ci: CI & supply-chain hardening (#141, #195, #202, #205, #208, #209, #210, #212, #225, #232) #234
…pec conformance adapter

Adds the locally-verifiable CI gates from the hardening group:

- #141: branch-coverage config in pyproject ([tool.coverage.run/report]) with a ratchet floor of fail_under=90 (measured 93.9%); `make test` now runs --cov-branch --cov-report=term-missing so the local gate matches CI.
- #195: tests/test_docstrings.py enforces a docstring (+ Args: for functions with params) on every __all__ symbol; tests/test_doctests.py runs curated inline doctests (default_token_counter). Filled the few thin docstrings (merge_sensitivity, traces_to_ocsf, record_decision).
- #202: tests/test_architecture.py enforces import boundaries (firewall/drivers/router/models stay within their allowed leaf imports) and a module-size ratchet (current over-budget files pinned; new files capped at 300 lines), stdlib ast only.
- #225: weaver_kernel/conformance.py maps Frame/ActionTrace/CapabilityToken to the published weaver-contracts dataclasses (lazy optional import); a new `conformance` extra pins weaver-contracts; tests/test_conformance.py validates the mappings (skipped when the extra is absent).

make ci passes: 730 passed, 1 skipped, 93.9% branch coverage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AGeBGThsRwnZuREUV8GoKH
…nd scanning

- #209: SHA-pin every action in ci.yml (copied from publish.yml) and declare workflow-level least-privilege `permissions: contents: read`. No floating action tags remain in any workflow.
- #210: ci.yml test job now invokes Makefile targets (fmt-check/lint/type/test/example) so the local gate and CI cannot drift; all 13 examples run via `make example` (previously only 8 ran inline).
- #232: pip caching (cache: pip, keyed on pyproject.toml) and a top-level concurrency group with cancel-in-progress (ci.yml only — publish is never cancelled).
- #208: new bare-install job — installs with no extras, imports the full public API, runs the README quickstart, asserts optional extras are genuinely absent, and asserts the MCP-extra-missing ImportError is actionable.
- #205: new security-audit job (pip-audit over the runtime tree), CodeQL workflow (python, security-and-quality, PR + weekly), and Dependabot for pip (grouped, range-respecting) + github-actions.
- #225: conformance_stub placeholder replaced by a real `conformance` job that installs the conformance extra and runs the mapping tests (no echo).
- #141: per-matrix coverage HTML report uploaded as an artifact.
- #212: publish.yml generates a CycloneDX SBOM of the published runtime tree (separate sbom/ artifact, attached to the release) and enables PEP 740 PyPI attestations on the Trusted-Publisher upload.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AGeBGThsRwnZuREUV8GoKH
- README: add CodeQL + coverage-floor badges, the minimal-install guarantee, and a supply-chain/security-automation note (#141, #205, #208).
- CONTRIBUTING: document the coverage ratchet, docstring/doctest gate, and architecture-conformance gate; note CI invokes the same make targets (#141, #195, #202, #210).
- AGENTS.md: add the "Architectural conformance" layering table and note the docstring/coverage/no-extras gates in the quality bar (#202, #195, #141, #208).
- RELEASE.md: document the SBOM and PEP 740 attestation artifacts and how consumers verify them (#212).
- docs/agent-context/workflows.md: reflect CI-calls-make and the new bare-install / security-audit / conformance / CodeQL jobs (#210, #205, #225).
- CHANGELOG: record the full CI / supply-chain hardening pass under [Unreleased].

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AGeBGThsRwnZuREUV8GoKH
Pull request overview
This PR delivers a consolidated “CI / supply-chain hardening” pass across GitHub Actions workflows, test gates, and supporting docs/config, aligning CI with make ci, adding security automation (CodeQL/Dependabot/pip-audit), enforcing coverage/docstring/architecture constraints, and introducing a weaver-spec conformance adapter + tests.
Changes:
- Harden and expand CI: SHA-pinned actions + least-privilege permissions, make-target parity, caching/concurrency, coverage HTML artifacts, bare-install smoke test, pip-audit, and a new CodeQL workflow.
- Add/activate new quality/security gates: branch coverage floor, docstring + curated doctests, and architectural import/module-size enforcement.
- Add conformance mapping (`weaver_kernel.conformance`) to validate kernel objects against published `weaver-contracts`, plus documentation updates for release SBOM/attestations and contributor guidance.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| tests/test_doctests.py | Adds curated doctest execution as a CI-enforced gate. |
| tests/test_docstrings.py | Enforces docstring presence/shape for weaver_kernel.__all__ exports. |
| tests/test_conformance.py | Validates kernel→contract mappings against weaver-contracts dataclasses (optional extra). |
| tests/test_architecture.py | Adds import-boundary and module-size (300-line + ratchet) enforcement. |
| src/weaver_kernel/replay.py | Docstring enriched to satisfy the new docstring gate. |
| src/weaver_kernel/ocsf.py | Docstring enriched to satisfy the new docstring gate. |
| src/weaver_kernel/firewall/token_counting.py | Adds doctested examples for token counting helper. |
| src/weaver_kernel/federation.py | Docstring enriched to satisfy the new docstring gate. |
| src/weaver_kernel/conformance.py | New adapter mapping kernel objects to weaver-contracts types. |
| RELEASE.md | Documents SBOM + PEP 740 attestation generation and verification steps. |
| README.md | Adds badges and documents CI-enforced minimal-install + security automation. |
| pyproject.toml | Adds coverage config + conformance extra + mypy overrides. |
| Makefile | Makes make test enforce branch coverage + term-missing report. |
| docs/agent-context/workflows.md | Updates workflow docs to reflect CI↔Makefile parity and new CI-only jobs. |
| CONTRIBUTING.md | Documents coverage/docstring/architecture gates and ratchet policy. |
| CHANGELOG.md | Summarizes CI hardening and new gates/features in Unreleased. |
| AGENTS.md | Updates canonical contributor rules (coverage/docstrings/architecture gates, minimal-install claim). |
| .github/workflows/publish.yml | Adds CycloneDX SBOM generation and enables PyPI attestations. |
| .github/workflows/codeql.yml | Introduces SHA-pinned CodeQL scanning on PRs + schedule. |
| .github/workflows/ci.yml | Rewrites CI to use Makefile targets and adds new jobs (bare-install, pip-audit, conformance) + artifacts/caching/concurrency. |
| .github/dependabot.yml | Adds Dependabot config for pip + GitHub Actions updates. |
- conformance.py: correct the docstring cross-reference (ActionTrace lives in weaver_kernel.models, not .trace) and raise AgentKernelError instead of a bare KeyError when ActionTrace.event_type is unknown (repo invariant: no bare KeyError to callers).
- tests/test_architecture.py: _intra_imports now descends into module-scope if/try/with blocks so a conditional import cannot bypass the boundary rules, while still skipping TYPE_CHECKING bodies and function/class scope (the lazy optional-extra seam).
- ci.yml: the security-audit job resolves weaver-kernel's runtime dependency tree in an isolated venv and audits that requirements set, so pip-audit's own dependencies are no longer part of the audited environment.

make ci: 730 passed, 1 skipped, 93.87% branch coverage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AGeBGThsRwnZuREUV8GoKH
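
An added illustration of the module-scope import walk this commit describes (not the project's `tests/test_architecture.py`): a stdlib-`ast` collector that descends into module-level `if`/`try`/`with` blocks and skips `TYPE_CHECKING` bodies and function/class scope. The `ALLOWED` rule table, the function names and the sample module are assumptions constructed for the example.

```python
import ast

ROOT = "weaver_kernel"
# Hypothetical rule table (assumption): package -> sibling packages it may import.
ALLOWED = {"firewall": {"models"}, "drivers": {"models"}}

def _is_type_checking(test: ast.expr) -> bool:  # bare or typing.-qualified name
    return "TYPE_CHECKING" in (getattr(test, "id", None), getattr(test, "attr", None))

def intra_imports(source: str) -> set[str]:
    """First-level ROOT subpackages imported anywhere at module scope."""
    found: set[str] = set()
    def visit(stmts: list[ast.stmt]) -> None:
        for node in stmts:
            names: list[str] = []
            if isinstance(node, ast.Import):
                names = [a.name for a in node.names]
            elif isinstance(node, ast.ImportFrom) and node.level == 0:
                names = [f"{node.module}.{a.name}" for a in node.names]
            for parts in (n.split(".") for n in names):
                if parts[0] == ROOT and len(parts) > 1:
                    found.add(parts[1])
            if isinstance(node, ast.If):
                if not _is_type_checking(node.test):
                    visit(node.body)  # a conditional import still counts
                visit(node.orelse)
            elif isinstance(node, ast.Try):
                for block in (node.body, node.orelse, node.finalbody, *(h.body for h in node.handlers)):
                    visit(block)
            elif isinstance(node, ast.With):
                visit(node.body)
            # FunctionDef/ClassDef bodies are not visited: lazy imports are allowed.
    visit(ast.parse(source).body)
    return found

def violations(package: str, source: str) -> set[str]:
    return intra_imports(source) - ALLOWED[package] - {package}

# Constructed sample module, checked as if it lived under firewall/.
SAMPLE = """from weaver_kernel.models import Frame
if TYPE_CHECKING:
    from weaver_kernel.router import Router
try:
    import weaver_kernel.drivers.http
except ImportError:
    pass
def lazy():
    from weaver_kernel import federation
"""
```

Here `violations("firewall", SAMPLE)` reports only `drivers`: the import inside `try` is caught, while the `TYPE_CHECKING` and in-function imports are ignored.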
Thanks — addressed the review in
On the
Generated by Claude Code
Adds a test asserting trace_to_contract() raises AgentKernelError (naming the supported event types) when given a trace with an unmapped event_type, locking in the bare-KeyError fix and covering the previously-untested error branch (branch coverage 93.87% -> 93.91%).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01231d7jz6KPg14KciqbZLsJ
What changed
A single, coherent pass over the build pipeline and repository automation — the
"CI / supply-chain hardening" issue cluster. Closes #141, #195, #202, #205,
#208, #209, #210, #212, #225, #232.
Workflows & automation
- `.github/workflows/ci.yml` — rewritten: every action SHA-pinned (copied from `publish.yml`) with workflow-level least-privilege `permissions` (Pin CI actions to commit SHAs and set least-privilege workflow permissions #209); `test` job now invokes `make fmt-check/lint/type/test/example` so local and CI gates cannot drift and all 13 examples run (Align the CI workflow with `make ci` to eliminate drift #210); pip caching + `concurrency` cancel-in-progress (Speed up CI feedback: add pip/dependency caching and concurrency cancellation #232); new `bare-install`, `security-audit` (pip-audit), and `conformance` jobs; per-matrix coverage HTML artifact ([CI] Enforce a coverage threshold and publish a coverage badge #141, Add automated dependency and code scanning (Dependabot, pip-audit, CodeQL) #205, Add a CI job that installs and exercises the bare (no-extras) package #208, Activate the weaver-spec conformance suite in CI (replace the placeholder job) #225).
- `.github/workflows/codeql.yml` — new CodeQL workflow (`python`, `security-and-quality`, PRs + weekly) (Add automated dependency and code scanning (Dependabot, pip-audit, CodeQL) #205).
- `.github/dependabot.yml` — new; `pip` (grouped, range-respecting) + `github-actions` (Add automated dependency and code scanning (Dependabot, pip-audit, CodeQL) #205).
- `.github/workflows/publish.yml` — CycloneDX SBOM of the published runtime tree (separate `sbom/` artifact attached to the release; never uploaded to PyPI) and PEP 740 PyPI attestations on the Trusted-Publisher upload (Generate SBOMs and build attestations for releases #212).
Code / tests
- `pyproject.toml` — branch-coverage config with `fail_under = 90` (measured 93.9%), new `conformance` extra, `weaver_contracts.*` mypy override ([CI] Enforce a coverage threshold and publish a coverage badge #141, Activate the weaver-spec conformance suite in CI (replace the placeholder job) #225).
- `Makefile` — `make test` runs branch coverage + term-missing ([CI] Enforce a coverage threshold and publish a coverage badge #141, Align the CI workflow with `make ci` to eliminate drift #210).
- `tests/test_docstrings.py` + `tests/test_doctests.py` — docstring-shape gate over `__all__` and curated inline doctests; enriched 3 thin docstrings (Add a docstring-coverage and doctest gate for the public API #195).
- `tests/test_architecture.py` — stdlib-`ast` import-boundary rules + 300-line module-size ratchet (over-budget files pinned shrink-only) (Add automated architectural conformance checks (import boundaries, module budget) #202).
- `src/weaver_kernel/conformance.py` + `tests/test_conformance.py` — maps `Frame`/`ActionTrace`/`CapabilityToken` onto the published `weaver-contracts` dataclasses (lazy optional import); validated by real assertions, skipped when the extra is absent (Activate the weaver-spec conformance suite in CI (replace the placeholder job) #225).
Docs — README badges + minimal-install/security notes; CONTRIBUTING gate
docs; AGENTS.md architectural-conformance table; RELEASE.md SBOM/attestation
verification; workflows.md CI-calls-make note; CHANGELOG.
Why
These ten issues all share one implementation surface (`.github/` + the test
gates) and are far cleaner landed together than as ten near-identical PRs
serially editing the same CI YAML. The grouping rationale is in the triage
report that preceded this PR.
How verified
Local `make ci` (Python 3.11, venv): all green.
- `ruff format --check` + `ruff check` — clean (`All checks passed!`).
- `mypy src/` — `Success: no issues found in 58 source files`.
- `pytest` — 730 passed, 1 skipped; branch coverage 93.90% (`Required test coverage of 90.0% reached`).
- `make example`.
- conformance mapping validates against `weaver-contracts` 0.7.0; SBOM command produces a clean CycloneDX runtime tree.
Workflow behavior that cannot run locally (CodeQL upload, Dependabot PRs,
pip-audit network fetch, PyPI attestations/SBOM on a real tag) is exercised by
CI on this PR.
Risks / caveats
- `git ls-remote github/codeql-action` (pinned to v3.36.2); first run needs the repo's code-scanning enabled.
- `security-audit` fails on any known runtime-dep vulnerability by design; transient advisories can be allow-listed via `pip-audit --ignore-vuln <ID>` with a comment (documented in README).
- `weaver-contracts` dataclasses today; when `dgenio/weaver-spec#4` ships `weaver_contracts.conformance`, add its runner as an extra step in the `conformance` job (noted inline).
- `actions/attest-build-provenance` to avoid an unverifiable new action SHA.
🤖 Generated with Claude Code
https://claude.ai/code/session_01AGeBGThsRwnZuREUV8GoKH
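
To illustrate the SHA-pinning and workflow-level `permissions` hardening described for `ci.yml`, an added example (not the project's code): a stdlib-only audit that flags `uses:` references not pinned to a full 40-hex commit SHA. The function names, the sample workflow and the SHA in it are constructed for the example.

```python
import re

# `uses:` as a step key, optionally quoted; a trailing YAML comment is ignored.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, ref) for each `uses:` not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):  # tags, branches and short SHAs can move
            findings.append((lineno, ref))
    return findings

def has_top_level_permissions(workflow_text: str) -> bool:
    """True when `permissions:` is declared at workflow level (column 0)."""
    return any(l.startswith("permissions:") for l in workflow_text.splitlines())

# Constructed workflow: one pinned action (made-up SHA) and one floating tag.
SAMPLE = """\
name: ci
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: actions/setup-python@v5
      - run: make test
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_actions(SAMPLE):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
    print("workflow-level permissions:", has_top_level_permissions(SAMPLE))
```

Run over every file in `.github/workflows/`, a non-empty result from `unpinned_actions` is what a "no floating action tags" gate would fail on.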