- Implement 4 production-ready audit scan tools in src/shards/audit.py - scan_status_reconciliation: detect terminated users still enabled in AD - scan_job_title_drift: detect title mismatches between Workday and AD - scan_department_mismatches: detect department/cost center drift - scan_name_variance_mismatches: detect display name inconsistencies - Add comprehensive integration test suite (tests/integration_test_audit_shard.py) - Create demo client (test_client.py) and MCP protocol simulator (test_mcp_protocol.py) - Add tool catalog generator (list_tools.py) for visibility across all 33 registered tools - Fix Windows console encoding in src/main.py to support emoji in shard status output - Add version management utility (scripts/bump_version.py) for release automation - Update workday test imports to use new drift_detection module path Completes session goal of establishing SOC 2-compliant cross-system drift detection per SESSION_SNAPSHOT_2026-04-13.md. All audit tools validated against mock data with expected mismatch scenarios (Bob Martinez, Carol Chen, David Kim cases). Refs: WIS-014, WIS-015, WIS-016, WIS-017, WIS-018
name: Nexus MCP - CI/CD Pipeline
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, develop, rebuild-* ]
|
|
pull_request:
|
|
branches: [ main, develop ]
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
test:
|
|
name: Test Suite
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
python-version: ["3.11", "3.12", "3.13"]
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Python ${{ matrix.python-version }}
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
|
|
- name: Cache pip dependencies
|
|
uses: actions/cache@v3
|
|
with:
|
|
path: ~/.cache/pip
|
|
key: ${{ runner.os }}-pip-${{ hashFiles('nexus-mcp/pyproject.toml') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-pip-
|
|
|
|
- name: Install dependencies
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -e .
|
|
pip install pytest pytest-cov black ruff
|
|
|
|
- name: Lint with ruff
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
ruff check src/ lib/ tests/ --ignore E501,F401
|
|
continue-on-error: true
|
|
|
|
- name: Format check with black
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
black --check --diff src/ lib/ tests/
|
|
continue-on-error: true
|
|
|
|
- name: Run unit tests
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
pytest tests/workday_tests/test_mismatch_scans.py -v --tb=short
|
|
|
|
- name: Run integration tests
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
pytest tests/integration_test_audit_shard.py -v --tb=short
|
|
|
|
- name: Run all tests with coverage
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
pytest tests/ -v --cov=src --cov=lib --cov-report=term --cov-report=xml
|
|
|
|
- name: Upload coverage reports
|
|
uses: codecov/codecov-action@v3
|
|
with:
|
|
file: nexus-mcp/coverage.xml
|
|
flags: unittests
|
|
name: codecov-${{ matrix.python-version }}
|
|
if: matrix.python-version == '3.13'
|
|
|
|
validate-server:
|
|
name: Validate MCP Server
|
|
runs-on: ubuntu-latest
|
|
needs: test
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.13"
|
|
|
|
- name: Install dependencies
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -e .
|
|
|
|
- name: Validate server imports
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
python -c "
|
|
import sys, os
|
|
sys.path.insert(0, 'lib')
|
|
sys.path.insert(0, 'src')
|
|
from dotenv import load_dotenv
|
|
load_dotenv()
|
|
from mcp.server.fastmcp import FastMCP
|
|
from shards import identity, workday, itsm, assets, logistics, audit
|
|
print('✅ All imports successful')
|
|
"
|
|
|
|
- name: Test server initialization
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
python test_client.py > /tmp/test_output.txt
|
|
grep -q "All audit tools executed successfully" /tmp/test_output.txt
|
|
echo "✅ Server initialization validated"
|
|
|
|
- name: Verify tool registration
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
python list_tools.py > /tmp/tools.txt
|
|
grep -q "48 tools available" /tmp/tools.txt
|
|
echo "✅ Tool registration validated"
|
|
|
|
security-scan:
|
|
name: Security & Dependency Check
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.13"
|
|
|
|
- name: Install safety
|
|
run: pip install safety
|
|
|
|
- name: Check dependencies for vulnerabilities
|
|
working-directory: nexus-mcp
|
|
run: |
|
|
pip install -e .
|
|
safety check --json || echo "⚠️ Security vulnerabilities found"
|
|
continue-on-error: true
|
|
|
|
- name: Scan for secrets
|
|
uses: trufflesecurity/trufflehog@main
|
|
with:
|
|
path: ./
|
|
base: ${{ github.event.repository.default_branch }}
|
|
head: HEAD
|
|
|
|
version-check:
|
|
name: Version & Changelog Check
|
|
runs-on: ubuntu-latest
|
|
if: github.event_name == 'pull_request'
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Check version bump
|
|
run: |
|
|
CURRENT_VERSION=$(grep -Po 'version = "\K[^"]*' nexus-mcp/pyproject.toml)
|
|
echo "Current version: $CURRENT_VERSION"
|
|
|
|
# Get main branch version
|
|
git fetch origin main
|
|
MAIN_VERSION=$(git show origin/main:nexus-mcp/pyproject.toml | grep -Po 'version = "\K[^"]*')
|
|
echo "Main branch version: $MAIN_VERSION"
|
|
|
|
if [ "$CURRENT_VERSION" == "$MAIN_VERSION" ]; then
|
|
echo "⚠️ Version not bumped in pyproject.toml"
|
|
echo "Please update version before merging to main"
|
|
exit 1
|
|
fi
|
|
|
|
echo "✅ Version bumped: $MAIN_VERSION → $CURRENT_VERSION"
|
|
|
|
- name: Check for CHANGELOG updates
|
|
run: |
|
|
if ! git diff origin/main...HEAD --name-only | grep -q "CHANGELOG.md\|nexus-mcp/README.md"; then
|
|
echo "⚠️ No CHANGELOG or README updates detected"
|
|
echo "Consider documenting your changes"
|
|
else
|
|
echo "✅ Documentation updated"
|
|
fi
|
|
|
|
build:
|
|
name: Build Distribution
|
|
runs-on: ubuntu-latest
|
|
needs: [test, validate-server]
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.13"
|
|
|
|
- name: Install build tools
|
|
run: pip install build twine
|
|
|
|
- name: Build package
|
|
working-directory: nexus-mcp
|
|
run: python -m build
|
|
|
|
- name: Check distribution
|
|
working-directory: nexus-mcp
|
|
run: twine check dist/*
|
|
|
|
- name: Upload artifacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: nexus-mcp-dist-${{ github.sha }}
|
|
path: nexus-mcp/dist/
|
|
retention-days: 30
|
|
|
|
notify:
|
|
name: Notify Status
|
|
runs-on: ubuntu-latest
|
|
needs: [test, validate-server, security-scan, build]
|
|
if: always()
|
|
|
|
steps:
|
|
- name: Report status
|
|
run: |
|
|
echo "Pipeline completed"
|
|
echo "Tests: ${{ needs.test.result }}"
|
|
echo "Validation: ${{ needs.validate-server.result }}"
|
|
echo "Security: ${{ needs.security-scan.result }}"
|
|
echo "Build: ${{ needs.build.result }}"
|