Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8cbb513e2c2516473ddb630aedbbf99aa64c7cda
breakpilot-compliance/.gitea/workflows/ci.yaml
T
Benjamin Admin 4d1e0a7f8e feat(iace): GT-Bremse coverage — 59 expert measures + 7 hazard patterns 
Systematic gap analysis of the Bremse ground-truth file (60 entries,
100 unique expert measures) revealed only ~5% library coverage. This
commit closes the documented gaps with concrete, norm-anchored
mitigations.

Library additions (M481-M539, 59 entries):
- M481-M482  Low-voltage isolation (>= 2,0 / 2x1,0 / 1,0 MOhm +
             IP2X/IPXXB per EN 60204-1 Ziff. 6.2/8.2.3) — primary
             trigger of this work
- M483-M485  Pneumatic safety (component pressure rating, hose
             retention, depressurization per EN ISO 4414)
- M486-M490  Robot-cell access (tool-secured fence, dual-channel
             door monitor, intentional restart, anti-trap inside
             opening, HMI sight line per ISO 10218-2)
- M491-M493  Teach mode (key/password mode selector, safe reduced
             speed <= 250 mm/s, hold-to-run with 3-stage enabler
             per ISO 10218-1)
- M494-M500  Geometry constants (Safe Limited Position, reach-over
             250 mm @ 2250 mm fence, conveyor opening >= 850 mm,
             25 mm finger gap, band speed <= 100 mm/s per
             EN ISO 13857 / EN 619)
- M501-M507  Enclosure load rating, gripper fail-safe, centring
             gripper stop on door, MWF nozzle integration, floor
             load capacity per DIN 1055-3
- M508-M517  Electrical cabling + PE protection (environment-rated,
             drag chain, strain relief, 10 mm² Cu PE, dual PE,
             monitoring, continuity check, class-II equipment,
             SELV/PELV per EN 60204-1)
- M518-M522  RCD, cable cross-section, overcurrent in each active
             conductor, IP22 water ingress, lockable main switch
- M523-M539  Teach-locked door, WZM door interlock, dual-channel
             door switch, machining-doors-closed for aerosol
             retention, post-NOTHALT release, >25 kg lifting aid
             (DGUV 208-016), 95-120 cm control height, ergonomic
             conveyor height, SDS/PSA reference, BA instructions
             for depressurization/clamp release/max weight/pinch
             warning/slip warning/dead-state cleaning

New hazard patterns (HP1710-HP1717):
floor overload, gripper failure throw, compressed-air injury in
machining cell, manual handling load + awkward posture, MWF skin
contact, live-cabinet cleaning short, pneumatic stored-energy.

Existing patterns rewired to the new measures: HP1600, HP1602-1606,
HP1610-1612, HP1620-1622, HP1630/1631/1633, HP1640/1641, HP1660/1661,
HP1675, HP1685, HP1688, HP1689, HP1698-1704.

Tooling:
- scripts/gt_measure_gap_analysis.py: 4-signal fuzzy matcher
  (Jaccard, token recall, substring containment, norm-reference
  overlap). Outputs markdown + JSON.
- gt_coverage_test.go: 23 expert-validated (GT-Nr, pattern, measure)
  triples + a norm-reference presence test for every new expert
  measure (no generic 'do X safely' entries allowed).
- .gitea/workflows/ci.yaml: new iace-gt-coverage job enforces
  MIN_COVERAGE_PCT (70%) on Strong+Weak GT coverage; never lower
  without explicit decision.

Coverage shift: 5% Strong -> 30% Strong, 0% -> 72% Strong+Weak.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 13:08:52 +02:00

425 lines
18 KiB
YAML
Raw Blame History

# BreakPilot Compliance — CI Pipeline
#
# Feature branch workflow:
# feat/* | feature/* | fix/* | hotfix/* | chore/* | refactor/* | docs/* | test/* | ci/*
# → open PR targeting main
# → all jobs run as PR gates
# → squash merge to main
# → subset of jobs re-run on main to catch merge surprises
#
# Deploy is handled by build-push-deploy.yml on push to main.
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
# ── Change detection (always runs first) ─────────────────────────────────
# Diff base:
# PR → merge-base with the PR base branch
# push → last-build/main tag (set by build-push-deploy after a green build)
# Falls back to "rebuild all" when the base is missing or unreachable.
detect-changes:
runs-on: docker
container: alpine:3.20
outputs:
admin: ${{ steps.diff.outputs.admin }}
backend: ${{ steps.diff.outputs.backend }}
sdk: ${{ steps.diff.outputs.sdk }}
portal: ${{ steps.diff.outputs.portal }}
tts: ${{ steps.diff.outputs.tts }}
crawler: ${{ steps.diff.outputs.crawler }}
dsms_gateway: ${{ steps.diff.outputs.dsms_gateway }}
dsms_node: ${{ steps.diff.outputs.dsms_node }}
any_python: ${{ steps.diff.outputs.any_python }}
any_node: ${{ steps.diff.outputs.any_node }}
any: ${{ steps.diff.outputs.any }}
steps:
- name: Checkout
run: |
apk add --no-cache git bash
git clone --depth 200 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
git fetch --depth 200 origin "${GITHUB_BASE_REF}" || true
else
git fetch --tags origin || true
fi
- name: Resolve base SHA
run: |
if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
BASE=$(git merge-base "origin/${GITHUB_BASE_REF}" HEAD 2>/dev/null || true)
else
BASE=$(git rev-parse --verify refs/tags/last-build/main 2>/dev/null || true)
fi
echo "Base SHA: ${BASE:-<none>}"
echo "BASE_SHA=${BASE}" >> "$GITHUB_ENV"
- name: Detect changes
id: diff
run: bash scripts/detect-changes.sh
# ── Branch naming convention (PR only) ──────────────────────────────────
branch-name:
runs-on: docker
container: alpine:3.20
if: github.event_name == 'pull_request'
steps:
- name: Validate branch name
run: |
BRANCH="${GITHUB_HEAD_REF}"
if ! echo "$BRANCH" | grep -qE '^(feat|feature|fix|hotfix|chore|refactor|docs|test|ci)/.+'; then
echo "::error::Branch '$BRANCH' does not follow naming convention."
echo "Required prefix: feat/ feature/ fix/ hotfix/ chore/ refactor/ docs/ test/ ci/"
exit 1
fi
echo "Branch name OK: $BRANCH"
# ── Guardrail integrity (PR only) ────────────────────────────────────────
guardrail-integrity:
runs-on: docker
container: alpine:3.20
if: github.event_name == 'pull_request'
steps:
- name: Checkout
run: |
apk add --no-cache git bash
git clone --depth 20 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
git fetch origin ${GITHUB_BASE_REF}:base
- name: Require [guardrail-change] in commits touching guardrails
run: |
changed=$(git diff --name-only base...HEAD)
echo "$changed" | grep -qE '^(\.claude/settings\.json|\.claude/rules/loc-exceptions\.txt|scripts/check-loc\.sh|scripts/githooks/pre-commit|AGENTS\.(python|go|typescript)\.md)$' || exit 0
if ! git log base..HEAD --format=%B | grep -q '\[guardrail-change\]'; then
echo "::error::Guardrail files modified without [guardrail-change] in any commit message."
exit 1
fi
# ── LOC budget (only if files changed) ───────────────────────────────────
loc-budget:
runs-on: docker
container: alpine:3.20
needs: detect-changes
if: needs.detect-changes.outputs.any == 'true'
steps:
- name: Checkout
run: |
apk add --no-cache git bash
git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Enforce 500-line hard cap
run: |
chmod +x scripts/check-loc.sh
scripts/check-loc.sh
# ── Secret scanning (PR only) ────────────────────────────────────────────
secret-scan:
runs-on: docker
container: zricethezav/gitleaks:v8.21.2
if: github.event_name == 'pull_request'
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Scan for secrets
run: |
gitleaks detect --source . --no-git \
--exit-code 1 \
--redact \
|| { echo "::error::Secrets detected — remove them before merging."; exit 1; }
# ── Go lint + build (PR only, gated on ai-compliance-sdk changes) ────────
go-lint:
runs-on: docker
needs: detect-changes
if: github.event_name == 'pull_request' && needs.detect-changes.outputs.sdk == 'true'
container: golangci/golangci-lint:v1.62-alpine
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Lint ai-compliance-sdk
run: |
[ -d "ai-compliance-sdk" ] || exit 0
cd ai-compliance-sdk
golangci-lint run --timeout 5m ./...
- name: Build ai-compliance-sdk
run: |
[ -d "ai-compliance-sdk" ] || exit 0
cd ai-compliance-sdk
go build ./...
# ── Python lint + import check (PR only, gated on python service changes) ─
python-lint:
runs-on: docker
needs: detect-changes
if: github.event_name == 'pull_request' && needs.detect-changes.outputs.any_python == 'true'
container: python:3.12-slim
steps:
- name: Checkout
run: |
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Lint (ruff) + type-check (mypy)
run: |
pip install --quiet ruff mypy
fail=0
for svc in backend-compliance document-crawler dsms-gateway compliance-tts-service; do
[ -d "$svc" ] || continue
echo "=== ruff: $svc ===" && ruff check "$svc/" --output-format=github || fail=1
done
if [ -f "backend-compliance/mypy.ini" ]; then
cd backend-compliance && mypy compliance/ || fail=1
fi
exit $fail
- name: Import sanity check (catches NameError at collection time)
run: |
cd backend-compliance
pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
python -c "import compliance; print('Import OK')" \
|| { echo "::error::compliance package fails to import — missing import or syntax error."; exit 1; }
# ── Node.js lint + type-check (PR only, gated on Next.js service changes) ─
nodejs-lint:
runs-on: docker
needs: detect-changes
if: github.event_name == 'pull_request' && needs.detect-changes.outputs.any_node == 'true'
container: node:20-alpine
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Lint + type-check
run: |
fail=0
for svc in admin-compliance developer-portal; do
[ -d "$svc" ] || continue
echo "=== $svc: install ===" && (cd "$svc" && npm ci --silent 2>/dev/null || npm install --silent)
echo "=== $svc: next lint ===" && (cd "$svc" && npx next lint) || fail=1
echo "=== $svc: tsc ===" && (cd "$svc" && npx tsc --noEmit) || fail=1
done
exit $fail
# ── Node.js build — next build (gated on Next.js service changes) ───────
nodejs-build:
runs-on: docker
container: node:20-alpine
needs: detect-changes
if: needs.detect-changes.outputs.any_node == 'true'
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Build Next.js services
run: |
fail=0
for svc in admin-compliance developer-portal; do
[ -d "$svc" ] || continue
echo "=== $svc: install ==="
(cd "$svc" && npm ci --silent 2>/dev/null || npm install --silent)
echo "=== $svc: next build ==="
(cd "$svc" && \
NEXT_PUBLIC_API_URL=https://api-dev.breakpilot.ai \
NEXT_PUBLIC_SDK_URL=https://sdk-dev.breakpilot.ai \
npm run build) || fail=1
done
exit $fail
# ── Dependency audit (PR only) ───────────────────────────────────────────
dep-audit:
runs-on: docker
if: github.event_name == 'pull_request'
container: python:3.12-slim
steps:
- name: Checkout
run: |
apt-get update -qq && apt-get install -y -qq git curl > /dev/null 2>&1
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Install Node.js + Go
run: |
curl -fsSL https://deb.nodesource.com/setup_20.x | bash - > /dev/null 2>&1
apt-get install -y nodejs golang-go > /dev/null 2>&1
- name: Python — pip-audit
run: |
pip install --quiet pip-audit
fail=0
for svc in backend-compliance document-crawler dsms-gateway compliance-tts-service; do
[ -f "$svc/requirements.txt" ] || continue
echo "=== pip-audit: $svc ==="
pip-audit -r "$svc/requirements.txt" --skip-editable -f columns || fail=1
done
exit $fail
- name: Node.js — npm audit
run: |
fail=0
for svc in admin-compliance developer-portal; do
[ -d "$svc" ] || continue
echo "=== npm audit: $svc ==="
(cd "$svc" && npm audit --audit-level=moderate --json 2>/dev/null | \
node -e "const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')); \
const hi=Object.values(d.vulnerabilities||{}).filter(v=>['high','critical'].includes(v.severity)).length; \
if(hi>0){console.error('HIGH/CRITICAL: '+hi);process.exit(1)}") || fail=1
done
exit $fail
- name: Go — govulncheck
run: |
[ -d "ai-compliance-sdk" ] || exit 0
go install golang.org/x/vuln/cmd/govulncheck@latest 2>/dev/null
cd ai-compliance-sdk && govulncheck ./... || true
# Non-blocking until Go module versions are pinned
# ── SBOM + vulnerability scan (PR only) ─────────────────────────────────
sbom-scan:
runs-on: docker
if: github.event_name == 'pull_request'
container: alpine:3.20
steps:
- name: Checkout
run: |
apk add --no-cache git curl bash
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Install syft + grype
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
- name: Generate SBOM
run: mkdir -p sbom-out && syft dir:. -o cyclonedx-json=sbom-out/sbom.cdx.json -q
- name: Vulnerability scan (fail on high+)
run: grype sbom:sbom-out/sbom.cdx.json --fail-on high -q
# ── Tests (gated per service) ────────────────────────────────────────────
test-go:
runs-on: docker
container: golang:1.24-alpine
needs: detect-changes
if: needs.detect-changes.outputs.sdk == 'true'
env:
CGO_ENABLED: "0"
steps:
- name: Checkout
run: |
apk add --no-cache git
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Test ai-compliance-sdk
run: |
[ -d "ai-compliance-sdk" ] || exit 0
cd ai-compliance-sdk
go test -v -coverprofile=coverage.out ./...
go tool cover -func=coverage.out | tail -1
iace-gt-coverage:
runs-on: docker
container: python:3.12-slim
needs: detect-changes
if: needs.detect-changes.outputs.sdk == 'true'
env:
# Lower bound on Strong+Weak GT-Bremse coverage. Raise this number when
# coverage improves; never lower it without an explicit decision.
MIN_COVERAGE_PCT: "70"
steps:
- name: Checkout
run: |
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: GT-Bremse measure-coverage report
run: |
python3 scripts/gt_measure_gap_analysis.py --json /tmp/gt_gap_report.json > /tmp/gt_gap_report.md
echo "--- summary ---"
head -8 /tmp/gt_gap_report.md
- name: Enforce coverage threshold
run: |
python3 - <<'PY'
import json, os, sys
d = json.load(open('/tmp/gt_gap_report.json'))
total = d['total']
covered = d['ok_count'] + d['weak_count']
pct = covered * 100 / total if total else 0.0
threshold = float(os.environ['MIN_COVERAGE_PCT'])
print(f"GT coverage (strong+weak): {covered}/{total} = {pct:.1f}% (threshold {threshold}%)")
if pct < threshold:
print(f"::error::GT-Bremse coverage regression — {pct:.1f}% < {threshold}%")
sys.exit(1)
PY
test-python-backend:
runs-on: docker
container: python:3.12-slim
needs: detect-changes
if: needs.detect-changes.outputs.backend == 'true'
env:
CI: "true"
steps:
- name: Checkout
run: |
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Test backend-compliance
run: |
[ -d "backend-compliance" ] || exit 0
cd backend-compliance
export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
pip install --quiet --no-cache-dir pytest pytest-asyncio
python -m pytest compliance/tests/ -v --tb=short
test-python-document-crawler:
runs-on: docker
container: python:3.12-slim
needs: detect-changes
if: needs.detect-changes.outputs.crawler == 'true'
env:
CI: "true"
steps:
- name: Checkout
run: |
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Test document-crawler
run: |
[ -d "document-crawler" ] || exit 0
cd document-crawler
export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
pip install --quiet --no-cache-dir pytest pytest-asyncio
python -m pytest tests/ -v --tb=short
test-python-dsms-gateway:
runs-on: docker
container: python:3.12-slim
needs: detect-changes
if: needs.detect-changes.outputs.dsms_gateway == 'true'
env:
CI: "true"
steps:
- name: Checkout
run: |
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Test dsms-gateway
run: |
[ -d "dsms-gateway" ] || exit 0
cd dsms-gateway
export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
pip install --quiet --no-cache-dir pytest pytest-asyncio
python -m pytest test_main.py -v --tb=short
# ── OpenAPI contract validation (always) ─────────────────────────────────
validate-canonical-controls:
runs-on: docker
container: python:3.12-slim
steps:
- name: Checkout
run: |
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
- name: Validate controls
run: python scripts/validate-controls.py
Reference in New Issue View Git Blame Copy Permalink