Test

build: keep provenance in ci only #50

	name: Test

	on:
	push:
	branches: ["master"]
	pull_request:

	jobs:
	validate:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: "3.12"

	- name: Install Python dependencies
	run: \|
	python -m pip install --upgrade pip
	python -m pip install pyyaml

	- name: Run unit tests
	run: python -m unittest discover -s skills/libro-wcag/scripts/tests -p "test_*.py"

	- name: Validate skill
	run: python scripts/validate_skill.py skills/libro-wcag

	dependency-audit:
	if: ${{ vars.LIBRO_RUN_DEPENDENCY_AUDIT == '1' }}
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Set up Python
	uses: actions/setup-python@v5
	with:
	python-version: "3.12"

	- name: Set up Node.js
	uses: actions/setup-node@v4
	with:
	node-version: "20"

	- name: Run Python dependency audit
	run: \|
	python -m pip install --upgrade pip
	python -m pip install pyyaml pip-audit
	python -m pip-audit --strict --desc

	- name: Run Node scanner dependency audit
	run: \|
	mkdir -p .ci/scanner-toolchain
	npm install --prefix .ci/scanner-toolchain --package-lock-only @axe-core/cli@4.10.2 lighthouse@12.3.0
	npm audit --prefix .ci/scanner-toolchain --audit-level=high

Provide feedback