
Remove contamination #14



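---
# Comprehensive Quality Gates: one job per quality dimension. Every check below is
# advisory (warnings, counts, `|| true`, `continue-on-error`), so a red run means the
# workflow itself is broken, not that a gate tripped.
name: Comprehensive Quality Gates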

Check failure on line 1 in .github/workflows/comprehensive-quality.yml


GitHub Actions / .github/workflows/comprehensive-quality.yml

Invalid workflow file

(Line: 144, Col: 9): Unrecognized function: 'hashFiles'. Located at position 1 within expression: hashFiles('**/*.html') != ''
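on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, master]
  pull_request:
  schedule:
    - cron: '0 5 * * 0'  # weekly, Sunday 05:00 UTC

# Default GITHUB_TOKEN scope for every job: the checks only read the tree.
# A job that genuinely needs more declares its own `permissions` block.
permissions:
  contents: read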
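jobs:
  # DEPENDABILITY - Stability and reliability
  dependability:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): prefer pinning third-party actions to a full commit SHA; tags are mutable.
      - uses: actions/checkout@v4
      - name: Check test coverage
        run: |
          echo "Checking for test files..."
          # The -o chain is grouped so the .git exclusion applies to every pattern.
          TESTS=$(find . -not -path './.git/*' \( -name "*_test.*" -o -name "test_*" -o -name "*_spec.*" -o -name "*.test.*" \) | wc -l)
          echo "Found $TESTS test files"
          if [ "$TESTS" -lt 1 ]; then
            echo "::warning::No test files detected"
          fi
      - name: Check error handling
        run: |
          # Count Rust panic!/unwrap()/expect( call sites (advisory; does not fail the job).
          # `|| true` sits inside the group: a no-match grep must not abort the step under
          # `bash -e`, and an `|| echo 0` after wc would print a second "0" under pipefail.
          PANICS=$({ grep -rE "panic!|unwrap\(\)|expect\(" --include="*.rs" --exclude-dir=.git . 2>/dev/null || true; } | wc -l)
          echo "Rust panics/unwraps: $PANICS"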
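# SECURITY - Multi-layer security scanning
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # all three scanners only read the checkout
    steps:
      - uses: actions/checkout@v4
      - name: Secret scanning
        # TODO(security): `@main` is a mutable branch ref; pin to a release tag or a full
        # commit SHA so the scanner cannot change underneath this workflow.
        uses: trufflesecurity/trufflehog@main
        continue-on-error: true  # advisory: findings are reported, the gate does not fail
      - name: Dependency vulnerabilities
        run: |
          # Advisory scans. A failure (vulnerabilities found or the tool did not run) is
          # surfaced as a workflow warning instead of being silently swallowed by `|| true`.
          if [ -f "Cargo.toml" ]; then
            cargo install --locked cargo-audit && cargo audit \
              || echo "::warning::cargo audit reported vulnerabilities or failed to run"
          fi
          if [ -f "requirements.txt" ]; then
            pip install safety && safety check -r requirements.txt \
              || echo "::warning::safety reported vulnerabilities or failed to run"
          fi
      - name: SAST scan
        # NOTE(review): pin to a full commit SHA rather than a floating major tag where possible.
        uses: returntocorp/semgrep-action@v1
        continue-on-error: true  # advisory, same as the secret scan above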
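# INTEROPERABILITY - API and format compatibility
  interoperability:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check API specs
        run: |
          if [ -f "openapi.yaml" ] || [ -f "openapi.json" ]; then
            echo "✅ OpenAPI spec found"
          fi
          if [ -f "schema.graphql" ]; then
            echo "✅ GraphQL schema found"
          fi
      - name: Validate JSON files
        run: |
          # Parse every JSON file and name the invalid ones. The previous form piped
          # json.tool's pretty-printed output through `head -5` and sent errors to
          # /dev/null, so a malformed file was never reported.
          BAD=0
          while IFS= read -r f; do
            if ! python3 -m json.tool "$f" > /dev/null 2>&1; then
              echo "::warning file=$f::Invalid JSON"
              BAD=$((BAD + 1))
            fi
          done < <(find . -not -path './.git/*' -not -path '*/node_modules/*' -name "*.json")
          echo "Invalid JSON files: $BAD"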
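# VALIDATION - Input/output validation
  validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for validation patterns
        run: |
          # Heuristic count of validation-related identifiers (advisory only).
          # `|| true` inside the group keeps a no-match grep from aborting the step under
          # `bash -e`; the `.git` tree is excluded so packed objects are not scanned.
          VALIDATION=$({ grep -rE "validate|sanitize|Schema|Validator" --include="*.rs" --include="*.res" --include="*.ex" --exclude-dir=.git . 2>/dev/null || true; } | wc -l)
          echo "Validation patterns found: $VALIDATION"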
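# ATTESTATION - Supply chain integrity (SLSA)
  attestation:
    runs-on: ubuntu-latest
    # Least privilege: both steps below only read the tree and echo. Grant `id-token: write`
    # and `attestations: write` here again when a real attestation step is added, not before.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM
        run: |
          echo "SBOM generation would run here"
          # For Rust: cargo-sbom
          # For Node: npm sbom
      - name: Check checksum files
        run: |
          # Presence check only; this step does not verify any signature or digest.
          if [ -f "CHECKSUMS.txt" ] || [ -f "SHA256SUMS" ]; then
            echo "✅ Checksums file present"
          fi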
# VERIFICATION - Formal methods where applicable
  verification:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check SPARK proofs
        run: |
          # Any Ada spec file (*.ads) marks the tree as a candidate for SPARK proofs.
          if find . -name "*.ads" -print -quit | grep -q .; then
            echo "Ada/SPARK files found - formal verification applicable"
          fi
      - name: Type coverage
        run: |
          # A rescript.json at the root identifies a ReScript project.
          [ -f "rescript.json" ] && echo "ReScript provides 100% type coverage" || true
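# FUNCTIONALITY - Feature completeness
  functionality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check TODOs and FIXMEs
        run: |
          echo "=== Incomplete items ==="
          # `|| true` inside the group keeps a no-match grep from aborting the step under
          # `bash -e`; `.git` is excluded so hook samples and packed objects are not scanned.
          # The fallback text is printed only when nothing matched, never appended to output.
          HITS=$({ grep -rn "TODO\|FIXME\|UNIMPLEMENTED\|unimplemented!" --exclude-dir=.git . 2>/dev/null || true; } | head -20)
          if [ -n "$HITS" ]; then
            printf '%s\n' "$HITS"
          else
            echo "None"
          fi
      - name: Check deprecated usage
        run: |
          HITS=$({ grep -rn "deprecated\|DEPRECATED" --exclude-dir=.git . 2>/dev/null || true; } | head -10)
          if [ -n "$HITS" ]; then
            printf '%s\n' "$HITS"
          else
            echo "No deprecations"
          fi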
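# PERFORMANCE - Benchmarks and profiling
  performance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for benchmarks
        run: |
          # Grouped so the .git exclusion applies to both name patterns.
          BENCHES=$(find . -not -path './.git/*' \( -name "*bench*" -o -name "*perf*" \) | wc -l)
          echo "Benchmark files: $BENCHES"
      - name: Binary size check (Rust)
        run: |
          if [ -f "Cargo.toml" ]; then
            # A failed release build is surfaced as a warning instead of vanishing in /dev/null.
            if cargo build --release 2>/dev/null; then
              find target/release -maxdepth 1 -type f -executable -exec ls -lh {} \; 2>/dev/null || true
            else
              echo "::warning::cargo build --release failed; no binary sizes reported"
            fi
          fi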
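# ACCESSIBILITY - A11y compliance
  accessibility:
    runs-on: ubuntu-latest
    # hashFiles() is not accepted in a job-level `if` (the workflow was rejected with
    # "Unrecognized function: 'hashFiles'"), so the HTML presence check runs as a step
    # after checkout and gates the remaining steps through a step output.
    steps:
      - uses: actions/checkout@v4
      - name: Detect HTML files
        id: html
        run: |
          if find . -not -path './.git/*' -name "*.html" -print -quit | grep -q .; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
          fi
      - name: HTML accessibility check
        if: steps.html.outputs.present == 'true'
        run: |
          echo "Checking for a11y attributes..."
          # `|| true` inside the group keeps a no-match grep from aborting the step.
          A11Y=$({ grep -rE 'aria-|role=|alt=' --include="*.html" --exclude-dir=.git . 2>/dev/null || true; } | wc -l)
          echo "A11y attributes found: $A11Y"
      - name: Lighthouse (if web project)
        if: steps.html.outputs.present == 'true'
        run: |
          echo "Lighthouse would run on deployed URL"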
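# LICENSE COMPLIANCE
  license:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check license files
        run: |
          if [ -f "LICENSE" ] || [ -f "LICENSE.txt" ] || [ -f "LICENSE.md" ]; then
            echo "✅ License file present"
            head -5 LICENSE* 2>/dev/null
          else
            echo "::warning::No LICENSE file"
          fi
      - name: Check SPDX headers
        run: |
          # `-l` counts files, which is what the label reports (the old line count could
          # count one file several times). `|| true` keeps a no-match grep from aborting
          # the step under `bash -e`; `.git` is excluded from the scan.
          SPDX=$({ grep -rlE "SPDX-License-Identifier" --exclude-dir=.git . 2>/dev/null || true; } | wc -l)
          echo "Files with SPDX headers: $SPDX"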
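# DOCUMENTATION QUALITY
  documentation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check docs completeness
        run: |
          # Build a space-separated list of the documentation artefacts present. Explicit
          # if-blocks replace the `A || B && C` lists, whose left-to-right grouping was
          # correct but easy to misread.
          DOCS=""
          if [ -f "README.md" ] || [ -f "README.adoc" ]; then DOCS="$DOCS README"; fi
          if [ -f "CONTRIBUTING.md" ] || [ -f "CONTRIBUTING.adoc" ]; then DOCS="$DOCS CONTRIBUTING"; fi
          if [ -f "CHANGELOG.md" ]; then DOCS="$DOCS CHANGELOG"; fi
          if [ -f "SECURITY.md" ]; then DOCS="$DOCS SECURITY"; fi
          if [ -d "docs" ]; then DOCS="$DOCS docs/"; fi
          echo "Documentation:$DOCS"
      - name: Check code comments
        run: |
          # Lines starting with //, # or /* in Rust, ReScript and Python sources.
          # `|| true` inside the group keeps a no-match grep from aborting the step.
          COMMENTS=$({ grep -rE "^[[:space:]]*(//|#|/\*)" --include="*.rs" --include="*.res" --include="*.py" --exclude-dir=.git . 2>/dev/null || true; } | wc -l)
          echo "Comment lines: $COMMENTS"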