feat: code quality audit + autoresearch integration + infra hardening (#150)

.github/workflows/tests.yml

@@ -7,8 +7,30 @@ on:
     branches: ["**"]
 
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install linters
+        run: pip install black==23.12.1 isort==5.13.2 bandit==1.7.5
+
+      - name: Check formatting (black)
+        run: black --check --line-length 100 src/ tests/
+
+      - name: Check import order (isort)
+        run: isort --check --profile black --line-length 100 src/ tests/
+
+      - name: Security scan (bandit)
+        run: bandit -r src/ -ll -s B101,B104,B307,B310,B324,B601,B608 -q
+
   test:
     runs-on: ubuntu-latest
+    needs: lint
 
     # Required for publish-unit-test-result-action to post check runs and PR comments
     permissions:
@@ -22,7 +44,15 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
-          cache: "pip"
+
+      - name: Cache Poetry virtualenv
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/pypoetry
+            ~/.cache/pip
+          key: poetry-${{ hashFiles('poetry.lock') }}
+          restore-keys: poetry-
 
       - name: Install dependencies
         run: |
@@ -60,3 +90,11 @@ jobs:
           name: coverage-report
           path: reports/coverage.xml
           retention-days: 14
+
+  docker-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: DOCKER_BUILDKIT=1 docker build -t timmy-time:ci .