bd08a47a6f
- Add PathValidator class for preventing path traversal attacks - Add SecureSubprocessRunner for safe command execution - Replace unsafe XML parsing with defusedxml for security - Add comprehensive input validation tools for circuit generation - Include security dependencies (defusedxml, bandit) in pyproject.toml - Add security scanning job to CI/CD pipeline - Add comprehensive test coverage for security utilities - Add timeout constants for safe operation limits - Add boundary validation for component positioning This establishes a strong security foundation for the KiCad MCP server by implementing defense-in-depth security measures across all input vectors and external process interactions. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
123 lines
2.6 KiB
YAML
123 lines
2.6 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, develop ]
|
|
pull_request:
|
|
branches: [ main, develop ]
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
name: Lint and Format
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install uv
|
|
uses: astral-sh/setup-uv@v4
|
|
with:
|
|
enable-cache: true
|
|
|
|
- name: Set up Python 3.12
|
|
run: |
|
|
uv python install 3.12
|
|
uv python pin 3.12
|
|
|
|
- name: Install dependencies
|
|
run: uv sync --group dev
|
|
|
|
- name: Lint with ruff
|
|
run: uv run ruff check kicad_mcp/ tests/
|
|
|
|
- name: Check formatting with ruff
|
|
run: uv run ruff format --check kicad_mcp/ tests/
|
|
|
|
test:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
python-version: ["3.10", "3.11", "3.12", "3.13"]
|
|
exclude:
|
|
- os: macos-latest
|
|
python-version: "3.10"
|
|
|
|
name: Test Python ${{ matrix.python-version }} on ${{ matrix.os }}
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install uv
|
|
uses: astral-sh/setup-uv@v4
|
|
with:
|
|
enable-cache: true
|
|
|
|
- name: Set up Python ${{ matrix.python-version }}
|
|
run: |
|
|
uv python install ${{ matrix.python-version }}
|
|
uv python pin ${{ matrix.python-version }}
|
|
|
|
- name: Install dependencies
|
|
run: uv sync --group dev
|
|
|
|
- name: Run tests
|
|
run: uv run python -m pytest tests/ -v --cov=kicad_mcp --cov-report=xml --cov-fail-under=30
|
|
|
|
- name: Upload coverage to Codecov
|
|
uses: codecov/codecov-action@v4
|
|
if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
|
|
with:
|
|
file: ./coverage.xml
|
|
fail_ci_if_error: false
|
|
|
|
security:
|
|
runs-on: ubuntu-latest
|
|
name: Security Scan
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install uv
|
|
uses: astral-sh/setup-uv@v4
|
|
with:
|
|
enable-cache: true
|
|
|
|
- name: Set up Python 3.12
|
|
run: |
|
|
uv python install 3.12
|
|
uv python pin 3.12
|
|
|
|
- name: Install dependencies
|
|
run: uv sync --group dev
|
|
|
|
- name: Run security scan
|
|
run: uv run bandit -r kicad_mcp/
|
|
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
name: Build Package
|
|
needs: [lint, test]
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install uv
|
|
uses: astral-sh/setup-uv@v4
|
|
with:
|
|
enable-cache: true
|
|
|
|
- name: Set up Python 3.12
|
|
run: |
|
|
uv python install 3.12
|
|
uv python pin 3.12
|
|
|
|
- name: Build package
|
|
run: uv build
|
|
|
|
- name: Upload artifacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: dist
|
|
path: dist/ |