Dom/rpa_vision_v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: Gitea Actions workflows + requirements-ci allégé

Browse Source 
Workflows :
  .gitea/workflows/tests.yml          -> lint + unit + security (PR + push)
  .gitea/workflows/security-audit.yml -> bandit + pip-audit + grep secrets
                                         (hebdo + push main)

requirements-ci.txt : sous-ensemble léger de requirements.txt
  - Sans torch, transformers, CUDA, FAISS binaire, Ollama, PyQt5, doctr
  - Gain ~3 Go + ~2 min d'install CI
  - À resynchroniser manuellement si nouveau test importe un package absent

Tests slow/gpu/integration/performance/visual/smoke exclus volontairement
(nécessitent CUDA, Ollama localhost:11434, serveur complet).

Temps estimé par run :
  - Cold : ~3 min
  - Warm (cache pip) : ~1m30

Security-tests (test_security_safe_condition + test_security_signed_serializer)
marqués bloquants : régression sur ast eval safe ou pickle HMAC casse la CI.

docs/CI_SETUP.md : activation Gitea Actions, enregistrement runner,
skip CI, troubleshooting.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dom
2026-04-15 09:07:40 +02:00
parent b808e48b1f
commit 2bfcfa4535
4 changed files with 740 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

207
.gitea/workflows/security-audit.yml Normal file
View File

@@ -0,0 +1,207 @@
# ------------------------------------------------------------------
# Audit sécurité — bandit + pip-audit + scan secrets
# ------------------------------------------------------------------
# Jamais bloquant : on reporte les warnings, on ne casse pas la CI.
# Utile pour détecter les dérives progressives (nouveaux CVE, secrets
# oubliés dans un commit, patterns risqués).
#
# Fréquence : à chaque push sur main + hebdo (cron).
# ------------------------------------------------------------------
name: security-audit
on:
push:
branches:
- main
schedule:
# Tous les lundis à 6h UTC (8h Paris hiver, 7h Paris été).
- cron: "0 6 * * 1"
workflow_dispatch: {}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
# ----------------------------------------------------------------
# Job 1 — bandit (bonnes pratiques sécu Python)
# ----------------------------------------------------------------
bandit:
name: Bandit (scan statique)
runs-on: ubuntu-latest
timeout-minutes: 5
continue-on-error: true
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Python 3.12
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: "pip"
- name: Installation bandit
run: |
python -m pip install --upgrade pip
pip install "bandit[toml]==1.7.10"
- name: Scan bandit sur core/
run: |
# -ll : niveau LOW minimum (remonte tout)
# -ii : confiance LOW minimum
# --skip B101 : on ignore les asserts (usuels en tests/validation)
bandit -r core/ \
--skip B101,B404,B603 \
--format txt \
--exit-zero \
--output bandit-report.txt
echo "=== RAPPORT BANDIT ==="
cat bandit-report.txt
- name: Upload rapport bandit
if: always()
uses: actions/upload-artifact@v3
with:
name: bandit-report
path: bandit-report.txt
retention-days: 30
if-no-files-found: ignore
# ----------------------------------------------------------------
# Job 2 — pip-audit (CVE sur requirements)
# ----------------------------------------------------------------
pip-audit:
name: pip-audit (CVE dépendances)
runs-on: ubuntu-latest
timeout-minutes: 5
continue-on-error: true
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Python 3.12
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: "pip"
- name: Installation pip-audit
run: |
python -m pip install --upgrade pip
pip install "pip-audit==2.7.3"
- name: Audit CVE sur requirements-ci.txt
run: |
if [ -f requirements-ci.txt ]; then
pip-audit -r requirements-ci.txt \
--format json \
--output pip-audit-ci.json \
--progress-spinner off \
--disable-pip || echo "::warning::CVE détectées dans requirements-ci.txt"
echo "=== RAPPORT pip-audit (CI) ==="
cat pip-audit-ci.json || true
else
echo "::notice::requirements-ci.txt absent — skip"
fi
- name: Audit CVE sur requirements.txt (best-effort)
run: |
# Timeout généreux car requirements.txt est massif (torch, CUDA).
timeout 120 pip-audit -r requirements.txt \
--format json \
--output pip-audit-full.json \
--progress-spinner off \
--disable-pip 2>&1 | head -200 || \
echo "::warning::pip-audit sur requirements.txt a timeout ou échoué (non bloquant)"
- name: Upload rapports pip-audit
if: always()
uses: actions/upload-artifact@v3
with:
name: pip-audit-reports
path: |
pip-audit-ci.json
pip-audit-full.json
retention-days: 30
if-no-files-found: ignore
# ----------------------------------------------------------------
# Job 3 — Scan secrets en clair (grep simple)
# ----------------------------------------------------------------
# Patterns recherchés : clés API Anthropic (sk-ant-), OpenAI (sk-),
# Google (AIzaSy), AWS (AKIA), tokens Hugging Face (hf_).
# Ne cherche QUE dans les fichiers trackés (pas .env, pas .venv).
# ----------------------------------------------------------------
secrets-scan:
name: Scan secrets (grep)
runs-on: ubuntu-latest
timeout-minutes: 3
continue-on-error: true
steps:
- name: Checkout (historique complet)
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan patterns de secrets
run: |
# Chemins exclus : venvs, caches, data, htmlcov, models.
EXCLUDES='--exclude-dir=.venv --exclude-dir=venv_v3 --exclude-dir=.git \
--exclude-dir=node_modules --exclude-dir=htmlcov --exclude-dir=models \
--exclude-dir=data --exclude-dir=__pycache__ --exclude-dir=.pytest_cache \
--exclude=*.lock --exclude=*.log --exclude=*.md'
echo "=== Recherche de secrets potentiels ==="
FOUND=0
# Anthropic
if grep -rnI $EXCLUDES -E 'sk-ant-[a-zA-Z0-9_-]{20,}' . 2>/dev/null; then
echo "::warning::Clé Anthropic potentielle détectée"
FOUND=1
fi
# OpenAI
if grep -rnI $EXCLUDES -E 'sk-proj-[a-zA-Z0-9_-]{20,}|sk-[a-zA-Z0-9]{40,}' . 2>/dev/null; then
echo "::warning::Clé OpenAI potentielle détectée"
FOUND=1
fi
# Google Cloud / API Keys
if grep -rnI $EXCLUDES -E 'AIzaSy[a-zA-Z0-9_-]{33}' . 2>/dev/null; then
echo "::warning::Clé Google API potentielle détectée"
FOUND=1
fi
# AWS
if grep -rnI $EXCLUDES -E 'AKIA[0-9A-Z]{16}' . 2>/dev/null; then
echo "::warning::Clé AWS potentielle détectée"
FOUND=1
fi
# Hugging Face
if grep -rnI $EXCLUDES -E 'hf_[a-zA-Z0-9]{30,}' . 2>/dev/null; then
echo "::warning::Token Hugging Face potentiel détecté"
FOUND=1
fi
# Mots-clés suspects à côté d'assignations
if grep -rnI $EXCLUDES -E '(password|passwd|secret|api_key|apikey|token)\s*=\s*["\x27][a-zA-Z0-9_\-!@#\$%]{12,}["\x27]' . 2>/dev/null \
| grep -viE '(example|dummy|placeholder|test|fake|xxx|changeme|\$\{)' 2>/dev/null; then
echo "::warning::Assignation suspecte d'un secret détectée"
FOUND=1
fi
if [ "$FOUND" -eq 0 ]; then
echo "Aucun secret détecté par les patterns de base."
else
echo ""
echo "::notice::Vérifier manuellement les occurrences ci-dessus."
echo "::notice::Si faux positif : ajouter le fichier aux exclusions ou reformater."
fi
# Toujours succès (job non bloquant).
exit 0

199
.gitea/workflows/tests.yml Normal file
View File

@@ -0,0 +1,199 @@
# ------------------------------------------------------------------
# CI principale — Tests unitaires + lint léger
# ------------------------------------------------------------------
# Déclenchement : push / pull_request sur n'importe quelle branche.
# Objectif : feedback rapide (< 3 min) sans GPU ni Ollama.
# Runner : self-hosted (label "ubuntu-latest" ou équivalent).
#
# Les tests marqués `slow`, `gpu`, `integration`, `performance`,
# `visual` et `smoke` sont exclus volontairement — ils nécessitent
# CUDA, Ollama, ou des captures d'écran réelles.
# ------------------------------------------------------------------
name: tests
on:
push:
branches:
- "**"
pull_request:
branches:
- "**"
# Permet à une nouvelle exécution d'annuler les précédentes
# sur la même branche (évite l'engorgement du runner local).
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
# Empêche l'import accidentel de torch/CUDA pendant la CI.
PYTHONDONTWRITEBYTECODE: "1"
PIP_DISABLE_PIP_VERSION_CHECK: "1"
PIP_NO_PYTHON_VERSION_WARNING: "1"
# Les modules d'exécution lisent parfois ces vars ; valeurs neutres en CI.
RPA_VISION_CI: "1"
RPA_AUTH_VAULT_PATH: "/tmp/ci_vault.enc"
jobs:
# ----------------------------------------------------------------
# Job 1 — Lint (ruff + black --check)
# ----------------------------------------------------------------
# Non-bloquant : si ruff/black ne sont pas installables, on log
# un warning et on continue. L'objectif ici est d'alerter, pas de
# casser la CI pour des espaces en trop.
# ----------------------------------------------------------------
lint:
name: Lint (ruff + black)
runs-on: ubuntu-latest
timeout-minutes: 5
continue-on-error: true
steps:
- name: Checkout du code
uses: actions/checkout@v4
- name: Setup Python 3.12
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: "pip"
- name: Installation des linters
run: |
python -m pip install --upgrade pip
pip install "ruff==0.6.9" "black==23.12.1" || {
echo "::warning::Impossible d'installer ruff/black — job ignoré"
exit 0
}
- name: Ruff (lint rapide)
run: |
if command -v ruff >/dev/null 2>&1; then
# Ruff : on limite aux erreurs critiques (E9, F63, F7, F82) pour
# éviter le bruit. Dom peut durcir progressivement.
ruff check --select=E9,F63,F7,F82 --output-format=github \
core/ agent_v0/ tests/ || {
echo "::warning::Ruff a trouvé des erreurs critiques"
exit 1
}
else
echo "::warning::ruff indisponible — skip"
fi
- name: Black (format check)
run: |
if command -v black >/dev/null 2>&1; then
# --check : ne modifie pas, signale juste.
black --check --diff core/ agent_v0/ tests/ || {
echo "::warning::Black suggère un reformatage — non bloquant"
exit 0
}
else
echo "::warning::black indisponible — skip"
fi
# ----------------------------------------------------------------
# Job 2 — Tests unitaires
# ----------------------------------------------------------------
# Exclut tous les marqueurs lourds. Utilise requirements-ci.txt
# pour éviter torch/CUDA (économie ~3 Go + ~2 min).
# ----------------------------------------------------------------
unit-tests:
name: Tests unitaires (sans GPU)
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout du code
uses: actions/checkout@v4
- name: Setup Python 3.12
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: "pip"
cache-dependency-path: |
requirements-ci.txt
requirements.txt
- name: Installation des dépendances CI
run: |
python -m pip install --upgrade pip
if [ -f requirements-ci.txt ]; then
echo "Utilisation de requirements-ci.txt (léger, sans torch)"
pip install -r requirements-ci.txt
else
echo "::warning::requirements-ci.txt absent — fallback requirements.txt (lourd)"
pip install -r requirements.txt
fi
- name: Vérification imports critiques
run: |
python -c "import pytest; print(f'pytest {pytest.__version__}')"
python -c "import sys; sys.path.insert(0, '.'); import core; print('core OK')" || {
echo "::error::Impossible d'importer core.*"
exit 1
}
- name: Tests unitaires (hors slow/gpu/integration)
run: |
python -m pytest tests/unit/ \
-m "not slow and not gpu and not integration and not performance and not visual" \
--tb=short \
--strict-markers \
-q \
--maxfail=10 \
-o cache_dir=/tmp/.pytest_cache_ci
- name: Upload logs si échec
if: failure()
uses: actions/upload-artifact@v3
with:
name: pytest-logs
path: |
/tmp/.pytest_cache_ci
logs/
retention-days: 3
if-no-files-found: ignore
# ----------------------------------------------------------------
# Job 3 — Tests sécurité (bloquant)
# ----------------------------------------------------------------
# Les tests `test_security_*` valident des invariants critiques
# (évaluation sûre, sérialisation signée). Aucune régression tolérée.
# ----------------------------------------------------------------
security-tests:
name: Tests sécurité (critique)
runs-on: ubuntu-latest
timeout-minutes: 5
needs: [unit-tests]
steps:
- name: Checkout du code
uses: actions/checkout@v4
- name: Setup Python 3.12
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: "pip"
cache-dependency-path: |
requirements-ci.txt
requirements.txt
- name: Installation des dépendances CI
run: |
python -m pip install --upgrade pip
if [ -f requirements-ci.txt ]; then
pip install -r requirements-ci.txt
else
pip install -r requirements.txt
fi
- name: Tests sécurité (test_security_*)
run: |
python -m pytest tests/unit/test_security_*.py \
--tb=long \
--strict-markers \
-v \
-o cache_dir=/tmp/.pytest_cache_ci_sec