
Fixing CIs #352

Merged
NiveditJain merged 7 commits into exospherehost:main from NiveditJain:adding-integration-tests'
Sep 4, 2025

Conversation

@NiveditJain (Member)

No description provided.

@coderabbitai (Contributor)

coderabbitai bot commented Sep 4, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Python SDK releases now include provenance, SBOMs (CycloneDX JSON/XML), and a vulnerability report. These artifacts are uploaded with releases for transparency and verification.
  • Documentation

    • Added an “Integration Tests (main)” status badge to the README.
    • Expanded Python SDK README with a “Supply Chain Security” section covering provenance, SBOMs, vulnerability scanning, verification steps, and available security artifacts.
  • Chores

    • Integration tests workflow renamed and now also runs on relevant pull requests, with scoped working directory and repository guard.

Walkthrough

Renames and gates the integration-tests workflow; adds PR trigger and working-directory scoping. Enhances python-sdk publish/release workflows with SBOM generation, pip-audit vulnerability reporting, provenance-enabled publish, and artifact uploads. Updates README badges and adds a Supply Chain Security section to python-sdk docs.

Changes

Cohort / File(s) Summary of changes
CI: Integration Tests workflow
.github/workflows/integration-tests.yml
Renamed workflow, added pull_request trigger (branches: main, limited paths), added if: github.repository == 'exospherehost/exospherehost', and set defaults.run.working-directory: integration-tests.
CI: Python SDK publish workflow (SBOM + provenance)
.github/workflows/publish-python-sdk.yml
Added steps to export requirements.txt, install cyclonedx-bom and pip-audit, generate CycloneDX SBOM (JSON) and non-blocking vulnerability report, upload SBOM artifacts, and perform uv publish --provenance with a PyPI version existence check.
CI: Python SDK release workflow (SBOM, provenance, release assets)
.github/workflows/release-python-sdk.yml
After version verification, generate requirements, install SBOM tools, produce CycloneDX JSON/XML, run non-blocking pip-audit report, create sbom-summary.md, run uv publish --provenance, upload SBOM artifacts (90-day retention), and attach artifacts/summary to the GitHub release.
Docs: Badges
README.md
Added two "Integration Tests (main)" GitHub Actions badges linking to the integration-tests workflow (branch main).
Docs: Supply chain security
python-sdk/README.md
Removed two bullets in Key Features and added a new "Supply Chain Security" section covering provenance, SBOMs, verification instructions, and security artifacts (documentation-only changes).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Dev as Developer
    participant GH as GitHub Actions
    participant Job as publish-python-sdk Job
    participant PyPI as PyPI

    Dev->>GH: Push (publish trigger)
    GH->>Job: Start job (wd: python-sdk)
    Job->>Job: Export requirements.txt
    Job->>Job: Install cyclonedx-bom, pip-audit
    Job->>Job: Generate CycloneDX SBOM (JSON)
    Job->>Job: Run pip-audit (non-blocking) -> vulnerability-report.json
    Job->>GH: Upload sbom-artifacts (SBOM, requirements, vuln report)
    Job->>PyPI: uv publish --provenance (skip if version exists)
    Note over Job,PyPI: Provenance attestation produced during publish
sequenceDiagram
    autonumber
    actor RelEng as Release Engineer
    participant GH as GitHub Actions
    participant Rel as release-python-sdk Job
    participant PyPI as PyPI
    participant GHRel as GitHub Release

    RelEng->>GH: Push tag (release trigger)
    GH->>Rel: Start job (after version check)
    Rel->>Rel: Export requirements.txt
    Rel->>Rel: Install cyclonedx-bom, pip-audit
    Rel->>Rel: Generate SBOM (JSON & XML)
    Rel->>Rel: Run pip-audit (non-blocking) -> vulnerability-report.json
    Rel->>Rel: Create sbom-summary.md
    Rel->>PyPI: uv publish --provenance
    Rel->>GH: Upload SBOM artifacts (90-day retention)
    Rel->>GHRel: Attach SBOM artifacts and summary to release
    Note over Rel,GHRel: Release body appended with SBOM summary
sequenceDiagram
    autonumber
    actor Any as Any event
    participant GH as GitHub Actions
    participant IT as integration-tests Job

    Any->>GH: Event triggers workflow
    GH->>IT: Evaluate `if: github.repository == ...`
    alt repository matches
        IT->>IT: Run with defaults.run.working-directory = integration-tests
    else
        IT--xGH: Job skipped
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


Poem

Hop, hop—SBOMs in tow,
Provenance signed beneath my toe.
Pip-audit hums a cautious tune,
Badges gleam beneath the moon.
I nibble logs and stamp release—secure and neat, hooray, I feast! 🐇🔐


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 67e001a and 586ec1a.

📒 Files selected for processing (3)
  • .github/workflows/integration-tests.yml (2 hunks)
  • .github/workflows/publish-python-sdk.yml (1 hunks)
  • .github/workflows/release-python-sdk.yml (1 hunks)
@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @NiveditJain, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the project's documentation by adding a status badge for integration tests to the README.md file. While the title suggests the addition of the tests themselves, this change specifically focuses on improving the visibility and accessibility of their current status via a GitHub Actions workflow badge.

Highlights

  • Integration Test Visibility: A new badge has been added to the README.md file, providing a direct visual indicator of the status of the project's integration tests.
  • README Update: The README.md file now includes a link to the integration-tests.yml GitHub Actions workflow, allowing quick access to test results.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds a status badge for the integration tests workflow to the README.md file. The change is functional, but for better consistency with other badges in the file, I've suggested using shields.io. Additionally, the pull request title 'Adding actual integration tests' is a bit misleading since the change only adds a badge; a title like 'docs: Add integration test status badge' would be more accurate.

NiveditJain and others added 3 commits September 4, 2025 16:50
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
- Updated integration-tests.yml to set a working directory for tests.
- Added SBOM generation steps in publish-python-sdk.yml and release-python-sdk.yml, including tools installation, SBOM creation in JSON and XML formats, and vulnerability report generation.
- Updated README.md to document supply chain security features, including package provenance, SBOM details, and verification instructions for enhanced transparency and security compliance.
@codecov
codecov bot commented Sep 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@NiveditJain NiveditJain changed the title Adding actual integration tests Fixing CIs Sep 4, 2025
@NiveditJain NiveditJain linked an issue Sep 4, 2025 that may be closed by this pull request
@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/integration-tests.yml (1)

56-57: Mongo auth likely fails without authSource=admin.

Root user is created in the admin DB; add authSource to the URI.

-            MONGO_URI: mongodb://admin:password@localhost:27017
+            MONGO_URI: mongodb://admin:password@localhost:27017/?authSource=admin
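Review bot: the `/?authSource=admin` suffix is the right fix for a root user created in the admin database, but the same line also hard-codes `admin:password` in the workflow file; if this URI is only for a throwaway service container in CI that is tolerable, yet the credential should be sourced from a workflow secret or a generated value so the literal is never copied into an environment that outlives the runner.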
♻️ Duplicate comments (1)
README.md (1)

12-12: Badge choice looks good; consistent with shields.io.

Matches prior suggestion to use shields.io for uniformity. No further action.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between d6d44a6 and 67e001a.

📒 Files selected for processing (5)
  • .github/workflows/integration-tests.yml (2 hunks)
  • .github/workflows/publish-python-sdk.yml (1 hunks)
  • .github/workflows/release-python-sdk.yml (1 hunks)
  • README.md (1 hunks)
  • python-sdk/README.md (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/release-python-sdk.yml

[error] 193-193: no new line character at the end of file

(new-line-at-end-of-file)


[error] 193-193: trailing spaces

(trailing-spaces)

.github/workflows/integration-tests.yml

[error] 15-15: wrong indentation: expected 12 but found 10

(indentation)


[error] 16-16: wrong indentation: expected 14 but found 12

(indentation)

🪛 markdownlint-cli2 (0.17.2)
README.md

12-12: Inline HTML
Element: a

(MD033, no-inline-html)


12-12: Inline HTML
Element: img

(MD033, no-inline-html)

🪛 LanguageTool
python-sdk/README.md

[grammar] ~82-~82: Use correct spacing
Context: ...s or clusters) ## Supply Chain Security The ExosphereHost Python SDK includes co...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~84-~84: Use correct spacing
Context: ...sure package integrity and transparency: ### Package Provenance All releases are pub...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~86-~86: Use correct spacing
Context: ...nd transparency: ### Package Provenance All releases are published with cryptogr...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~88-~88: Use correct spacing
Context: ...d the Sigstore ecosystem. This provides: - Cryptographic proof that packages were...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~90-~90: There might be a mistake here.
Context: ...by the official ExosphereHost repository - Tamper detection to verify packages ha...

(QB_NEW_EN)


[grammar] ~91-~91: There might be a mistake here.
Context: ... haven't been modified after publication - Build transparency showing exactly how...

(QB_NEW_EN)


[grammar] ~92-~92: Use correct spacing
Context: ...ctly how and where packages were created ### Software Bill of Materials (SBOM) Each ...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~94-~94: Use correct spacing
Context: ...d ### Software Bill of Materials (SBOM) Each release includes a complete Softwar...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~96-~96: Use correct spacing
Context: ...s in industry-standard CycloneDX format: - Complete dependency inventory listing ...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~98-~98: There might be a mistake here.
Context: ...g all direct and transitive dependencies - Vulnerability scanning results for all...

(QB_NEW_EN)


[grammar] ~99-~99: There might be a mistake here.
Context: ... scanning** results for all dependencies - License compliance information for ent...

(QB_NEW_EN)


[grammar] ~100-~100: There might be a mistake here.
Context: ... information for enterprise environments - Version tracking for security auditing...

(QB_NEW_EN)


[grammar] ~101-~101: Use correct spacing
Context: ...g** for security auditing and compliance ### Verification You can verify the authent...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~103-~103: Use correct spacing
Context: ...uditing and compliance ### Verification You can verify the authenticity of any E...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~105-~105: Use correct spacing
Context: ...thenticity of any ExosphereHost package: bash # Install verification tools pip install sigstore # Verify package provenance (replace X.Y.Z with actual version) python -m sigstore verify --bundle <bundle-file> exospherehost==X.Y.Z ### Security Artifacts For each release, yo...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~115-~115: Use correct spacing
Context: ...ehost==X.Y.Z ``` ### Security Artifacts For each release, you can find the follo...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~117-~117: Use correct spacing
Context: ...n find the following security artifacts: - SBOM files (JSON and XML formats) atta...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~119-~119: There might be a mistake here.
Context: ...XML formats) attached to GitHub releases - Vulnerability reports showing security...

(QB_NEW_EN)


[grammar] ~120-~120: There might be a mistake here.
Context: ... reports** showing security scan results - Provenance attestations available on P...

(QB_NEW_EN)


[grammar] ~121-~121: There might be a mistake here.
Context: ...venance attestations** available on PyPI - Build logs publicly available in GitHu...

(QB_NEW_EN)


[grammar] ~122-~122: Use correct spacing
Context: ...s** publicly available in GitHub Actions These features align with modern softwar...

(QB_NEW_EN_OTHER_ERROR_IDS_5)


[grammar] ~124-~124: Use correct spacing
Context: ...p meet enterprise security requirements. ## Architecture The SDK is built around tw...

(QB_NEW_EN_OTHER_ERROR_IDS_5)

🔇 Additional comments (2)
.github/workflows/publish-python-sdk.yml (1)

118-126: Artifact paths are correct with defaults.run; LGTM.

Artifacts resolve under python-sdk as intended.

python-sdk/README.md (1)

107-113: Use pypi-attestations for PEP 740 provenance verification
In python-sdk/README.md (lines 107–113), replace the current Sigstore snippet with:

# Install verification tools
pip install pypi-attestations

# Verify PyPI package provenance (replace <repository-url> and <package>.whl)
pypi-attestations verify pypi --repository <repository-url> pypi:<package>.whl

(docs.pypi.org)

For fully offline bundle verification, retain Sigstore:

pip install sigstore
python -m sigstore verify identity \
  --bundle <artifact>.sigstore \
  --cert-identity <identity> \
  --cert-oidc-issuer <issuer-url> \
  <artifact>

(python.org)

… the main branch

- Added pull_request event configuration to the integration-tests.yml file, specifying paths for integration tests, state manager, and Python SDK to ensure proper testing on PRs.
- Updated publish-python-sdk.yml and release-python-sdk.yml to generate requirements.txt from the lockfile for improved dependency management.
- Added version checks before publishing to PyPI to prevent overwriting existing versions.
- Included version output for installed SBOM generation tools to ensure transparency in the CI process.
@NiveditJain NiveditJain merged commit 91c1ff6 into exospherehost:main Sep 4, 2025
5 of 6 checks passed

Development

Successfully merging this pull request may close these issues.

Add provenance and SBOM support to Python SDK release workflow
