Conversation
- Updated `.flake8` to extend ignore for E501.
- Modified `pyproject.toml` to include additional ignore rules for Ruff.
- Refactored type hints in `cli.py`, `config.py`, `engine.py`, `pipeline.py`, `registry.py`, and other files for better clarity and consistency.
- Improved logging and error handling in various modules.
- Enhanced readability by reformatting long lines and ensuring consistent indentation.
- Updated hardcoded credential patterns in `auth.py` and `injection.py` for better regex clarity.
- Adjusted datetime handling to use UTC consistently across models.
Pull request overview
Adds GitHub Actions CI/CD automation for the SENTINEL Python package, alongside dependency and small codebase cleanups to support consistent linting/testing and versioning.
Changes:
- Introduces CI workflow to enforce VERSION bumping and run ruff/black/mypy/pytest (with coverage).
- Introduces CD workflow to build artifacts and create a tag + GitHub Release when VERSION changes on main.
- Updates packaging/dev-dependency configuration (uv groups) and performs minor typing/formatting refactors across the codebase.
Reviewed changes
Copilot reviewed 25 out of 26 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| VERSION | Bumps project version to 0.1.4. |
| uv.lock | Adds coverage/pytest-cov and updates lock metadata for new dev dependency grouping. |
| sentinel/rules/builtin/injection.py | Minor regex string formatting consistency changes. |
| sentinel/rules/builtin/auth.py | Formatting/line-wrapping adjustments to patterns and exploit-chain construction. |
| sentinel/reporting/sarif_reporter.py | Minor formatting change for locations fallback expression. |
| sentinel/reporting/markdown_reporter.py | Minor formatting change in markdown table header lines. |
| sentinel/parsers/treesitter.py | Splits multi-import for clarity/formatting. |
| sentinel/models/graph.py | Migrates enum types to StrEnum (Py 3.11+) for better string-enum ergonomics. |
| sentinel/models/finding.py | Migrates to StrEnum and uses datetime.UTC in default timestamp. |
| sentinel/models/audit.py | Migrates to StrEnum, tightens typing, and cleans up annotations. |
| sentinel/mcp.py | Formatting cleanup; adds debug logging for parse failures; minor refactors for readability. |
| sentinel/logging.py | Improves typing and readability around structlog processor configuration. |
| sentinel/llm/openai.py | Minor formatting of structured-system prompt assembly. |
| sentinel/llm/claude.py | Minor formatting of structured-system prompt assembly. |
| sentinel/graph/builder.py | Formatting + safer string conversion for AST child text extraction. |
| sentinel/graph/backend.py | Formatting cleanup in list comprehensions / path finding. |
| sentinel/core/registry.py | Improves typing for decorator registration and removes type: ignore via cast(). |
| sentinel/core/pipeline.py | Updates return type annotation to non-string form (relies on future annotations). |
| sentinel/core/engine.py | Uses datetime.UTC; removes unused import; uses zip(..., strict=True) for safer pairing. |
| sentinel/config.py | Formatting cleanup in settings source tuple return. |
| sentinel/cli.py | Typing improvements, Optional modernizations, and some formatting tidy-ups. |
| pyproject.toml | Moves dev deps to [dependency-groups], adds pytest-cov, and updates ruff ignores. |
| .github/workflows/ci.yml | Adds CI workflow (lint/format/typecheck/tests + VERSION bump gate). |
| .github/workflows/cd.yml | Adds CD workflow (build + tag/release on VERSION change). |
| .flake8 | Simplifies flake8 config (now only ignores E501). |
| - name: Check if VERSION changed | ||
| id: ver | ||
| run: | | ||
| if git diff HEAD~1 HEAD -- VERSION | grep -q '^+[^+]'; then | ||
| echo "changed=true" >> $GITHUB_OUTPUT | ||
| echo "version=$(cat VERSION | tr -d '[:space:]')" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "changed=false" >> $GITHUB_OUTPUT | ||
| echo "version=$(cat VERSION | tr -d '[:space:]')" >> $GITHUB_OUTPUT | ||
| fi |
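Review bot: `git diff HEAD~1 HEAD -- VERSION` only compares the last commit, so a VERSION bump made in an earlier commit of a multi-commit push to main is never seen and no release is cut; it also depends on `HEAD~1` existing, which it does not with actions/checkout's default `fetch-depth: 1`. Diff the whole push range instead, e.g. `git diff "${{ github.event.before }}" "${{ github.sha }}" -- VERSION`, with a fallback for the all-zero `before` SHA that GitHub sends for a newly created branch, and set `fetch-depth: 0` on the checkout. The `version=` output line is identical in both branches of the `if`; hoist it above the conditional so the `changed` flag is the only thing the branches decide.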
Implemented in 48dd2ed: CD now checks VERSION changes across the full push range (${{ github.event.before }}..${{ github.sha }}), with a null-SHA fallback path, so multi-commit pushes won’t miss a VERSION bump.
| - name: Sync version to static manifests | ||
| run: python scripts/sync_version.py | ||
|
|
||
| - name: Build package | ||
| run: uv build | ||
|
|
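Review bot: running `scripts/sync_version.py` immediately before `uv build` means the artifacts are built from a working tree that differs from the commit the release will be tagged against, and nothing checks that the sync produced a clean result, so the released wheel/sdist can carry manifest contents that exist in no commit. Treat the sync as a verification step instead: run the script, then fail the job if it changed anything, e.g. `git diff --exit-code` (or `test -z "$(git status --porcelain)"`), so a release only proceeds when the synced manifests are already committed.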
Applied in b886a34: CD no longer relies on workflow-time manifest mutation for release output correctness; it now runs sync_version.py and fails if any workspace changes are introduced, so releases only proceed when synced manifest updates are already committed.
| - name: Ensure VERSION was bumped | ||
| if: github.event_name == 'pull_request' | ||
| shell: bash | ||
| run: | | ||
| BASE_VERSION="$(git show "${{ github.event.pull_request.base.sha }}:VERSION")" | ||
| HEAD_VERSION="$(git show "${{ github.event.pull_request.head.sha }}:VERSION")" | ||
| if [ "$BASE_VERSION" = "$HEAD_VERSION" ]; then | ||
| echo "::error::VERSION not bumped. Bump VERSION before merging." | ||
| exit 1 | ||
| fi |
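Review bot: `[ "$BASE_VERSION" = "$HEAD_VERSION" ]` only detects an unchanged string, so a whitespace-only edit, a malformed value, or a downgrade (0.1.4 to 0.1.3) all pass as a "bump". Trim both values, validate them as semver, and require the head version to compare strictly greater before accepting. Separately, `git show "<sha>:VERSION"` needs both `base.sha` and `head.sha` to be present in the checkout; on `pull_request` events actions/checkout fetches the merge ref at depth 1 by default, so this step will fail with "invalid object name" unless the checkout uses `fetch-depth: 0`.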
Implemented in b0cae5c: CI now trims whitespace from base/head VERSION values, validates both as semver, and then checks that VERSION was actually bumped. No UI changes in this update.
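The gate the reply above describes (trim whitespace, validate both values as semver, then require a real bump), written out as an added example. This is not code from the Sentinel repository or its CI workflow; the function names `check_version_bump`, `is_semver` and `semver_cmp`, the `$BASE_SHA`/`$HEAD_SHA` variables in the usage comment, and the sample values are assumptions made for illustration. It goes one step beyond the reply by also rejecting a downgrade and by comparing MAJOR.MINOR.PATCH numerically so that 1.10.0 is correctly treated as newer than 1.9.0.

```shell
#!/bin/sh
# Added example, not code from the Sentinel repository. Function names and
# the sample values are invented for illustration.

# Strip all whitespace: `git show <sha>:VERSION` returns the trailing newline.
trim() { printf '%s' "$1" | tr -d '[:space:]'; }

# Strict semver: MAJOR.MINOR.PATCH without leading zeros, plus optional
# -prerelease and +build suffixes. "v0.1.4", "0.1" and "0.1.04" are rejected.
is_semver() {
  printf '%s\n' "$1" | grep -Eq \
    '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
}

# Numeric comparison of the MAJOR.MINOR.PATCH core (prerelease/build ignored).
# Prints -1, 0 or 1 for $1 <, = or > $2, so 1.10.0 sorts after 1.9.0.
semver_cmp() {
  a=${1%%[-+]*}; b=${2%%[-+]*}
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Return 0 only when the new value is valid semver and strictly greater than
# the old one. Messages use the ::error:: syntax GitHub renders as annotations.
check_version_bump() {
  old=$(trim "$1"); new=$(trim "$2")
  for v in "$old" "$new"; do
    if ! is_semver "$v"; then
      echo "::error::VERSION '$v' is not a valid semver string"
      return 1
    fi
  done
  case $(semver_cmp "$old" "$new") in
    -1) echo "VERSION bumped: $old -> $new"; return 0 ;;
    0)  echo "::error::VERSION not bumped ($new). Bump VERSION before merging."; return 1 ;;
    *)  echo "::error::VERSION went backwards ($old -> $new)."; return 1 ;;
  esac
}

# In a pull_request CI step, with BASE_SHA/HEAD_SHA taken from the event and a
# checkout deep enough to contain both commits (fetch-depth: 0):
#   check_version_bump "$(git show "$BASE_SHA:VERSION")" "$(git show "$HEAD_SHA:VERSION")"
```

The numeric comparison matters because a plain string compare (`[ "$a" \< "$b" ]`) would rank 1.9.0 above 1.10.0; prerelease ordering is deliberately not implemented, so 0.2.0-rc1 and 0.2.0 compare equal and the gate would reject promoting a release candidate to final without a further bump.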
Agent-Logs-Url: https://github.com/Wembie/Sentinel/sessions/ac47afdf-b5d7-423c-a4ae-48969a4cdda1 Co-authored-by: Wembie <73087520+Wembie@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Wembie/Sentinel/sessions/b33259f7-53dc-427f-8103-7c90bb5fcd4d Co-authored-by: Wembie <73087520+Wembie@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Wembie/Sentinel/sessions/2813ab75-17b1-40ec-bdf5-7408fad85718 Co-authored-by: Wembie <73087520+Wembie@users.noreply.github.com>