deps(security): pin pillow >= 12.2.0 (GHSA-whj4-6x5x-4v2j) (#228) #139
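# Post-merge validation for the main branch: full Python test suite with a
# coverage guardrail, a packaging smoke build, a frontend build, and a
# brand-identifier scan.
name: Main Validation

# Runs on every push to main and on manual dispatch.
on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege: GITHUB_TOKEN can only read repository contents. Scopes not
# listed here are not granted.
permissions:
  contents: read

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'

# One concurrency group per ref. An in-progress run is allowed to finish
# rather than being cancelled by a newer push. github.ref is only interpolated
# into this YAML value, never into a shell script.
concurrency:
  group: main-validation-${{ github.ref }}
  cancel-in-progress: false

# Third-party actions below are pinned to full commit SHAs, so a moved or
# re-pointed tag cannot change the code that runs. The trailing comment
# records the release each SHA is expected to correspond to.
jobs:
  python-full-validation:
    name: python-full-validation
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          # Do not leave the token in the local git config. Later steps run
          # project code (tests, builds), and no step visible here needs
          # authenticated git access.
          persist-credentials: false

      # Local composite action, not shown on this page. Presumably creates
      # the .venv that the following steps call into; confirm in the action.
      - name: Setup Python environment
        uses: ./.github/actions/setup-geosync
        with:
          python-version: '3.11'
          cache-prefix: main-full-tests

      - name: Verify pip executable
        run: .venv/bin/python -m pip --version

      # Skips tests marked nightly or flaky. Writes coverage.xml for the
      # guardrail step below.
      - name: Run broader post-merge validation suite
        run: |
          .venv/bin/pytest tests/ -m "not nightly and not flaky" \
            --cov=core \
            --cov=backtest \
            --cov=execution \
            --cov-config=configs/quality/critical_surface.coveragerc \
            --cov-report=term-missing \
            --cov-report=xml

      - name: Enforce coverage guardrail
        run: |
          .venv/bin/python -m tools.coverage.guardrail \
            --config configs/quality/critical_surface.toml \
            --coverage coverage.xml

  packaging-smoke:
    name: packaging-smoke
    runs-on: ubuntu-latest
    # Without an explicit limit a hung job holds a runner for the platform
    # default of 360 minutes. Ceiling chosen in review; tune it to observed
    # run times.
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          # The build backend executes project code. Keep the token out of
          # the working tree's git config.
          persist-credentials: false

      - name: Setup Python environment
        uses: ./.github/actions/setup-geosync
        with:
          python-version: '3.11'
          cache-prefix: main-package

      - name: Verify pip executable
        run: .venv/bin/python -m pip --version

      # Builds an sdist and a wheel into dist/. Nothing on this page uploads
      # or publishes them.
      - name: Build Python package artifacts
        run: .venv/bin/python -m build --sdist --wheel --outdir dist

  frontend-build-smoke:
    name: frontend-build-smoke
    runs-on: ubuntu-latest
    # Same reasoning as packaging-smoke: bound a hung install or build.
    # Ceiling chosen in review; tune it to observed run times.
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          # npm install and build scripts run third-party code. Keep the
          # token out of the working tree's git config.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '24'
          cache: npm
          cache-dependency-path: apps/web/package-lock.json

      # npm ci installs exactly what package-lock.json records and fails if
      # the lockfile and package.json disagree.
      - name: Build frontend
        working-directory: apps/web
        run: |
          npm ci
          npm run build

  brand-consistency:
    name: brand-consistency
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
        with:
          persist-credentials: false

      # Uses the runner's Python directly, not the project .venv. No
      # dependency install step precedes the scan.
      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: '3.11'

      - name: Scan for legacy brand identifiers
        run: python tools/quality/brand_consistency.py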