Add CI workflows, security scans, and dependabot#162
Conversation
CI pipeline (ci.yaml): - Replace flake8 with ruff==0.11.4 lint + format checks - Add pytest test job with mocked dependencies - SHA-pin all actions, add permissions and timeouts Security scanning (security-scans.yaml): - Dependency review (critical severity, deny GPL-3.0/AGPL-3.0) - Trivy filesystem scan (CRITICAL+HIGH, informational) - CodeQL with security-extended queries for Python - Hadolint for Dockerfile linting (error threshold) Supply chain hardening: - OpenSSF Scorecard workflow (weekly + push to main) - SHA-pin all existing build.yaml actions - Dependabot for github-actions, pip (21 dirs), docker (23 dirs) Code quality fixes: - Run ruff check --fix and format across all Python files - Update ruff config: ignore E501/E402/W291, exclude .repos/ - Fix F841 unused variable in test_client.py - Fix DL3020: ADD -> COPY in currency_converter Dockerfile Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
pdettori
added
Ready for Review!
safe-to-test
Remove hardcoded `tests/` path from pytest invocation so it picks up all testpaths from pyproject.toml (tests/ and mcp/reservation_tool/tests/). Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Paolo Dettori <dettori@us.ibm.com>
pdettori
left a comment
pdettori
left a comment
There was a problem hiding this comment.
Orchestration review: LGTM
CI phase reviewed. All checks passing. All 16 Actions SHA-pinned, least-privilege permissions, comprehensive coverage (lint, test, Trivy, CodeQL, dependency-review, Hadolint, Scorecard, Dependabot).
Fix applied: Changed pytest path to use pyproject.toml testpaths (3c0fdeb).
Non-blocking observations: Trivy exit-code: 0 is informational only. Consider dependabot groups: for the 45 entries.
mrsabath
left a comment
mrsabath
left a comment
There was a problem hiding this comment.
Review Summary
Comprehensive CI/security orchestration PR for agent-examples. All 15 GitHub Actions SHA-pinned with least-privilege permissions and timeouts on every job. Python changes are purely ruff formatting/lint fixes with no functional changes. Security scanning coverage is thorough.
Areas reviewed: CI/GitHub Actions, security scanning, Python code, Dockerfile, Dependabot config
Commits: 2 commits, both signed-off, using Assisted-By (correct convention)
CI status: all 9 checks passing
Action Pinning Audit (all 15 SHA-pinned)
All actions verified SHA-pinned: actions/checkout, actions/setup-python, actions/upload-artifact, actions/dependency-review-action, docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/metadata-action, docker/build-push-action, ossf/scorecard-action, github/codeql-action (init/analyze/upload-sarif), aquasecurity/trivy-action, hadolint/hadolint-action.
Suggestions (non-blocking)
1. Dependabot groups (.github/dependabot.yml)
With 45 directories (21 pip + 23 docker + 1 github-actions), this will generate a high volume of individual PRs. Consider adding groups: blocks to batch related updates:
groups:
a2a-python:
patterns: ["*"]This was also noted in the self-review comment (3c0fdeb).
2. pyproject.toml ruff config (nit)
W291 (trailing whitespace) in the ignore list is unnecessary since ruff format already strips trailing whitespace.
3. Trivy exit-code (acknowledged)
Trivy exit-code: 0 makes the scan informational only. Reasonable for a community examples repo -- just noting for visibility.
Highlights
- Excellent supply chain hardening across all workflows
- Clean separation of CI (ci.yaml) and security (security-scans.yaml) workflows
- Scorecard for post-merge OpenSSF assessment
- Proper DL3020 fix (ADD -> COPY in Dockerfile)
- All Python changes are formatting-only, verified by ruff
LGTM
2 participants
Summary
Phase 4 of repo orchestration (supersedes #161 with clean commit history).
Test plan
ruff check .+ruff format --check .)pytest tests/ -v)🤖 Generated with Claude Code