VERSO-UVM .github Repo

This is the organization-level configuration repository for VERSO-UVM. It hosts the shared CI/CD pipeline used by all VERSO projects.


What's here

| Path | Purpose |
|------|---------|
| `.github/workflows/verso-ci.yml` | Reusable workflow — the actual CI logic |
| `.github/workflow-templates/` | Starter template shown in the GitHub Actions UI |
| `profile/README.md` | Org profile shown at github.com/VERSO-UVM |

Adopting shared CI in a new repo

Option 1 — GitHub UI (recommended for new repos)

Go to your repo → Actions → New workflow → choose VERSO Quality & Security CI.

Option 2 — Copy the starter workflow manually

Create .github/workflows/ci.yml in your repo:

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main, develop]

jobs:
  quality:
    uses: VERSO-UVM/.github/.github/workflows/verso-ci.yml@main
```

That's it. The workflow auto-detects whether your repo has Python, Node, or both.
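The following script is an added example, not part of the VERSO-UVM workflow or its repository. It lets a contributor run the same blocking gates locally before opening a PR. The stack-detection heuristic (Python if a `pyproject.toml`, `requirements.txt`, `setup.py` or `setup.cfg` exists; Node if a `package.json` exists) is an assumption about how `verso-ci.yml` decides what to run, and the Semgrep ruleset (`--config auto`) is likewise assumed; the tool flags match the thresholds in the table below (`-lll` restricts bandit to HIGH, `--audit-level=high` for npm, `--severity ERROR` for semgrep).

```shell
#!/bin/sh
# Added example (not the VERSO-UVM workflow itself): mirror the shared CI
# gates locally before opening a PR. The detection heuristic is an assumption
# about how verso-ci.yml decides which stacks a repo contains.

# detect_stacks DIR : prints "python", "node", "python node", or nothing
detect_stacks() {
  dir="${1:-.}"
  stacks=""
  for f in pyproject.toml requirements.txt setup.py setup.cfg; do
    if [ -f "$dir/$f" ]; then stacks="python"; break; fi
  done
  if [ -f "$dir/package.json" ]; then
    stacks="${stacks:+$stacks }node"
  fi
  printf '%s\n' "$stacks"
}

# run_if_present TOOL ARGS... : run the check when the tool is installed,
# otherwise report it as skipped (exit 0); returns the tool's exit status
run_if_present() {
  tool="$1"; shift
  if command -v "$tool" >/dev/null 2>&1; then
    echo "== $tool $*"
    "$tool" "$@"
  else
    echo "== $tool not installed, skipped"
  fi
}

# local_ci DIR : run the blocking checks for each detected stack;
# returns 1 if any installed tool reported a failure
local_ci() {
  dir="${1:-.}"
  status=0
  for stack in $(detect_stacks "$dir"); do
    case "$stack" in
      python)
        run_if_present ruff check "$dir" || status=1
        run_if_present ruff format --check "$dir" || status=1
        # -lll limits bandit to HIGH-severity findings, the default PR gate
        run_if_present bandit -r "$dir" -lll -q || status=1
        # audits the active environment; pass -r requirements.txt to audit a lockfile instead
        run_if_present pip-audit || status=1
        ;;
      node)
        # --audit-level=high matches the shared workflow's blocking threshold
        (cd "$dir" && run_if_present npm audit --audit-level=high) || status=1
        ;;
    esac
  done
  # assumed ruleset: the shared workflow's Semgrep config is not shown in the README
  run_if_present semgrep scan --config auto --severity ERROR --error "$dir" || status=1
  return "$status"
}

# Usage: source this file, then run `local_ci .` from the repo root.
```

Tools that are not installed are reported as skipped rather than failing, so a partial local setup still gives useful feedback; the CI run remains the authority on what blocks the PR.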


What runs and what blocks PRs

| Check | Tool | Blocks PR? |
|-------|------|------------|
| Python lint | `ruff check` | Yes |
| Python format | `ruff format --check` | Yes |
| Python security scan | `bandit` (HIGH severity) | Yes |
| Python dependency audit | `pip-audit` | Yes |
| Python type check | `mypy` | Only if `enable-mypy: true` |
| Node lint | `eslint` | No (non-blocking by default) |
| Node dependency audit | `npm audit --audit-level=high` | Yes |
| Node type check | `tsc --noEmit` | Only if `enable-tsc-strict: true` |
| Multi-language security | `semgrep` (ERROR severity) | Yes |

Overriding defaults

```yaml
jobs:
  quality:
    uses: VERSO-UVM/.github/.github/workflows/verso-ci.yml@main
    with:
      python-version: "3.12"
      node-version: "22"
      bandit-fail-severity: "MEDIUM"   # HIGH | MEDIUM | LOW
      enable-mypy: true
      enable-tsc-strict: true
```

Repo-specific tool configuration

Override CI tool behavior by adding config files in your project repo:

| File | Tool | Purpose |
|------|------|---------|
| `ruff.toml` or `pyproject.toml` `[tool.ruff]` | ruff | Ignore rules, set line length, etc. |
| `.bandit` or `pyproject.toml` `[tool.bandit]` | bandit | Skip tests, adjust severity filters |
| `.semgrep.yml` | semgrep | Add or ignore rules |
| `.eslintrc.*` / `eslint.config.*` | eslint | Lint rules for JS/TS |
| `tsconfig.json` | tsc | TypeScript compiler options |

For ORCA students — what to expect when you open a PR

When you open a pull request, CI runs automatically. Here's what each check means:

  • Ruff lint / format — catches Python style issues. Fix them by running ruff check . --fix and ruff format . locally.
  • Bandit — scans for common security mistakes in Python code (e.g., hardcoded passwords, use of eval). Read the uploaded bandit-report artifact for details.
  • pip-audit / npm audit — checks your dependencies for known vulnerabilities. If this fails, a dependency you're using has a published CVE — ping your project lead.
  • Semgrep — language-agnostic security rules. Findings at ERROR severity block the PR.
  • mypy / tsc — type checking. These are non-blocking by default unless your project lead has enabled strict mode.

If CI fails and you're not sure why, download the bandit-report artifact from the Actions run for details, or ask in your project's Slack channel.


Planned improvements

  • Job summaries — add $GITHUB_STEP_SUMMARY output to each job so a formatted pass/fail table appears directly on the PR's Checks tab, without needing to click into individual job logs. Useful for students who aren't yet familiar with the Actions UI.
