forked from HomeLab/unraid-mcp
Security:
- Remove /mnt/ from _ALLOWED_LOG_PREFIXES to prevent Unraid share exposure
- Add early .. detection for disk/logs and live/log_tail path validation
- Add /boot/ prefix restriction for flash_backup source_path
- Use hmac.compare_digest for timing-safe API key verification in server.py
- Gate include_traceback on DEBUG log level (no tracebacks in production)

Correctness:
- Re-raise CredentialsNotConfiguredError in health check instead of swallowing
- Fix ups_device query (remove non-existent nominalPower/currentPower fields)

Best practices (BP-01, BP-05, BP-06):
- Add # noqa: ASYNC109 to timeout params in _handle_live and unraid()
- Fix start_array* → start_array in docstring (not in ARRAY_DESTRUCTIVE)
- Remove from __future__ import annotations from snapshot.py
- Replace import-time UNRAID_API_KEY/URL bindings with _settings.ATTR pattern in manager.py, snapshot.py, utils.py, diagnostics.py — fixes stale binding after apply_runtime_config() post-elicitation (BP-05)

CI/CD:
- Add .github/workflows/ci.yml (5-job pipeline: lint, typecheck, test, version-sync, audit)
- Add fail_under = 80 to [tool.coverage.report]
- Add version sync check to scripts/validate-marketplace.sh

Documentation:
- Sync plugin.json version 1.1.1 → 1.1.2 with pyproject.toml
- Update CLAUDE.md: 3 tools, system domain count 18, scripts comment fix
- Update README.md: 3 tools, security notes
- Update docs/AUTHENTICATION.md: H1 title fix
- Add UNRAID_CREDENTIALS_DIR to .env.example

Bump: 1.1.1 → 1.1.2

Co-Authored-By: Claude <noreply@anthropic.com>
80 lines
2.3 KiB
YAML
name: CI

on:
  push:
    branches: ["main", "feat/**", "fix/**"]
  pull_request:
    branches: ["main"]

jobs:
  lint:
    name: Lint & Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
        with:
          version: "0.9.25"
      - name: Install dependencies
        run: uv sync --group dev
      - name: Ruff check
        run: uv run ruff check unraid_mcp/ tests/
      - name: Ruff format
        run: uv run ruff format --check unraid_mcp/ tests/

  typecheck:
    name: Type Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
        with:
          version: "0.9.25"
      - name: Install dependencies
        run: uv sync --group dev
      - name: ty check
        run: uv run ty check unraid_mcp/

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
        with:
          version: "0.9.25"
      - name: Install dependencies
        run: uv sync --group dev
      - name: Run tests (excluding integration/slow)
        run: uv run pytest -m "not slow and not integration" --tb=short -q
      - name: Check coverage
        run: uv run pytest -m "not slow and not integration" --cov=unraid_mcp --cov-report=term-missing --tb=short -q

  version-sync:
    name: Version Sync Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check pyproject.toml and plugin.json versions match
        run: |
          TOML_VER=$(grep '^version = ' pyproject.toml | sed 's/version = "//;s/"//')
          PLUGIN_VER=$(python3 -c "import json; print(json.load(open('.claude-plugin/plugin.json'))['version'])")
          echo "pyproject.toml: $TOML_VER"
          echo "plugin.json: $PLUGIN_VER"
          if [ "$TOML_VER" != "$PLUGIN_VER" ]; then
            echo "ERROR: Version mismatch! Update .claude-plugin/plugin.json to match pyproject.toml"
            exit 1
          fi
          echo "Versions in sync: $TOML_VER"

  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
        with:
          version: "0.9.25"
      - name: Dependency audit
        run: uv audit
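
The path and API-key checks listed under "Security" in the commit message, as an added Python example; it is not the project's code. Only the removal of /mnt/, the /boot/ restriction, the early `..` check and `hmac.compare_digest` come from the commit message; the log prefixes and all function names here are assumptions.

```python
import hmac
import posixpath

# Assumed allow-list for illustration; the commit only says /mnt/ is no longer in it.
ALLOWED_LOG_PREFIXES = ("/var/log/", "/boot/logs/")
# flash_backup source_path must stay under /boot/ (from the commit message).
FLASH_BACKUP_PREFIX = "/boot/"


def _check_path(path: str, prefixes: tuple[str, ...]) -> str:
    """Return the normalized path, or raise ValueError if it is not allowed."""
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    # Early rejection of any '..' segment, before normalization can fold it away.
    if ".." in path.split("/"):
        raise ValueError("'..' segment not allowed")
    normalized = posixpath.normpath(path)
    # Prefixes end in '/', so /var/log-evil/x cannot match /var/log/.
    # This is a string check only; it does not resolve symlinks.
    if not any((normalized + "/").startswith(p) for p in prefixes):
        raise ValueError(f"path outside allowed prefixes: {normalized}")
    return normalized


def validate_log_path(path: str) -> str:
    """Validation for log-reading actions (hypothetical helper name)."""
    return _check_path(path, ALLOWED_LOG_PREFIXES)


def validate_flash_source(path: str) -> str:
    """Validation for flash_backup source_path (hypothetical helper name)."""
    return _check_path(path, (FLASH_BACKUP_PREFIX,))


def verify_api_key(presented: str, expected: str) -> bool:
    """Timing-safe comparison of a presented key against the configured one."""
    if not expected:
        return False  # design choice in this example: fail closed if no key is set
    # Compare bytes: compare_digest raises TypeError on non-ASCII str input.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))
```
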