ai-guard-coding-agents/.github/workflows/test.yml at main · DataDog/ai-guard-coding-agents · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# Unless explicitly stated otherwise all files in this repository are licensed
# under the Apache 2.0 License.
#
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2026-Present Datadog, Inc.

name: Test

on:
  push:
    branches: [main]
    tags-ignore:
      - "v*"
  pull_request:
  workflow_call:
    outputs:
      platforms:
        description: "Build/test matrix from .github/matrix.json (single source of truth)."
        value: ${{ jobs.matrix.outputs.platforms }}
  workflow_dispatch:

permissions:
  contents: read

# In a reusable-workflow call, `github.workflow` resolves to the *caller's*
# workflow name — so `${{ github.workflow }}-${{ github.ref }}` here would
# collide with the caller's concurrency group and deadlock both runs. Use a
# literal prefix to keep the group unique to this workflow.
concurrency:
  group: test-${{ github.ref }}
  cancel-in-progress: true

jobs:
  matrix:
    name: Resolve matrix
    runs-on: ubuntu-latest
    outputs:
      platforms: ${{ steps.read.outputs.platforms }}
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
      - id: read
        run: echo "platforms=$(jq -c . .github/matrix.json)" >> "$GITHUB_OUTPUT"

  lint:
    name: Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86  # v5.4.2
        with:
          python-version: "3.11"
      - name: Install ruff
        run: uv sync --extra dev
      - name: ruff check (lint)
        run: uv run ruff check src/ tests/
      - name: ruff format --check (formatting)
        run: uv run ruff format --check src/ tests/

  test:
    name: Unit Test (${{ matrix.os }} / ${{ matrix.arch }})
    needs: [matrix, lint]
    permissions:
      contents: read

    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJSON(needs.matrix.outputs.platforms) }}

    runs-on: ${{ matrix.os }}

    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1

      # ddtrace is pinned to a git source whose tests/ tree includes paths
      # > 260 chars; without longpaths Windows checkout fails mid-clone.
      - name: Enable git long paths (Windows)
        if: runner.os == 'Windows'
        shell: pwsh
        run: git config --system core.longpaths true

      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86  # v5.4.2
        with:
          python-version: "3.11"

      - name: Install dependencies
        run: uv sync --extra test --extra build

      - name: Run pytest (excluding binary tests)
        run: uv run pytest -q -m "not binary"

  smoke:
    name: Smoke Test (${{ matrix.os }} / ${{ matrix.arch }})
    needs: [matrix, test]
    permissions:
      contents: read

    strategy:
      fail-fast: false
      matrix:
        include: ${{ fromJSON(needs.matrix.outputs.platforms) }}

    runs-on: ${{ matrix.os }}

    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1

      - name: Enable git long paths (Windows)
        if: runner.os == 'Windows'
        shell: pwsh
        run: git config --system core.longpaths true

      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86  # v5.4.2
        with:
          python-version: "3.11"

      - name: Install dependencies (test + build)
        run: uv sync --extra test --extra build

      - name: Build executable
        run: uv run pyinstaller ai-guard.spec

      - name: CLI (Unix)
        if: runner.os != 'Windows'
        shell: bash
        run: |
          set -euo pipefail
          ./dist/ai-guard/ai-guard --version
          ./dist/ai-guard/ai-guard --help | grep -E "hook|proxy"
          ./dist/ai-guard/ai-guard hook --help
          ./dist/ai-guard/ai-guard proxy --help

      - name: CLI (Windows)
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          $ErrorActionPreference = "Stop"
          .\dist\ai-guard\ai-guard.exe --version
          # Capture stdout as a single string — PowerShell's -match/-notmatch
          # operate per-element on arrays, which is not what we want.
          $help = (.\dist\ai-guard\ai-guard.exe --help | Out-String)
          if ($help -notmatch "hook")  { throw "hook subcommand missing from --help" }
          if ($help -notmatch "proxy") { throw "proxy subcommand missing from --help" }
          .\dist\ai-guard\ai-guard.exe hook --help
          .\dist\ai-guard\ai-guard.exe proxy --help

      - name: Proxy (Unix)
        if: runner.os != 'Windows'
        shell: bash
        env:
          AI_GUARD_BINARY: ${{ github.workspace }}/dist/ai-guard/ai-guard
        run: uv run pytest tests/integration/test_binary_proxy.py -m binary -v

      - name: Proxy (Windows)
        if: runner.os == 'Windows'
        shell: pwsh
        env:
          AI_GUARD_BINARY: ${{ github.workspace }}\dist\ai-guard\ai-guard.exe
        run: uv run pytest tests/integration/test_binary_proxy.py -m binary -v