ruff check app/ tests/
- run: uv run ruff format --check app/ tests/
- run: bash -n run.sh
test:
runs-on: ubuntu-latest
container:
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
steps:
- uses: actions/checkout@v7
- run: apt-get update && apt-get install -y --no-install-recommends ffmpeg
- run: uv sync --frozen --all-extras
- run: uv run pytest tests/ -q
js-syntax:
runs-on: ubuntu-latest
container:
image: node:20-alpine
steps:
- uses: actions/checkout@v7
- run: for f in static/js/*.js; do node --check "$f"; done
sast-bandit:
runs-on: ubuntu-latest
container:
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
steps:
- uses: actions/checkout@v7
- run: uv tool install bandit
- run: uv tool run bandit -r app/ -ll # fail on medium+ severity
deps-audit:
runs-on: ubuntu-latest
container:
image: ghcr.io/astral-sh/uv:python3.12-bookworm-slim
steps:
- uses: actions/checkout@v7
- run: uv tool install pip-audit
- run: uv pip compile pyproject.toml -o /tmp/requirements.txt
# Ignored CVEs (review when upgrading torch or demucs):
#
# torch 2.6.0 -- pinned to <2.7 because torchaudio 2.7+ removed its
# built-in audio writer and now requires torchcodec, which has ABI
# issues that break demucs 4.0.1's torchaudio.save() path. All torch
# CVEs below are in ops that StemDeck does not invoke; risk on a
# local-only, single-user app is negligible. Re-evaluate once demucs
# supports torch 2.7+ without torchcodec.
#
# joblib PYSEC-2024-277 -- no fix version available as of 2026-05-21
# (1.5.3 is latest). joblib is a transitive dep via demucs/librosa;
# StemDeck does not directly invoke joblib serialization. Drop once
# a patched release is available.
- run: |
uv tool run pip-audit -r /tmp/requirements.txt --strict \
--ignore-vuln CVE-2025-2953 \
--ignore-vuln CVE-2025-3730 \
--ignore-vuln PYSEC-2025-189 \
--ignore-vuln PYSEC-2025-190 \
--ignore-vuln PYSEC-2025-192 \
--ignore-vuln PYSEC-2025-193 \
--ignore-vuln PYSEC-2025-194 \
--ignore-vuln PYSEC-2025-195 \
--ignore-vuln PYSEC-2025-196 \
--ignore-vuln PYSEC-2025-197 \
--ignore-vuln PYSEC-2025-198 \
--ignore-vuln PYSEC-2025-199 \
--ignore-vuln PYSEC-2025-200 \
--ignore-vuln PYSEC-2025-201 \
--ignore-vuln PYSEC-2025-202 \
--ignore-vuln PYSEC-2025-203 \
--ignore-vuln PYSEC-2025-204 \
--ignore-vuln PYSEC-2025-205 \
--ignore-vuln PYSEC-2025-206 \
--ignore-vuln PYSEC-2025-207 \
--ignore-vuln PYSEC-2025-208 \
--ignore-vuln PYSEC-2025-209 \
--ignore-vuln PYSEC-2025-210 \
--ignore-vuln PYSEC-2026-139 \
--ignore-vuln PYSEC-2024-277 \
--ignore-vuln CVE-2025-2148 \
--ignore-vuln CVE-2025-2149 \
--ignore-vuln CVE-2025-2998 \
--ignore-vuln CVE-2025-2999 \
--ignore-vuln CVE-2025-3000 \
--ignore-vuln CVE-2025-3001
trivy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
# Scans the source tree for: known CVEs in deps, leaked secrets,
# and Dockerfile / compose misconfigurations. Skips .venv (it can
# be left over from earlier steps in the shared workspace; trivy
# would scan its bundled extractor files and flag false-positive
# secrets that ship inside third-party packages like yt-dlp).
- name: trivy fs
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
scanners: vuln,secret,misconfig
severity: HIGH,CRITICAL
exit-code: '1'
ignore-unfixed: true
trivyignores: .trivyignore
skip-dirs: .venv,jobs
# Dedicated Dockerfile + compose static analysis (Trivy's IaC linter).
- name: trivy config
uses: aquasecurity/trivy-action@master
with:
scan-type: config
scan-ref: build/
severity: HIGH,CRITICAL
exit-code: '1'