fix: validate existing Docker network subnets #266
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| - "claude/**" | ||
| pull_request: | ||
| branches: | ||
| - main | ||
| jobs: | ||
| test: | ||
| name: Tests | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.13"] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Install Poetry | ||
| uses: snok/install-poetry@v1 | ||
| with: | ||
| version: 2.1.4 | ||
| virtualenvs-create: true | ||
| virtualenvs-in-project: true | ||
| - name: Cache Poetry dependencies | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: .venv | ||
| key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }} | ||
| - name: Install dependencies | ||
| run: poetry install | ||
| - name: Run tests | ||
| run: poetry run pytest tests/ -v --tb=short | ||
| lint: | ||
| name: Linting | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.13"] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Install Poetry | ||
| uses: snok/install-poetry@v1 | ||
| - name: Cache Poetry dependencies | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: .venv | ||
| key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }} | ||
| - name: Install dependencies | ||
| run: poetry install | ||
| - name: Check formatting with black | ||
| run: poetry run black --check netengine tests | ||
| - name: Check import sorting with isort | ||
| run: poetry run isort --check netengine tests | ||
| - name: Lint with flake8 | ||
| run: poetry run flake8 netengine tests | ||
| integration: | ||
| name: Integration Tests | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.13"] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Install Poetry | ||
| uses: snok/install-poetry@v1 | ||
| with: | ||
| version: 2.1.4 | ||
| virtualenvs-create: true | ||
| virtualenvs-in-project: true | ||
| - name: Cache Poetry dependencies | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: .venv | ||
| key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }} | ||
| - name: Install dependencies | ||
| run: poetry install | ||
| - name: Run integration tests | ||
| run: poetry run pytest tests/integration/ -v --tb=short | ||
| e2e: | ||
| name: E2E Tests | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.13"] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Install Poetry | ||
| uses: snok/install-poetry@v1 | ||
| with: | ||
| version: 2.1.4 | ||
| virtualenvs-create: true | ||
| virtualenvs-in-project: true | ||
| - name: Cache Poetry dependencies | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: .venv | ||
| key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }} | ||
| - name: Install dependencies | ||
| run: poetry install | ||
| - name: Pull CoreDNS image (cache warm-up) | ||
| run: docker pull coredns/coredns:1.11.3 | ||
| - name: Run e2e tests | ||
| run: poetry run pytest tests/integration/test_e2e_fullstack.py tests/integration/test_e2e_federation.py -v --tb=short --run-e2e -m "e2e and not slow" | ||
| typecheck: | ||
| name: Type Checking | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ["3.13"] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Install Poetry | ||
| uses: snok/install-poetry@v1 | ||
| - name: Cache Poetry dependencies | ||
| uses: actions/cache@v4 | ||
| with: | ||
| path: .venv | ||
| key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }} | ||
| - name: Install dependencies | ||
| run: poetry install | ||
| - name: Type check with mypy (strict mode) | ||
| run: poetry run mypy netengine --strict | ||
| supply-chain: | ||
| name: Supply Chain | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Python 3.13 | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: "3.13" | ||
| - name: Install Poetry | ||
| uses: snok/install-poetry@v1 | ||
| with: | ||
| version: 2.1.4 | ||
| virtualenvs-create: true | ||
| virtualenvs-in-project: true | ||
| - name: Validate lockfile | ||
| run: poetry check --lock | ||
| - name: Install dependencies | ||
| run: poetry install | ||
| - name: Validate pinned Docker images and lockfile presence | ||
| run: python scripts/validate_supply_chain.py | ||
| - name: Generate license inventory | ||
| run: poetry run python scripts/generate_license_list.py | ||
| - name: Check license inventory is committed | ||
| run: git diff --exit-code -- docs/licenses.md | ||
| - name: Generate SBOM | ||
| uses: anchore/sbom-action@v0.17.8 | ||
| with: | ||
| path: . | ||
| format: spdx-json | ||
| output-file: sbom.spdx.json | ||
| - name: Upload SBOM artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: netengine-sbom-spdx | ||
| path: sbom.spdx.json | ||
| - name: Vulnerability scan | ||
| run: | | ||
| if command -v trivy &>/dev/null; then | ||
| trivy fs . --severity CRITICAL,HIGH --ignore-unfixed --exit-code 1 | ||
| else | ||
| echo "trivy not available; skipping vulnerability scan" | ||
| fi | ||
| uses: aquasecurity/trivy-action@v0.36.0 | ||
| with: | ||
| scan-type: fs | ||
| scan-ref: . | ||
| severity: CRITICAL,HIGH | ||
| ignore-unfixed: true | ||
| exit-code: "1" | ||