security: add gitleaks pre-commit hook and CI scan #143
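name: run-integration-tests

# Runs only for pull requests. The three test jobs below execute the PR's
# code on self-hosted GPU runners, so the PR-approval settings for this
# repository are what stands between an untrusted PR and those machines.
# NOTE(review): confirm that fork PRs require approval before a run starts,
# and consider a workflow-level dispatch gate if the repository is public.
on:
  pull_request:

# Least-privilege token: actions/checkout needs contents:read, and
# dorny/paths-filter needs pull-requests:read on pull_request events.
# Nothing in this workflow writes to the repository, so no write scopes.
permissions:
  contents: read
  pull-requests: read

# NOTE(review): every action below is referenced by a mutable major tag
# (@v3/@v4/@v5). Pinning to full commit SHAs is the usual hardening; left
# unchanged here because no SHAs are recorded in this file.
jobs:
  # Decides whether the integration suites need to run at all, based on the
  # paths touched by the PR. Its single output gates every test job.
  changes:
    runs-on: ubuntu-latest
    outputs:
      should_run: ${{ steps.filter.outputs.code }}
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            code:
              - 'audio_separator/**'
              - 'tests/**'
              - 'pyproject.toml'
              - 'poetry.lock'
              - '.github/workflows/run-integration-tests.yaml'

  # ── Integration test jobs (parallel across 3 GPU runners) ──────────
  #
  # Balanced to ~7 min each so all 3 finish around the same time.
  #
  # ensemble-presets (~8 min): test_ensemble_integration (heaviest single file)
  # core-models (~7 min): test_24bit + test_cli + test_separator_output + roformer tests
  # stems-and-quality (~6 min): test_ensemble_meaningful + test_multi_stem + test_remote_api
  #
  # All three jobs share the same setup sequence; setup-python is invoked
  # twice on purpose: the first call only provides the interpreter, the
  # second (with cache: poetry) runs after poetry is on PATH — presumably
  # because the poetry cache backend needs it; verify against the action docs.
  ensemble-presets:
    needs: changes
    if: needs.changes.outputs.should_run == 'true'
    runs-on: [self-hosted, gpu]
    timeout-minutes: 15
    env:
      AUDIO_SEPARATOR_MODEL_DIR: /opt/audio-separator-models
    steps:
      - uses: actions/checkout@v4
      - name: Verify GPU availability
        run: nvidia-smi --query-gpu=driver_version,name,memory.total --format=csv,noheader
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - name: Install pipx and poetry
        run: |
          python -m pip install --user pipx && python -m pipx ensurepath
          python -m pipx install poetry
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y ffmpeg libsamplerate0 libsamplerate-dev
      - name: Set up Python with cache
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
          cache: poetry
      - name: Install Poetry dependencies (GPU)
        run: poetry install -E gpu
      # Only warns (does not fail) when the runner's model cache looks thin;
      # the tests themselves decide whether a missing model is fatal.
      - name: Verify pre-cached models
        run: |
          MODEL_COUNT=$(ls -1 "$AUDIO_SEPARATOR_MODEL_DIR" | wc -l)
          echo "Pre-cached models: $MODEL_COUNT"
          if [ "$MODEL_COUNT" -lt 10 ]; then
            echo "::warning::Expected at least 10 pre-cached model files, found $MODEL_COUNT"
          fi
      - name: "Run: ensemble preset tests (~8 min)"
        run: poetry run pytest -sv tests/integration/test_ensemble_integration.py
      - name: Upload test artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ensemble-presets-results
          path: |
            *.flac
            tests/*.flac

  core-models:
    needs: changes
    if: needs.changes.outputs.should_run == 'true'
    runs-on: [self-hosted, gpu]
    timeout-minutes: 15
    env:
      AUDIO_SEPARATOR_MODEL_DIR: /opt/audio-separator-models
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - name: Install pipx and poetry
        run: |
          python -m pip install --user pipx && python -m pipx ensurepath
          python -m pipx install poetry
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y ffmpeg libsamplerate0 libsamplerate-dev
      - name: Set up Python with cache
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
          cache: poetry
      - name: Install Poetry dependencies (GPU)
        run: poetry install -E gpu
      - name: "Run: 24-bit, CLI, output, and roformer tests (~7 min)"
        run: |
          poetry run pytest -sv \
            tests/integration/test_24bit_preservation.py \
            tests/integration/test_cli_integration.py \
            tests/integration/test_separator_output_integration.py \
            tests/integration/test_roformer_audio_quality.py \
            tests/integration/test_roformer_backward_compatibility.py \
            tests/integration/test_roformer_config_validation.py \
            tests/integration/test_roformer_e2e.py \
            tests/integration/test_roformer_fallback_mechanism.py \
            tests/integration/test_roformer_model_switching.py \
            tests/integration/test_roformer_new_parameters.py
      - name: Upload test artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: core-models-results
          path: |
            *.flac
            tests/*.flac

  stems-and-quality:
    needs: changes
    if: needs.changes.outputs.should_run == 'true'
    runs-on: [self-hosted, gpu]
    timeout-minutes: 15
    env:
      AUDIO_SEPARATOR_MODEL_DIR: /opt/audio-separator-models
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - name: Install pipx and poetry
        run: |
          python -m pip install --user pipx && python -m pipx ensurepath
          python -m pipx install poetry
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y ffmpeg libsamplerate0 libsamplerate-dev
      - name: Set up Python with cache
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
          cache: poetry
      - name: Install Poetry dependencies (GPU)
        run: poetry install -E gpu
      - name: "Run: ensemble quality, multi-stem, and remote API tests (~6 min)"
        run: |
          poetry run pytest -sv \
            tests/integration/test_ensemble_meaningful.py \
            tests/integration/test_multi_stem_verification.py \
            tests/integration/test_remote_api_integration.py
      - name: Upload test artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: stems-and-quality-results
          path: |
            *.flac
            tests/*.flac

  # ── Gate job for branch protection ────────────────────────────────
  #
  # Single required check. It must fail whenever the suites did not all
  # succeed, including when the `changes` job itself failed (previously a
  # failed `changes` job produced an empty output and the gate passed) and
  # when a suite ended as cancelled or skipped rather than "failure".
  integration-test:
    needs: [changes, ensemble-presets, core-models, stems-and-quality]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Check test results
        # `needs.*.result` and `should_run` are GitHub-controlled values
        # (success/failure/cancelled/skipped, true/false), not PR-supplied
        # text, so interpolating them into the shell script is safe.
        run: |
          if [[ "${{ needs.changes.result }}" != "success" ]]; then
            echo "Change detection did not succeed: ${{ needs.changes.result }}"
            exit 1
          fi
          if [[ "${{ needs.changes.outputs.should_run }}" != "true" ]]; then
            echo "Tests skipped - no code changes detected"
            exit 0
          fi
          echo "ensemble-presets: ${{ needs.ensemble-presets.result }}"
          echo "core-models: ${{ needs.core-models.result }}"
          echo "stems-and-quality: ${{ needs.stems-and-quality.result }}"
          # Anything other than success (failure, cancelled, skipped) fails the gate.
          if [[ "${{ needs.ensemble-presets.result }}" != "success" ]] || \
             [[ "${{ needs.core-models.result }}" != "success" ]] || \
             [[ "${{ needs.stems-and-quality.result }}" != "success" ]]; then
            echo "Integration tests failed"
            exit 1
          fi
          echo "All integration tests passed"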