From 0937f2da8d9e86fc4a20cb6da2e186f0f852e2c2 Mon Sep 17 00:00:00 2001
From: docushell-admin
Date: Wed, 17 Jun 2026 14:26:55 +0530
Subject: [PATCH] Add security report alpha target
Signed-off-by: docushell-admin
---
.github/scripts/test_ci_workflow.py | 1 +
.github/scripts/test_security_report_alpha.py | 79 +++++++++++++++++++
.github/workflows/ci.yml | 2 +
Makefile | 8 +-
4 files changed, 89 insertions(+), 1 deletion(-)
create mode 100644 .github/scripts/test_security_report_alpha.py
diff --git a/.github/scripts/test_ci_workflow.py b/.github/scripts/test_ci_workflow.py
index f104562..b484ef6 100644
--- a/.github/scripts/test_ci_workflow.py
+++ b/.github/scripts/test_ci_workflow.py
@@ -51,6 +51,7 @@ def test_ci_workflow_guard_is_run_by_ci(self) -> None:
 self.assertIn("python3 .github/scripts/test_ci_workflow.py", text)
 self.assertIn("python3 .github/scripts/test_milestone_b_internal_checks.py", text)
 self.assertIn("python3 .github/scripts/test_rag_chunk_alpha.py", text)
+ self.assertIn("python3 .github/scripts/test_security_report_alpha.py", text)
 self.assertIn("python3 .github/scripts/test_execution_status.py", text)
 self.assertIn("python3 .github/scripts/test_roadmap_status.py", text)
 self.assertIn("python3 .github/scripts/test_milestone_b_closeout_record.py", text)
diff --git a/.github/scripts/test_security_report_alpha.py b/.github/scripts/test_security_report_alpha.py
new file mode 100644
index 0000000..f3e32d8
--- /dev/null
+++ b/.github/scripts/test_security_report_alpha.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from __future__ import annotations
+
+import unittest
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[2]
+MAKEFILE = ROOT / "Makefile"
+
+
+def makefile_text() -> str:
+ return MAKEFILE.read_text(encoding="utf-8")
+
+
+def target_block(target: str) -> str:
+ lines = makefile_text().splitlines()
+ start = None
+ for index, line in enumerate(lines):
+ if line == f"{target}:":
+ start = index + 1
+ break
+ if start is None:
+ raise AssertionError(f"{target} target is missing")
+
+ block: list[str] = []
+ for line in lines[start:]:
+ if line and not line.startswith(("\t", " ")):
+ break
+ block.append(line)
+ return "\n".join(block)
+
+
+class SecurityReportAlphaTests(unittest.TestCase):
+ def test_target_is_declared_phony(self) -> None:
+ text = makefile_text()
+
+ self.assertIn(".PHONY:", text)
+ self.assertIn("security-report-alpha", text)
+
+ def test_target_composes_security_report_artifact_gates(self) -> None:
+ block = target_block("security-report-alpha")
+
+ required = [
+ "$(PYTHON) schemas/validate_examples.py",
+ "$(PYTHON) schemas/test_security_report_validation.py",
+ "$(PYTHON) .github/scripts/test_security_report_alpha.py",
+ "git diff --check",
+ ]
+ for command in required:
+ self.assertIn(command, block)
+
+ def test_target_stays_security_report_scoped(self) -> None:
+ block = 
target_block("security-report-alpha") + + self.assertNotIn("cargo test", block) + self.assertNotIn("rag-chunk-alpha", block) + self.assertNotIn("layout-evaluator-alpha", block) + self.assertNotIn("python-surface-test", block) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 95d064f..9598d77 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,6 +60,8 @@ jobs: run: python3 .github/scripts/test_milestone_b_internal_checks.py - name: RAG chunk alpha target tests run: python3 .github/scripts/test_rag_chunk_alpha.py + - name: Security report alpha target tests + run: python3 .github/scripts/test_security_report_alpha.py - name: execution status tests run: python3 .github/scripts/test_execution_status.py - name: roadmap status tests diff --git a/Makefile b/Makefile index 49164af..ca2f241 100644 --- a/Makefile +++ b/Makefile @@ -13,7 +13,7 @@ COMPARE_RENDERED_CROPS_LEFT ?= $(VERIFY_RENDERED_CROPS_OUT)/run1 COMPARE_RENDERED_CROPS_RIGHT ?= $(VERIFY_RENDERED_CROPS_OUT)/run2 LAYOUT_EVALUATOR_OUT ?= $(ROOT)/target/layout-evaluator-alpha -.PHONY: verify-alpha verify-alpha-tree rag-chunk-alpha verify-rendered-crops compare-rendered-crops layout-evaluator-alpha python-surface-test milestone-b-internal-checks release-hygiene release-advisory third-party-license-manifest release-notice-draft +.PHONY: verify-alpha verify-alpha-tree rag-chunk-alpha security-report-alpha verify-rendered-crops compare-rendered-crops layout-evaluator-alpha python-surface-test milestone-b-internal-checks release-hygiene release-advisory third-party-license-manifest release-notice-draft $(ETHOS_BIN): cargo build --locked -p ethos-cli 
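Review bot: `test_target_composes_security_report_artifact_gates` checks each command with a substring `assertIn(command, block)`, so a recipe line that is commented out (`# $(PYTHON) schemas/validate_examples.py`) or carries Make's ignore-errors prefix `-` still satisfies it, and the gate can be switched off without this guard failing. Compare against the stripped recipe lines instead: `recipe = [line.strip() for line in block.splitlines()]` followed by `self.assertIn(command, recipe)`. `test_target_is_declared_phony` has the same weakness, because the target's own `security-report-alpha:` line already contains the name and the test passes even when the `.PHONY` entry is removed. Assert on the declaration line itself, e.g. `any("security-report-alpha" in line.split() for line in text.splitlines() if line.startswith(".PHONY:"))`.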
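Review bot: The step added here runs only `.github/scripts/test_security_report_alpha.py`, which reads the Makefile text and never executes the recipe, so as far as this hunk shows CI does not run `schemas/validate_examples.py` or `schemas/test_security_report_validation.py` through the new target. If no step outside the hunk already covers them, add one that executes the gate, e.g. `- name: Security report alpha gate` with `run: make security-report-alpha`. The surrounding `jobs:` block starts and ends outside the hunk, so existing coverage could not be checked.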
@@ -40,6 +40,12 @@ rag-chunk-alpha: $(PYTHON) .github/scripts/test_rag_chunk_alpha.py git diff --check +security-report-alpha: + $(PYTHON) schemas/validate_examples.py + $(PYTHON) schemas/test_security_report_validation.py + $(PYTHON) .github/scripts/test_security_report_alpha.py + git diff --check + verify-rendered-crops: $(ETHOS_BIN) $(PYTHON) examples/verify/check_rendered_crops.py --repo-root $(ROOT) --ethos-bin $(ETHOS_BIN) --out-dir $(VERIFY_RENDERED_CROPS_OUT) git diff --check