ci: add static notebook validation and shell lint pipeline#21
Merged
Conversation
The repo had no CI, so dependency- and syntax-driven regressions in the notebook went undetected. Add a GitHub Actions workflow with two jobs: - notebook: validates the .ipynb is well-formed and that every code cell parses as Python (ci/check_notebook.py, stdlib-only, no GPU/dataset). - shell-lint: runs `bash -n` and shellcheck on generateCG.sh. End-to-end notebook execution is intentionally out of scope: it needs a CUDA GPU and the AMD dataset, which GitHub-hosted runners lack. That remains a future nbmake/papermill job on a self-hosted GPU runner. Closes #15 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #15. The repo had no CI, so syntax- and dependency-driven regressions went undetected. This adds
.github/workflows/ci.ymlwith two jobs:ci/check_notebook.py, a stdlib-only script that confirmsMy First Malware.ipynbis valid JSON/nbformat and that every code cell parses as Python (ast.parse). Catches the syntax/indentation class of breakage.bash -nandshellcheck --severity=warningongenerateCG.sh.Scope / honest limitations
The issue suggests executing the notebook end-to-end. That is not feasible on GitHub-hosted runners: the notebook needs a CUDA GPU and the ~20k-APK AMD dataset (
../amd_data). So this pipeline does the static checks that don't need either. I documented this directly in the workflow header.Importantly, a static check (or even a dependency import smoke test) would not have caught the historical
fn.copy_srcremoval — only executing the cell does, since it's a runtimeAttributeError. I deliberately did not add a deps-install/import job that would imply otherwise; full execution belongs in a futurenbmake/papermilljob on a self-hosted GPU runner with the dataset mounted (and after the remaining legacy DGL calls are modernized).Verification
python ci/check_notebook.py "My First Malware.ipynb"→OK(exit 0) locally.yaml.safe_load).🤖 Generated with Claude Code