ci: install only job-specific tools#65
Merged
haasonsaas merged 2 commits intomainfrom Apr 29, 2026
Merged
Conversation
PR SummaryCursor Bugbot is generating a summary for commit 433dcfb. Configure here. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed:
ci-lintandci-teststill require all tools- Added
check-lint-toolsandcheck-test-toolsand wiredci-lint/ci-testto those narrower prerequisites instead ofcheck-tools.
- Added
Preview (bba17fad5a)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,8 +31,8 @@
- name: Install uv
uses: astral-sh/setup-uv@v7
- - name: Install toolchains
- run: make install-tools
+ - name: Install lint and format tooling
+ run: make install-format-tools install-lint-tools
- name: Format check
run: make ci-format-check
@@ -87,12 +87,13 @@
- name: Install Python dependencies
run: |
uv pip install --system -r app/requirements.txt
- make install-tools
+ make install-opa
- name: Wait for database
run: |
- for i in {1..30}; do
+ for attempt in {1..30}; do
pg_isready -h 127.0.0.1 -p 5432 -U postgres -d app_test && exit 0
+ echo "Waiting for Postgres ($attempt/30)..."
sleep 1
done
echo "Postgres did not become ready" >&2
@@ -121,11 +122,8 @@
go-version-file: go.mod
check-latest: true
- - name: Install uv
- uses: astral-sh/setup-uv@v7
-
- name: Prepare tooling
- run: make install-tools
+ run: make install-security-tools
- name: Run security checks
run: make security
@@ -190,16 +188,3 @@
# Start services briefly to test startup
timeout 30s docker compose -f docker-compose.secure.yml up --abort-on-container-exit || true
-
- opa-policy-test:
- name: Test OPA Policies
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v6
-
- - name: Setup OPA
- uses: open-policy-agent/setup-opa@v2
-
- - name: Run policy tests
- run: make opa-test
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@
OPA ?= opa
export PATH := $(GOBIN):$(PATH)
-.PHONY: all tidy build test lint format lint-go lint-python format-go format-python docker-up docker-down docker-logs db-migrate opa-test cert-refresh setup-venv security install-hooks
+.PHONY: all tidy build test lint format lint-go lint-python format-go format-python docker-up docker-down docker-logs db-migrate opa-test cert-refresh setup-venv security install-hooks install-tools install-format-tools install-lint-tools install-security-tools install-opa check-tools check-format-tools check-lint-tools check-test-tools
all: build
@@ -80,14 +80,31 @@
go run ./cmd/authz cert-refresh
# Tool installation and checks
-install-tools:
- @echo "Installing Go tools..."
+install-tools: install-format-tools install-lint-tools install-security-tools install-opa
+
+install-format-tools:
+ @echo "Installing format tools..."
mkdir -p $(GOBIN)
+ go install golang.org/x/tools/cmd/goimports@v0.36.0
+ uv tool install black
+ uv tool install isort
+
+install-lint-tools:
+ @echo "Installing lint tools..."
+ mkdir -p $(GOBIN)
GOPROXY=https://proxy.golang.org,direct go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$(GOLANGCI_LINT_VERSION)
- go install golang.org/x/tools/cmd/goimports@v0.36.0
+ uv tool install flake8
+ uv tool install mypy
+
+install-security-tools:
+ @echo "Installing security tools..."
+ mkdir -p $(GOBIN)
go install golang.org/x/vuln/cmd/govulncheck@latest
go install github.com/securego/gosec/v2/cmd/gosec@v2.22.6
+
+install-opa:
@echo "Ensuring OPA CLI is available..."
+ mkdir -p $(GOBIN)
@NEED_OPA=1; \
if command -v opa >/dev/null 2>&1; then \
if opa version >/dev/null 2>&1; then \
@@ -115,11 +132,6 @@
chmod +x $(GOBIN)/opa.tmp; \
mv $(GOBIN)/opa.tmp $(GOBIN)/opa; \
fi
- @echo "Installing Python tools..."
- uv tool install black
- uv tool install flake8
- uv tool install isort
- uv tool install mypy
setup-venv:
uv venv $(VENV)
@@ -140,6 +152,18 @@
@command -v mypy >/dev/null 2>&1 || { echo "mypy not found. Run 'make install-tools'"; exit 1; }
@echo "All tools are available!"
+check-format-tools:
+ @command -v black >/dev/null 2>&1 || { echo "black not found. Run 'make install-format-tools'"; exit 1; }
+ @command -v isort >/dev/null 2>&1 || { echo "isort not found. Run 'make install-format-tools'"; exit 1; }
+
+check-lint-tools:
+ @test -x "$(GOLANGCI_LINT)" || { echo "golangci-lint not found at $(GOLANGCI_LINT). Run 'make install-lint-tools'"; exit 1; }
+ @command -v flake8 >/dev/null 2>&1 || { echo "flake8 not found. Run 'make install-lint-tools'"; exit 1; }
+ @command -v mypy >/dev/null 2>&1 || { echo "mypy not found. Run 'make install-lint-tools'"; exit 1; }
+
+check-test-tools:
+ @command -v pytest >/dev/null 2>&1 || { echo "pytest not found. Install app requirements first"; exit 1; }
+
security:
@echo "Running govulncheck..."
@# govulncheck currently fails due to golang.org/x/sync/semaphore type info missing via github.com/jackc/puddle/v2
@@ -150,9 +174,9 @@
$(GOSEC) ./...
# CI/CD targets
-ci-lint: check-tools lint
-ci-test: check-tools test
-ci-format-check: check-tools
+ci-lint: check-lint-tools lint
+ci-test: check-test-tools test
+ci-format-check: check-format-tools
@echo "Checking Go formatting..."
@if [ "$$(gofmt -l . | wc -l)" -ne 0 ]; then echo "Go files need formatting. Run 'make format-go'"; exit 1; fi
@echo "Checking Python formatting..."You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 433dcfb. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
make install-toolstarget into format/lint/security/OPA install targets.Run Testsalready runsmake opa-test.Evidence
Recent GitHub Actions timing showed
CI/CD Pipelineas the largest sampled EvalOps CI consumer: 47 recent runs, ~353 total workflow-minutes. The heaviest repeated jobs wereSecurity Scanning(~288 sampled job-min),Run Tests(~278), andLint and Format Check(~274), all paying for oversized tool setup.Validation
git diff --checkactionlint .github/workflows/ci.ymlmake -n install-tools ci-format-check opa-test