stack

mosaic/stack

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jason Woltje	111a41c7ca	fix(#365 ): fix coordinator CI bandit config and pip upgrade Three fixes for the coordinator pipeline: 1. Use bandit.yaml config file (-c bandit.yaml) so global skips and exclude_dirs are respected in CI. 2. Upgrade pip to >=25.3 in the install step so pip-audit doesn't fail on the stale pip 24.0 bundled with python:3.11-slim. 3. Clean up nosec inline comments to bare "# nosec BXXX" format, moving explanations to a separate comment line above. This prevents bandit from misinterpreting trailing text as test IDs. Fixes #365 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 16:05:07 -06:00
Jason Woltje	5a35fd69bc	refactor(ci): split monolithic pipeline into per-package pipelines Some checks failed ci/woodpecker/push/infra Pipeline failed Details ci/woodpecker/push/api Pipeline failed Details ci/woodpecker/push/web Pipeline failed Details ci/woodpecker/push/coordinator Pipeline failed Details ci/woodpecker/push/orchestrator Pipeline failed Details Replace single build.yml with split pipelines per the CI/CD guide: - api.yml: API with postgres, prisma, Trivy scan - web.yml: Web with Trivy scan - orchestrator.yml: Orchestrator with Trivy scan - coordinator.yml: Python with ruff/mypy/bandit/pip-audit/Trivy - infra.yml: postgres + openbao builds with Trivy Adds path filtering (only affected packages rebuild), Trivy container scanning for all images, and scoped per-package quality gates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 10:29:53 -06:00

Author

SHA1

Message

Date

Jason Woltje

111a41c7ca

fix(#365 ): fix coordinator CI bandit config and pip upgrade

Three fixes for the coordinator pipeline:

1. Use bandit.yaml config file (-c bandit.yaml) so global skips
   and exclude_dirs are respected in CI.
2. Upgrade pip to >=25.3 in the install step so pip-audit doesn't
   fail on the stale pip 24.0 bundled with python:3.11-slim.
3. Clean up nosec inline comments to bare "# nosec BXXX" format,
   moving explanations to a separate comment line above. This
   prevents bandit from misinterpreting trailing text as test IDs.

Fixes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-12 16:05:07 -06:00

Jason Woltje

5a35fd69bc

refactor(ci): split monolithic pipeline into per-package pipelines

ci/woodpecker/push/infra Pipeline failed

Details

ci/woodpecker/push/api Pipeline failed

Details

ci/woodpecker/push/web Pipeline failed

Details

ci/woodpecker/push/coordinator Pipeline failed

Details

ci/woodpecker/push/orchestrator Pipeline failed

Details

Replace single build.yml with split pipelines per the CI/CD guide:
- api.yml: API with postgres, prisma, Trivy scan
- web.yml: Web with Trivy scan
- orchestrator.yml: Orchestrator with Trivy scan
- coordinator.yml: Python with ruff/mypy/bandit/pip-audit/Trivy
- infra.yml: postgres + openbao builds with Trivy

Adds path filtering (only affected packages rebuild), Trivy container
scanning for all images, and scoped per-package quality gates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-12 10:29:53 -06:00

2 Commits