feat: HaloLight Python API - FastAPI 企业级后端服务 #20
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main, develop] | |
| workflow_dispatch: | |
| # 取消同一分支的之前运行,节省资源 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| PYTHON_VERSION: "3.11" | |
| CI: "true" | |
| jobs: | |
| # ============================================================================ | |
| # 代码质量检查 | |
| # ============================================================================ | |
| lint: | |
| name: Lint & Type Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Cache pip dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('pyproject.toml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Run Ruff linter | |
| run: ruff check app tests | |
| - name: Run Black formatter check | |
| run: black --check app tests | |
| - name: Run MyPy type checker | |
| run: mypy app --ignore-missing-imports | |
| continue-on-error: true | |
| # ============================================================================ | |
| # 单元测试 | |
| # ============================================================================ | |
| test: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Cache pip dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('pyproject.toml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Run tests with coverage | |
| env: | |
| DATABASE_URL: sqlite:///./test.db | |
| JWT_SECRET_KEY: test-secret-key-for-ci | |
| JWT_REFRESH_SECRET_KEY: test-refresh-secret-key-for-ci | |
| ENVIRONMENT: test | |
| run: pytest --cov=app --cov-report=xml --cov-report=term-missing tests/ | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v4 | |
| if: always() | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: false | |
| files: ./coverage.xml | |
| flags: unittests | |
| name: codecov-umbrella | |
| # ============================================================================ | |
| # E2E 测试 | |
| # ============================================================================ | |
| e2e: | |
| name: E2E Tests | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| # PostgreSQL 服务 | |
| services: | |
| postgres: | |
| image: postgres:16-alpine | |
| env: | |
| POSTGRES_USER: test | |
| POSTGRES_PASSWORD: test | |
| POSTGRES_DB: halolight_test | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| ports: | |
| - 5432:5432 | |
| env: | |
| ENVIRONMENT: test | |
| DATABASE_URL: postgresql://test:test@localhost:5432/halolight_test | |
| JWT_SECRET_KEY: test-secret-key-for-ci | |
| JWT_REFRESH_SECRET_KEY: test-refresh-secret-key-for-ci | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Cache pip dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('pyproject.toml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| - name: Run database migrations | |
| run: alembic upgrade head | |
| - name: Run E2E tests | |
| run: | | |
| if [ -d "tests/e2e" ]; then | |
| pytest tests/e2e/ -v --tb=short | |
| else | |
| echo "E2E tests directory not found, skipping..." | |
| fi | |
| # ============================================================================ | |
| # 构建检查 | |
| # ============================================================================ | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Cache pip dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('pyproject.toml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[dev]" | |
| pip install build | |
| - name: Build package | |
| run: python -m build | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-output | |
| path: | | |
| dist/ | |
| retention-days: 7 | |
| # ============================================================================ | |
| # Docker 构建检查 | |
| # ============================================================================ | |
| docker: | |
| name: Docker Build | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: false | |
| tags: halolight-api-python:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| # ============================================================================ | |
| # 依赖安全审计 | |
| # ============================================================================ | |
| security: | |
| name: Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e . | |
| pip install bandit safety pip-audit | |
| - name: Run Bandit security linter | |
| run: bandit -r app -ll -ii | |
| continue-on-error: true | |
| - name: Run pip-audit for vulnerabilities | |
| run: pip-audit | |
| continue-on-error: true | |
| # ============================================================================ | |
| # 依赖更新检查(仅 PR) | |
| # ============================================================================ | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: high | |
| allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, PSF-2.0 |