fetch_ml/.forgejo/workflows/verification.yml
Jeremie Fraeys b00fa236db
docs: add Known Limitations section and testing structure updates
Add Known Limitations section to AGENTS.md documenting:
- AMD GPU not implemented (use NVIDIA, Apple Silicon, or CPU)
- 100+ node gang allocation stress testing not yet implemented
- Podman-in-Docker CI requires privileged mode, not yet automated
- Error handling patterns for unimplemented features
- Container usage rules (Docker for testing/deployments, Podman for experiments)
- Error codes table (NOT_IMPLEMENTED, NOT_FOUND, INVALID_CONFIGURATION)

Update testing documentation to reflect new test locations:
- Unit tests moved from tests/unit/ to internal/ (Go convention)
- Update all test file path references in security testing docs
2026-03-12 16:33:19 -04:00


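name: Verification & Maintenance

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Nightly run. Besides the regular jobs it drives the scorecard job
    # below, which is gated on this event.
    - cron: '0 3 * * *'

# Least privilege for the workflow token: nothing in this workflow writes to
# the repository, so read access to contents is all it declares.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Tools fetched with `go install` at run time. `latest` is a floating ref
  # and therefore a supply-chain exposure: whatever is published at run time
  # is what executes in CI. Replace with an explicit, vetted tag.
  NANCY_VERSION: latest
  SCORECARD_VERSION: latest

jobs:
  # V.1: Schema Validation
  schema-drift-check:
    name: V.1 - Schema Drift Detection
    runs-on: ubuntu-latest
    steps:
      # Third-party actions below are pinned to floating major tags only.
      # Pinning to a full commit SHA (keeping the tag in a trailing comment)
      # makes them immutable; OpenSSF Scorecard's Pinned-Dependencies check
      # reports the current form.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'
      - name: Verify manifest schema unchanged
        run: go test ./internal/manifest/... -run TestSchemaUnchanged -v
      - name: Test schema validation (valid manifests)
        run: go test ./internal/manifest/... -run TestSchemaValidatesExampleManifest -v
      - name: Test schema validation (invalid manifests rejected)
        run: go test ./internal/manifest/... -run TestSchemaRejectsInvalidManifest -v
      - name: Verify schema version matches constant
        run: go test ./internal/manifest/... -run TestSchemaVersionMatchesConst -v

  # V.4: Custom Linting Rules
  custom-lint:
    name: V.4 - Custom Go Vet Analyzers
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'
      - name: Build custom linting tool
        run: go build -o bin/fetchml-vet ./tools/fetchml-vet/cmd/fetchml-vet/
      - name: Run custom lint rules
        run: |
          # pipefail so the pipeline's status is go vet's, not tee's.
          set -o pipefail
          vet_status=0
          go vet -vettool=bin/fetchml-vet ./internal/... ./cmd/... 2>&1 | tee lint-results.txt || vet_status=$?
          # Gate on the rules this job is meant to enforce.
          if grep -q "bare CreateDetector\|Artifacts without Environment\|inline credential\|HIPAA.*incomplete" lint-results.txt; then
            echo "Custom lint violations detected"
            exit 1
          fi
          # go vet also exits non-zero when a package fails to compile, when the
          # analyzer itself breaks, or on a diagnostic from a rule not listed
          # above. Discarding that status (the old `|| true`) let the gate pass
          # on an empty report; surface it instead.
          if [ "$vet_status" -ne 0 ]; then
            echo "go vet exited with status $vet_status but no listed rule matched (build or analyzer failure?)"
            exit "$vet_status"
          fi

  # V.7: Audit Chain Verification
  audit-verification:
    name: V.7 - Audit Chain Integrity
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'
      - name: Run audit chain verifier tests
        run: go test -v ./internal/audit/... -run TestChainVerifier
      - name: Build audit verifier tool
        run: go build -o bin/audit-verifier ./cmd/audit-verifier/
      - name: Smoke-test audit verifier CLI (non-gating)
        run: |
          # Single-event fixture. Its hash fields are placeholders, not a real
          # chain, so this only exercises that the binary starts and consumes
          # the input; chain integrity itself is covered by TestChainVerifier.
          work_dir=$(mktemp -d)
          echo '{"timestamp":"2026-02-23T12:00:00Z","event_type":"job_started","user_id":"test","success":true,"sequence_num":1,"prev_hash":"","event_hash":"abc123"}' > "$work_dir/test.log"
          status=0
          ./bin/audit-verifier -log-path="$work_dir/test.log" || status=$?
          # Report the outcome rather than discarding it, but do not gate on it:
          # the expected verdict for a placeholder hash is not pinned down here.
          # Tighten to `exit "$status"` once the fixture carries a valid chain.
          echo "audit-verifier exit status: $status"

  # V.6: Continuous Security Scanning (extends security-scan.yml)
  security-scan-extended:
    name: V.6 - Extended Security Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'
      - name: Run Nancy (dependency audit, advisory)
        # Findings are shown as a failed step in the UI but do not fail the
        # job; govulncheck below is the gating scan. The previous `|| true`
        # hid Nancy's result entirely.
        continue-on-error: true
        run: |
          set -o pipefail
          go install "github.com/sonatype-nexus-community/nancy@${NANCY_VERSION}"
          go list -json -deps ./... | nancy sleuth --stdout
      - name: Run govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: '1.25'
          go-package: ./...

  # V.10: OpenSSF Scorecard — runs only on the nightly schedule, never on
  # push or pull_request.
  scorecard:
    name: V.10 - OpenSSF Scorecard
    # Gate on the event name rather than the cron string so the job does not
    # silently stop running if the schedule above is edited.
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Keep the workflow token out of .git/config for later steps.
          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'
      - name: Install and run Scorecard
        env:
          # Pass the repository through the environment instead of
          # interpolating an expression into the script text.
          TARGET_REPO: ${{ github.repository }}
        run: |
          go install "github.com/ossf/scorecard/v4/cmd/scorecard@${SCORECARD_VERSION}"
          # NOTE(review): a bare owner/name is presumably resolved against
          # github.com by scorecard; for a repository hosted on this Forgejo
          # instance the evaluation may not be looking at this code at all.
          # Confirm against the uploaded artifact. Advisory only (|| true).
          scorecard --repo "$TARGET_REPO" --format json > scorecard.json || true
          jq '.score' scorecard.json || echo "Scorecard evaluation complete"
      - name: Upload scorecard results
        uses: actions/upload-artifact@v4
        with:
          name: scorecard-results
          path: scorecard.json

  # All verification checks summary. scorecard is deliberately not a
  # dependency: it is advisory and exists only on scheduled runs.
  verify-summary:
    name: Verification Summary
    needs: [schema-drift-check, custom-lint, audit-verification, security-scan-extended]
    runs-on: ubuntu-latest
    # Produce the summary even when an upstream job failed.
    if: always()
    steps:
      - name: Summary
        run: |
          echo "Verification & Maintenance Checks Complete"
          echo "=========================================="
          echo "V.1 Schema Validation: ${{ needs.schema-drift-check.result }}"
          echo "V.4 Custom Lint: ${{ needs.custom-lint.result }}"
          echo "V.7 Audit Verification: ${{ needs.audit-verification.result }}"
          echo "V.6 Security Scan: ${{ needs.security-scan-extended.result }}"
      - name: Check for failures
        if: |
          needs.schema-drift-check.result == 'failure' ||
          needs.custom-lint.result == 'failure' ||
          needs.audit-verification.result == 'failure' ||
          needs.security-scan-extended.result == 'failure'
        run: |
          echo "One or more verification checks failed"
          exit 1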