Sharang Parnerkar
32e5fc21e7
Some checks failed
CI / Format (push) Successful in 3s
CI / Clippy (push) Successful in 4m4s
CI / Security Audit (push) Successful in 1m42s
CI / Tests (push) Successful in 4m38s
CI / Deploy Agent (push) Successful in 2s
CI / Deploy Dashboard (push) Successful in 1s
CI / Deploy MCP (push) Failing after 2s
CI / Detect Changes (push) Successful in 7s
CI / Deploy Docs (push) Successful in 2s
New `compliance-mcp` crate providing a Model Context Protocol server with 7 tools: list/get/summarize findings, list SBOM packages, SBOM vulnerability report, list DAST findings, and DAST scan summary. Supports stdio (local dev) and Streamable HTTP (deployment via MCP_PORT). Includes Dockerfile, CI clippy check, and Coolify deploy job. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #5
245 lines
8.4 KiB
YAML
245 lines
8.4 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- "**"
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
RUSTFLAGS: "-D warnings"
|
|
# sccache caches compilation artifacts within a job so that compiling
|
|
# both --features server and --features web shares common crate work.
|
|
RUSTC_WRAPPER: /usr/local/bin/sccache
|
|
SCCACHE_DIR: /tmp/sccache
|
|
|
|
# Cancel in-progress runs for the same branch/PR
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
# ---------------------------------------------------------------------------
|
|
# Stage 1: Code quality checks (run in parallel)
|
|
# ---------------------------------------------------------------------------
|
|
fmt:
|
|
name: Format
|
|
runs-on: docker
|
|
container:
|
|
image: rust:1.89-bookworm
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
git init
|
|
git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}"
|
|
git checkout FETCH_HEAD
|
|
- run: rustup component add rustfmt
|
|
# Format check does not compile, so sccache is not needed here.
|
|
- run: cargo fmt --all --check
|
|
env:
|
|
RUSTC_WRAPPER: ""
|
|
|
|
clippy:
|
|
name: Clippy
|
|
runs-on: docker
|
|
container:
|
|
image: rust:1.89-bookworm
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
git init
|
|
git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}"
|
|
git checkout FETCH_HEAD
|
|
- name: Install sccache
|
|
run: |
|
|
curl -fsSL https://github.com/mozilla/sccache/releases/download/v0.9.1/sccache-v0.9.1-x86_64-unknown-linux-musl.tar.gz \
|
|
| tar xz --strip-components=1 -C /usr/local/bin/ sccache-v0.9.1-x86_64-unknown-linux-musl/sccache
|
|
chmod +x /usr/local/bin/sccache
|
|
- run: rustup component add clippy
|
|
# Lint the agent (native only).
|
|
- name: Clippy (agent)
|
|
run: cargo clippy -p compliance-agent -- -D warnings
|
|
# Lint the dashboard for both feature sets independently.
|
|
# sccache deduplicates shared crates between the two compilations.
|
|
- name: Clippy (dashboard server)
|
|
run: cargo clippy -p compliance-dashboard --features server --no-default-features -- -D warnings
|
|
- name: Clippy (dashboard web)
|
|
run: cargo clippy -p compliance-dashboard --features web --no-default-features -- -D warnings
|
|
- name: Clippy (mcp)
|
|
run: cargo clippy -p compliance-mcp -- -D warnings
|
|
- name: Show sccache stats
|
|
run: sccache --show-stats
|
|
if: always()
|
|
|
|
audit:
|
|
name: Security Audit
|
|
runs-on: docker
|
|
if: github.ref == 'refs/heads/main'
|
|
container:
|
|
image: rust:1.89-bookworm
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
git init
|
|
git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}"
|
|
git checkout FETCH_HEAD
|
|
- run: cargo install cargo-audit
|
|
env:
|
|
RUSTC_WRAPPER: ""
|
|
- run: cargo audit
|
|
env:
|
|
RUSTC_WRAPPER: ""
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Stage 2: Tests (only after all quality checks pass)
|
|
# ---------------------------------------------------------------------------
|
|
test:
|
|
name: Tests
|
|
runs-on: docker
|
|
needs: [fmt, clippy, audit]
|
|
container:
|
|
image: rust:1.89-bookworm
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
git init
|
|
git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}"
|
|
git checkout FETCH_HEAD
|
|
- name: Install sccache
|
|
run: |
|
|
curl -fsSL https://github.com/mozilla/sccache/releases/download/v0.9.1/sccache-v0.9.1-x86_64-unknown-linux-musl.tar.gz \
|
|
| tar xz --strip-components=1 -C /usr/local/bin/ sccache-v0.9.1-x86_64-unknown-linux-musl/sccache
|
|
chmod +x /usr/local/bin/sccache
|
|
- name: Run tests (core + agent)
|
|
run: cargo test -p compliance-core -p compliance-agent
|
|
- name: Run tests (dashboard server)
|
|
run: cargo test -p compliance-dashboard --features server --no-default-features
|
|
- name: Run tests (dashboard web)
|
|
run: cargo test -p compliance-dashboard --features web --no-default-features
|
|
- name: Show sccache stats
|
|
run: sccache --show-stats
|
|
if: always()
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Stage 3: Deploy (only on main, after tests pass)
|
|
# Each service only deploys when its relevant files changed.
|
|
# ---------------------------------------------------------------------------
|
|
detect-changes:
|
|
name: Detect Changes
|
|
runs-on: docker
|
|
if: github.ref == 'refs/heads/main'
|
|
needs: [test]
|
|
container:
|
|
image: alpine:latest
|
|
outputs:
|
|
agent: ${{ steps.changes.outputs.agent }}
|
|
dashboard: ${{ steps.changes.outputs.dashboard }}
|
|
docs: ${{ steps.changes.outputs.docs }}
|
|
mcp: ${{ steps.changes.outputs.mcp }}
|
|
steps:
|
|
- name: Install git
|
|
run: apk add --no-cache git
|
|
- name: Checkout
|
|
run: |
|
|
git init
|
|
git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=2 origin "${GITHUB_SHA}"
|
|
git checkout FETCH_HEAD
|
|
- name: Detect changed paths
|
|
id: changes
|
|
run: |
|
|
CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || echo "")
|
|
echo "Changed files:"
|
|
echo "$CHANGED"
|
|
|
|
# Agent: core libs, agent code, agent Dockerfile
|
|
if echo "$CHANGED" | grep -qE '^(compliance-core/|compliance-agent/|compliance-graph/|compliance-dast/|Dockerfile\.agent|Cargo\.(toml|lock))'; then
|
|
echo "agent=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "agent=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
# Dashboard: core libs, dashboard code, dashboard Dockerfile, assets
|
|
if echo "$CHANGED" | grep -qE '^(compliance-core/|compliance-dashboard/|Dockerfile\.dashboard|Dioxus\.toml|assets/|bin/|Cargo\.(toml|lock))'; then
|
|
echo "dashboard=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "dashboard=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
# Docs: docs folder, docs Dockerfile
|
|
if echo "$CHANGED" | grep -qE '^(docs/|Dockerfile\.docs)'; then
|
|
echo "docs=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "docs=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
# MCP: core libs, mcp code, mcp Dockerfile
|
|
if echo "$CHANGED" | grep -qE '^(compliance-core/|compliance-mcp/|Dockerfile\.mcp|Cargo\.(toml|lock))'; then
|
|
echo "mcp=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "mcp=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
deploy-agent:
|
|
name: Deploy Agent
|
|
runs-on: docker
|
|
needs: [detect-changes]
|
|
if: needs.detect-changes.outputs.agent == 'true'
|
|
container:
|
|
image: alpine:latest
|
|
steps:
|
|
- name: Trigger Coolify deploy
|
|
run: |
|
|
apk add --no-cache curl
|
|
curl -sf "${{ secrets.COOLIFY_WEBHOOK_AGENT }}" \
|
|
-H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
|
|
|
|
deploy-dashboard:
|
|
name: Deploy Dashboard
|
|
runs-on: docker
|
|
needs: [detect-changes]
|
|
if: needs.detect-changes.outputs.dashboard == 'true'
|
|
container:
|
|
image: alpine:latest
|
|
steps:
|
|
- name: Trigger Coolify deploy
|
|
run: |
|
|
apk add --no-cache curl
|
|
curl -sf "${{ secrets.COOLIFY_WEBHOOK_DASHBOARD }}" \
|
|
-H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
|
|
|
|
deploy-docs:
|
|
name: Deploy Docs
|
|
runs-on: docker
|
|
needs: [detect-changes]
|
|
if: needs.detect-changes.outputs.docs == 'true'
|
|
container:
|
|
image: alpine:latest
|
|
steps:
|
|
- name: Trigger Coolify deploy
|
|
run: |
|
|
apk add --no-cache curl
|
|
curl -sf "${{ secrets.COOLIFY_WEBHOOK_DOCS }}" \
|
|
-H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
|
|
|
|
deploy-mcp:
|
|
name: Deploy MCP
|
|
runs-on: docker
|
|
needs: [detect-changes]
|
|
if: needs.detect-changes.outputs.mcp == 'true'
|
|
container:
|
|
image: alpine:latest
|
|
steps:
|
|
- name: Trigger Coolify deploy
|
|
run: |
|
|
apk add --no-cache curl
|
|
curl -sf "${{ secrets.COOLIFY_WEBHOOK_MCP }}" \
|
|
-H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
|