Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 11 additions & 3 deletions .github/workflows/code-quality.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ jobs:
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install ruff mypy pydantic vulture radon
pip install ruff mypy pydantic vulture radon bandit openenv-core
pip install -e ".[dev,demo]"

- name: Lint and Format with Ruff
Expand All @@ -38,6 +38,10 @@ jobs:
run: |
mypy .

- name: Security checks with Bandit
run: |
bandit -r . -c pyproject.toml

- name: Dead Code Detection with Vulture
run: |
vulture . --min-confidence 80 --exclude .venv,venv,.cursor,web/node_modules
Expand All @@ -51,6 +55,10 @@ jobs:
run: |
python -m pytest tests/ -q --tb=line

- name: OpenEnv validation
run: |
openenv validate .

frontend-quality:
runs-on: ubuntu-latest
defaults:
Expand Down Expand Up @@ -87,7 +95,7 @@ jobs:
node-version: '24'

- name: Install jscpd
run: npm install -g jscpd
run: npm install -g jscpd@4.0.0

- name: Check for duplicate code
run: jscpd . --ignore "**/*.json,**/*.md,**/*.yaml,**/*.yml,**/package-lock.json,**/node_modules/**,**/venv/**,**/.venv/**" --threshold 5
run: jscpd . --ignore "**/*.json,**/*.md,**/*.yaml,**/*.yml,**/package-lock.json,**/node_modules/**,**/venv/**,**/.venv/**,**/dist/**,**/build/**" --threshold 5
36 changes: 36 additions & 0 deletions CYCLE_8_REPORT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Cycle 8 Report

## Repository Health Report
- **Strengths:** Robust local validation tooling (`validate-submission.sh`) ensuring linting, formatting, type-safety, and test coverage. Existing GitHub Actions pipeline for initial Continuous Integration (CI) efforts.
- **Weaknesses:** The existing CI pipeline does not perfectly mirror the strictness of the local validation script. Specifically, it lacks server-side enforcement of SAST (Bandit) checks and domain-specific validations (`openenv validate`). Furthermore, some pipeline tools like `jscpd` are not pinned to stable versions, creating risks of platform dependency failures.
- **Risks:** Drifting environments between local development and CI pipelines can allow vulnerabilities, environment misconfigurations, or platform-specific errors to pass into the `main` branch. Unpinned tools may break the CI pipeline unexpectedly due to upstream updates.
- **Opportunities:** Synchronize the CI pipeline with local validation standards. Add Bandit and openenv-core to the CI workflow, and stabilize dependency versions (e.g., pinning `jscpd` to 4.0.0) to create a resilient, predictable, and fully comprehensive server-side quality gate.

## Competitor Analysis
- **Repositories Analyzed:** Leading Python open-source frameworks and production-grade microservices.
- **Advantages Discovered:** High-quality repositories ensure identical validation standards across local hooks and automated server CI, minimizing "it works on my machine" issues. They also tightly pin critical CI tool versions to prevent unexpected breakages.
- **Gaps Identified:** The repository's CI lacked automated SAST and OpenEnv validation. Additionally, tool failures from unpinned frontend duplicate code checkers (jscpd v5+) risk failing valid PRs.
- **Opportunities to Outperform:** By mirroring 100% of local validation on the CI server and ensuring CI tool stability, we guarantee an unbreakable, strictly enforced path to production.

## Priority Improvements
1. **Synchronize CI with Local Standards:** Update the GitHub Actions workflow (`.github/workflows/code-quality.yml`) to include Bandit for SAST and `openenv validate` for domain verification.
2. **Stabilize CI Tooling:** Pin `jscpd` to version 4.0.0 and update its ignore patterns to exclude build artifacts, resolving cross-platform and flag incompatibility issues.

## Sprint Plan
- **Sprint Goal:** Achieve full parity between local validation scripts and the server-side CI pipeline while stabilizing pipeline dependencies.
- **Tasks:**
1. Write `CYCLE_8_REPORT.md` to define the CI modernization and stability sprint.
2. Update `.github/workflows/code-quality.yml` to install `bandit` and `openenv-core`.
3. Add `bandit` and `openenv validate` execution steps to the CI pipeline.
4. Pin `jscpd` to `4.0.0` and update the ignore patterns to prevent build artifact false positives.
5. Run local validation checks to ensure zero regressions.
- **Implementation Roadmap:** Write report -> Update Workflow -> Run validations -> Commit.
- **Expected Outcomes:** A CI pipeline that exactly mirrors local security and domain validation checks, resistant to upstream tool regressions.

## Technical Improvements
- **DevOps/CI:** Ensured full parity between the local `validate-submission.sh` script and the server-side `.github/workflows/code-quality.yml` pipeline by adding Bandit and `openenv validate`.
- **Infrastructure Stability:** Eliminated CI pipeline fragility by pinning `jscpd` to a stable version (4.0.0) that is cross-platform compatible without missing binaries.

## Metrics Improved
- **Security Posture:** Achieved 100% automated server-side enforcement of SAST (Bandit) checks on all pull requests and pushes.
- **CI Reliability:** Reduced pipeline failure risk by pinning unstable third-party tooling (`jscpd`) and explicitly excluding `dist/` and `build/` directories from analysis.
Loading