From fec00ae7f0dca5b47544be64b9b1ad43e7a40441 Mon Sep 17 00:00:00 2001 From: timon0305 Date: Tue, 5 May 2026 00:21:24 +0200 Subject: [PATCH 1/2] ci: add GitHub Actions workflow that runs the unittest suite (closes #13) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There was no CI on this repository — 137 unit tests in tests/ were only ever run when a developer remembered to run them locally. A regression that broke CLI parity, exclusion rules, exporter output, alias inference, or search filtering could land on master with no gate. New workflow `.github/workflows/tests.yml`: - Triggers on every push to master and every pull request. - Single ubuntu-latest runner, Python 3.12. - Installs only what the tests need (flask, fpdf2). pywebview from requirements.txt is the desktop-launcher dep and pulls GTK / Qt system packages — out of scope for the unittest suite, so it is deliberately omitted from the CI install. The unittest suite imports neither. - Runs `python -m unittest discover tests -v`. Local sanity-check with the same command on Python 3.12: 137/137 OK. --- .github/workflows/tests.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/tests.yml diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 0000000..6e53a02 --- /dev/null +++ b/.github/workflows/tests.yml 
@@ -0,0 +1,30 @@ +name: Tests + +on: + push: + branches: [master] + pull_request: + +jobs: + unittest: + name: Unit tests + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + + - name: Install runtime + test dependencies + # Only what the tests actually exercise. `pywebview` from requirements.txt + # is the desktop-launcher dep and pulls GTK / Qt system packages on Linux + # — out of scope for the unittest suite, so it's deliberately omitted here. + run: | + python -m pip install --upgrade pip + python -m pip install 'flask>=3.0' 'fpdf2>=2.7' + + - name: Run unittest suite + run: python -m unittest discover tests -v From 7177d9d3463edb3dd9995ac47620c17a24c0dc6d Mon Sep 17 00:00:00 2001 From: timon0305 Date: Tue, 5 May 2026 00:32:47 +0200 Subject: [PATCH 2/2] ci: pin action versions to immutable commit SHAs (CodeRabbit on PR #14) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace @v4 / @v5 tag refs with the matching commit SHAs on actions/checkout and actions/setup-python. Tags are mutable — a compromised maintainer can repoint them, silently swapping the code that runs in our CI runner. SHAs are immutable and remove that class of supply-chain risk. Verified each SHA against the live tag on github.com: gh api repos/actions/checkout/git/ref/tags/v4 \ --jq '.object.sha' # 34e114876b0b11c390a56381ad16ebd13914f8d5 gh api repos/actions/setup-python/git/ref/tags/v5 \ --jq '.object.sha' # a26af69be951a213d495a4c3e4e4022e16d87065 The trailing `# v4` / `# v5` comments preserve the major-version intent so future bumps stay deliberate. The leading comment block documents the bump procedure for the next person. --- .github/workflows/tests.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6e53a02..0cef4fa 100644 
--- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -11,10 +11,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + # Pinned to immutable commit SHAs (not @v4 / @v5) so a compromised tag + # cannot silently swap the underlying action code on this CI runner. + # When bumping, verify the new SHA via: + # gh api repos/actions//git/ref/tags/ --jq '.object.sha' + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12'
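Review bot: In the `@@ -0,0 +1,30 @@` hunk of PATCH 1/2, the new workflow has no `permissions:` key at the top level or under `jobs.unittest`, so the job's GITHUB_TOKEN takes the repository's default scope even though the steps only check out code and run tests. Suggest adding a top-level `permissions:` block with `contents: read`, and setting `persist-credentials: false` under `with:` on the checkout step, since no later step pushes. In the install step, `'flask>=3.0' 'fpdf2>=2.7'` are open-ended lower bounds maintained separately from requirements.txt, and `pip install --upgrade pip` is unbounded too, so a CI run can resolve different versions from one day to the next; a pinned test requirements file would make the gate reproducible and keep the two dependency lists from drifting.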
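Review bot: In the `@@ -11,10 +11,14 @@` hunk of PATCH 2/2, the bump procedure in the added comment block reads `.object.sha` from `git/ref/tags/...` without checking `.object.type`; for an annotated tag that value is the SHA of the tag object, not of the commit a `uses:` line should pin. Suggest documenting that the result must have type `commit`, and that a `tag` result needs dereferencing first. The command as it appears in the comment, `gh api repos/actions//git/ref/tags/ --jq '.object.sha'`, has empty path segments where the action name and tag belong, so spell the placeholders out. The trailing `# v4` and `# v5` comments name moving major tags, so the file does not record which release each SHA was taken from; putting the full release tag in the comment would make later audits and automated bumps easier to verify.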