diff --git a/.github/workflows/ci-python-with-docker.yml b/.github/workflows/ci-python-with-docker.yml new file mode 100644 index 0000000..b489b6a --- /dev/null +++ b/.github/workflows/ci-python-with-docker.yml @@ -0,0 +1,58 @@ +name: Python + Docker CI +on: + workflow_call: + secrets: + SONAR_TOKEN: + required: true + SNYK_TOKEN: + required: true + +jobs: + ci: + runs-on: ubuntu-latest + steps: + - name: Check out repository code + uses: actions/checkout@v4.1.4 + with: + fetch-depth: 0 + - uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: Dockerfile + output-file: hadolint.out + format: sonarqube + no-fail: true + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" + - name: Update Pip + run: | + pip install -U pip + - name: Install dependencies + run: | + pip install -r requirements.txt + pip install -r requirements-dev.txt + pip install pylint-exit + - name: Lint + run: pylint --recursive=yes --output-format=parseable --output=lintreport.txt . || pylint-exit $? + - name: Unit Test + run: | + coverage run -m pytest -v --junitxml=testresults.xml + coverage xml + sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + - name: Snyk Vulnerability Scan + uses: snyk/actions/python-3.10@master + continue-on-error: true # To make sure that SARIF upload gets called + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --sarif-file-output=snyk.sarif + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk.sarif