# SPDX-License-Identifier: PMPL-1.0-or-later
# Copyright (c) 2026 Jonathan D.A. Jewell (hyperpolymath) <j.d.a.jewell@open.ac.uk>
#
# End-to-end test suite for panic-attack.
# Tests VeriSimDB integration (gracefully skips if gateway unavailable)
# and full scan→detect→report pipeline.
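name: E2E + Readiness + Bench

# Runs on pushes and pull requests that touch the sources, the tests, the
# manifest or this workflow, and on manual dispatch.
# The PR trigger is pull_request (not pull_request_target), so pull requests
# from forks run with a read-only token and without repository secrets.
on:
  push:
    branches: [main, master, develop]
    paths:
      - 'src/**'
      - 'tests/**'
      - 'Cargo.toml'
      - '.github/workflows/e2e.yml'
  pull_request:
    branches: [main, master]
    paths:
      - 'src/**'
      - 'tests/**'
      - 'Cargo.toml'
      # Listed here as well as under push, so that a change to this workflow
      # is exercised on the pull request that proposes it.
      - '.github/workflows/e2e.yml'
  # NOTE(review): a lockfile-only dependency change does not match any path
  # filter above; add the lockfile here if the repository commits one.
  workflow_dispatch:

# Least privilege: no step in this file is handed the job token explicitly,
# and checkout only needs to read the repository. Grant anything wider on the
# individual job that needs it rather than here.
permissions:
  contents: read

# One run per ref; a newer push cancels the run still in progress.
concurrency:
  group: e2e-${{ github.ref }}
  cancel-in-progress: true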
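# All third-party actions are pinned to a full commit SHA; the trailing
# comment records the tag the SHA was taken from.
jobs:
  # Builds the release binary and runs the VeriSimDB integration script.
  e2e-verisimdb:
    name: E2E — VeriSimDB Integration
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
        with:
          # Later steps build and run repository code; do not leave the job
          # token in .git/config where that code could read it. Remove only
          # if a later step needs authenticated git access.
          persist-credentials: false
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7  # stable
      - name: Rust cache
        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5  # v2
      - name: Build release binary
        run: cargo build --release
      - name: Run VeriSimDB E2E
        run: bash tests/verisimdb_e2e.sh

  # Builds the release binary and drives it against this repository and
  # against a small generated multi-language project.
  e2e-pipeline:
    name: E2E — Full Scan Pipeline
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
        with:
          persist-credentials: false
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7  # stable
      - name: Rust cache
        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5  # v2
      - name: Build release binary
        run: cargo build --release
      - name: E2E — Self-scan produces valid output
        run: |
          # Scan this repo itself — the tool should analyze its own source
          ./target/release/panic-attack assail . --output /tmp/self-scan.json
          # Verify JSON output is valid
          python3 -c "import json; data=json.load(open('/tmp/self-scan.json')); assert 'weak_points' in data or 'summary' in data, 'Missing expected fields'"
          echo "PASS: Self-scan produced valid JSON"
      - name: E2E — Multi-language detection
        run: |
          # Create a temp project with multiple language files.
          # The fixtures are deliberately unsafe samples for the scanner to
          # flag; they are written to disk only and never executed here.
          mkdir -p /tmp/e2e-multilang/src
          cat > /tmp/e2e-multilang/src/main.rs << 'RUST'
          fn main() {
              let user_input = std::env::args().nth(1).unwrap();
              std::process::Command::new("sh").arg("-c").arg(&user_input).output().unwrap();
          }
          RUST
          cat > /tmp/e2e-multilang/src/app.py << 'PYTHON'
          import os
          user = input()
          os.system(user) # command injection
          PYTHON
          cat > /tmp/e2e-multilang/src/run.sh << 'SHELL'
          #!/bin/bash
          eval "$1" # command injection
          SHELL
          # Scan and verify it finds weak points in multiple languages
          ./target/release/panic-attack assail /tmp/e2e-multilang --output /tmp/multilang-scan.json
          # Same structural check as the self-scan, so a missing or malformed
          # report fails the step instead of being reported as PASS.
          python3 -c "import json; data=json.load(open('/tmp/multilang-scan.json')); assert 'weak_points' in data or 'summary' in data, 'Missing expected fields'"
          # NOTE(review): nothing asserts yet that each language's fixture
          # produced a finding; add that once the report schema is confirmed.
          echo "PASS: Multi-language scan completed"
      - name: E2E — Attestation chain
        run: |
          # Run a scan with attestation and verify the chain
          # NOTE(review): apart from the output path this passes the same
          # arguments as the self-scan, and nothing below inspects a chain,
          # so the step only shows that the scan ran. It stays non-fatal as
          # before, but a failed run is surfaced as a warning rather than
          # being reported as PASS.
          if ./target/release/panic-attack assail . --output /tmp/attested-scan.json 2>&1; then
            echo "PASS: Attestation chain test completed"
          else
            echo "::warning::Attestation scan exited non-zero; no attestation chain was verified"
          fi
      - name: Upload E2E artifacts
        # Upload whatever reports exist even when an earlier step failed.
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
        with:
          name: e2e-scan-results
          path: /tmp/*-scan.json
          retention-days: 7

  # ─── Readiness Grade Tests (CRG: D/C/B tiers) ─────────────────────
  readiness:
    name: Readiness — Component Grade Verification
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
        with:
          persist-credentials: false
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7  # stable
      - name: Rust cache
        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5  # v2
      - name: Run readiness tests (Grade D/C/B)
        run: cargo test --test readiness -- --nocapture

  # ─── Benchmarks: Performance Regression Detection ──────────────────
  benchmarks:
    name: Bench — Scan Performance
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
        with:
          persist-credentials: false
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@4be9e76fd7c4901c61fb841f559994984270fce7  # stable
      - name: Rust cache
        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5  # v2
      - name: Run benchmarks
        # An explicit `shell: bash` runs with `-eo pipefail`; the default
        # shell omits pipefail, so tee's exit status would hide a failing
        # cargo bench and the step would pass.
        shell: bash
        run: cargo bench 2>&1 | tee /tmp/bench-results.txt
      - name: Upload benchmark results
        # Keep the captured output even when the benchmark step failed.
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
        with:
          name: benchmark-results
          path: /tmp/bench-results.txt
          retention-days: 30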