Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .bandit
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# Bandit configuration (YAML format, bandit 1.9+)
# https://bandit.readthedocs.io/en/latest/config.html
#
# NOTE: scan targets must be passed via -r on the CLI; the YAML config
# does not support a "targets" key. Edit the workflow's bandit command
# to add new directories.

# Exclude test directories (test code often has intentional patterns
# that trigger false positives like assert, subprocess in fixtures),
# virtualenvs, generated run workspaces, and vendored JS deps — none of
# which are first-party source.
exclude_dirs:
- "*/tests/*"
- "*/.venv/*"
- "*/runs/*"
- "*/node_modules/*"
90 changes: 90 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
# Dependabot version updates
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
#
# Note: The ClamAV service container image in security-scanners.yml is pinned
# by sha256 digest and is NOT covered by any Dependabot ecosystem. That digest
# must be updated manually (monthly cadence). See:
# docs/ADMINISTRATIVE_GUIDE.md → Updating Pinned Versions → How to update the ClamAV image digest
#
# A cooldown is applied to every ecosystem so freshly-published versions are not
# adopted immediately — this mitigates the window where a compromised/malicious
# release is live before it is yanked. Longer for majors (higher breakage and
# supply-chain risk), shorter for patches.

version: 2
updates:
# npm — the unified v2 TypeScript/bun monorepo (root package.json / bun.lock)
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
semver-major-days: 30
semver-minor-days: 7
semver-patch-days: 3
commit-message:
prefix: "chore(deps)"
prefix-development: "chore(deps-dev)"
include: "scope"
groups:
npm-deps:
patterns:
- "*"

# GitHub Actions — SHA-pinned actions across all workflows.
# (Only default-days is supported for non-semver ecosystems.)
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
commit-message:
prefix: "chore(deps)"
include: "scope"
groups:
github-actions:
patterns:
- "*"

# Python (uv) — evaluator framework dependencies
- package-ecosystem: "uv"
directory: "/evaluator"
schedule:
interval: "weekly"
cooldown:
default-days: 7
semver-major-days: 30
semver-minor-days: 7
semver-patch-days: 3
commit-message:
prefix: "chore(deps)"
prefix-development: "chore(deps-dev)"
include: "scope"
groups:
evaluator-deps:
patterns:
- "*"

# Pre-commit hooks — .pre-commit-config.yaml rev pins
- package-ecosystem: "pre-commit"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
commit-message:
prefix: "chore(deps)"
include: "scope"

# Docker — sandbox Dockerfile base image
- package-ecosystem: "docker"
directory: "/evaluator/docker/sandbox"
schedule:
interval: "weekly"
cooldown:
default-days: 7
commit-message:
prefix: "chore(deps)"
include: "scope"
26 changes: 26 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: CI

on:
pull_request:
branches: ["v2", "main"]
push:
branches: ["v2", "main"]
workflow_dispatch:

permissions: {}

concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
cancel-in-progress: true

jobs:
markdownlint:
name: Markdown Lint
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
- uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd #v23.2.0
with:
globs: "**/*.md"
63 changes: 63 additions & 0 deletions .github/workflows/evaluator-tests.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
name: Evaluator Tests

# Lint, format-check, dead-code-check, dependency-audit, and unit-test the AIDLC
# evaluation framework. The heavy end-to-end evaluation (run.py full / cli) needs
# AWS Bedrock and runs in CodeBuild, not here; the default CLI evaluation adapter
# is kiro-cli (see scripts/run_cli_evaluation.py).
on:
pull_request:
branches: ["v2", "main"]
paths:
- "evaluator/**"
- ".github/workflows/evaluator-tests.yml"
push:
branches: ["v2", "main"]
paths:
- "evaluator/**"
- ".github/workflows/evaluator-tests.yml"
workflow_dispatch:

permissions: {}

concurrency:
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
cancel-in-progress: true

defaults:
run:
working-directory: evaluator

jobs:
quality:
name: Lint and test
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.13"

- name: Sync dependencies (with dev tools)
run: uv sync --all-extras --dev

- name: Ruff lint
run: uv run ruff check packages run.py scripts

- name: Ruff format check
run: uv run ruff format --check packages run.py scripts

- name: Vulture dead-code check
run: uv run vulture packages run.py --min-confidence 80

- name: pip-audit (dependency CVE scan)
# --skip-editable: the workspace's own packages (aidlc-shared, etc.) are
# editable installs not published to PyPI; pip-audit cannot resolve them
# and would otherwise exit non-zero. Third-party deps are still audited.
run: uv run --with pip-audit pip-audit --skip-editable

- name: Pytest
run: uv run python -m pytest packages
Loading
Loading