actions/gha-workflows
5
1
Fork 0
Code Issues Pull Requests Actions Packages Releases Activity

Compare commits

base: actions:main
Branches Tags
actions:main
..
compare: actions:6e29aefb58d2f802b0ca5580730914737f9f6ca6
Branches Tags
actions:main

1 Commits
main ... 6e29aefb58

Author SHA1 Message Date
Renovate [BOT]
6e29aefb58 chore(deps): update actions/setup-python action to v6 2025-09-04 04:37:45 +00:00
20 changed files with 255 additions and 305 deletions
Expand all files Collapse all files

2
.gitea/workflows/build-push-docker.yml
View File

@@ -43,7 +43,7 @@ jobs:
REPO: ${{ gitea.repository }}
- name: Check out repository
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
ref: ${{ inputs.release }}

2
.gitea/workflows/changelog.yaml
View File

@@ -19,7 +19,7 @@ jobs:
clean_changelog: ${{ steps.get_next_version.outputs.clean_changelog }}
steps:
- name: Check out repository
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0

26
.gitea/workflows/ci-docker.yml
View File

@@ -12,26 +12,26 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0
- uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
output-file: hadolint.out
format: sonarqube
no-fail: true
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python@master
# continue-on-error: true # Sometimes vulns aren't immediately fixable
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: test --all-projects
- name: Snyk Vulnerability Scan
uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: test --all-projects

38
.gitea/workflows/ci-python-poetry-with-docker.yml
View File

@@ -6,11 +6,11 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
env:
PATH: ${{ env.PATH }}:/root/.poetry/bin
@@ -20,11 +20,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0
- uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
output-file: hadolint.out
@@ -44,7 +44,7 @@ jobs:
poetry config virtualenvs.create true --local
poetry config virtualenvs.in-project true --local
- uses: actions/cache@v5
- uses: actions/cache@v4
name: Define cache for dependencies
with:
path: ./.venv
@@ -65,15 +65,15 @@ jobs:
poetry run coverage xml
sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python@master
# continue-on-error: true # Sometimes vulns aren't immediately fixable
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: test --all-projects
- name: Snyk Vulnerability Scan
uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: test --all-projects

36
.gitea/workflows/ci-python-poetry.yml
View File

@@ -6,11 +6,11 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
env:
PATH: ${{ env.PATH }}:/root/.poetry/bin
@@ -20,7 +20,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
@@ -37,7 +37,7 @@ jobs:
poetry config virtualenvs.create true --local
poetry config virtualenvs.in-project true --local
- uses: actions/cache@v5
- uses: actions/cache@v4
name: Define cache for dependencies
with:
path: ./.venv
@@ -56,15 +56,15 @@ jobs:
poetry run coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python@master
# continue-on-error: true # Sometimes vulns aren't immediately fixable
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: test --all-projects
- name: Snyk Vulnerability Scan
uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: test --all-projects

46
.gitea/workflows/ci-python-uv-with-docker.yml
View File

@@ -6,25 +6,25 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_HOST_URL:
# required: false
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_HOST_URL:
required: false
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
jobs:
ci:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- name: Run Hadolint
uses: hadolint/hadolint-action@v3.3.0
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
output-file: hadolint.out
@@ -37,7 +37,7 @@ jobs:
python-version: "${{ vars.PYTHON_VERSION }}"
- name: uv cache
uses: actions/cache@v5
uses: actions/cache@v4
with:
path: /tmp/.uv-cache
key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
@@ -62,17 +62,17 @@ jobs:
- name: Minimize uv cache
run: uv cache prune --ci
# - name: SonarQube Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python@master
# continue-on-error: true # Sometimes vulns aren't immediately fixable
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# command: snyk
# args: test --all-projects
- name: Snyk Vulnerability Scan
uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: snyk
args: test --all-projects

38
.gitea/workflows/ci-python-with-docker.yml
View File

@@ -6,22 +6,22 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
jobs:
ci:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0
- uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
output-file: hadolint.out
@@ -36,7 +36,7 @@ jobs:
- name: Update Pip
run: pip install -U pip
- uses: actions/cache@v5
- uses: actions/cache@v4
name: Define cache for dependencies
with:
path: .
@@ -57,15 +57,15 @@ jobs:
coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python@master
# continue-on-error: true # Sometimes vulns aren't immediately fixable
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: test --all-projects
- name: Snyk Vulnerability Scan
uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: test --all-projects

36
.gitea/workflows/ci-python.yml
View File

@@ -6,18 +6,18 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
jobs:
ci:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
@@ -29,7 +29,7 @@ jobs:
- name: Update Pip
run: pip install -U pip
- uses: actions/cache@v5
- uses: actions/cache@v4
name: Define cache for dependencies
with:
path: .
@@ -50,15 +50,15 @@ jobs:
coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python@master
# continue-on-error: true # Sometimes vulns aren't immediately fixable
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: test --all-projects
- name: Snyk Vulnerability Scan
uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: test --all-projects

4
.gitea/workflows/create-release.yml
View File

@@ -19,7 +19,7 @@ jobs:
clean_changelog: ${{ steps.get_next_version.outputs.clean_changelog }}
steps:
- name: Check out repository
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
@@ -72,7 +72,7 @@ jobs:
needs: get_next_release
steps:
- name: Check out repository
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0

10
.gitea/workflows/docker-compose-deploy.yml
View File

@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: "[ON RUNNER] Notify Build Start"
uses: https://git.tainton.uk/actions/pushover-action@v1.1.4
uses: https://git.tainton.uk/actions/pushover-action@v1.1.3
env:
PUSHOVER_APP_TOKEN: ${{ secrets.PUSHOVER_APP_TOKEN }}
PUSHOVER_USER_TOKEN: ${{ secrets.PUSHOVER_USER_TOKEN }}
@@ -35,7 +35,7 @@ jobs:
url_title: 'View Logs'
- name: "[ON RUNNER] Checkout the repo"
uses: actions/checkout@v6
uses: actions/checkout@v4
- name: "[ON RUNNER] Set project variables"
run: |
@@ -54,7 +54,7 @@ jobs:
ALLSECRETS: ${{ toJSON(secrets) }}
- name: "[ON HOST] Make directory if not exists"
uses: appleboy/ssh-action@v1.2.5
uses: appleboy/ssh-action@v1.2.2
with:
host: ${{ secrets.DEPLOY_HOST }}
username: ${{ secrets.DEPLOY_USERNAME }}
@@ -74,7 +74,7 @@ jobs:
target: "${{ env.project_folder }}/"
- name: "[ON HOST] Deploy Stack"
uses: appleboy/ssh-action@v1.2.5
uses: appleboy/ssh-action@v1.2.2
with:
host: ${{ secrets.DEPLOY_HOST }}
username: ${{ secrets.DEPLOY_USERNAME }}
@@ -85,7 +85,7 @@ jobs:
docker compose --env-file .env up --detach
- name: "[ON RUNNER] Notify Build End"
uses: https://git.tainton.uk/actions/pushover-action@v1.1.4
uses: https://git.tainton.uk/actions/pushover-action@v1.1.3
env:
PUSHOVER_APP_TOKEN: ${{ secrets.PUSHOVER_APP_TOKEN }}
PUSHOVER_USER_TOKEN: ${{ secrets.PUSHOVER_USER_TOKEN }}

6
.gitea/workflows/docker-compose-remove.yml
View File

@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: "[ON RUNNER] Notify Build Start"
uses: https://git.tainton.uk/actions/pushover-action@v1.1.4
uses: https://git.tainton.uk/actions/pushover-action@v1.1.3
env:
PUSHOVER_APP_TOKEN: ${{ secrets.PUSHOVER_APP_TOKEN }}
PUSHOVER_USER_TOKEN: ${{ secrets.PUSHOVER_USER_TOKEN }}
@@ -41,7 +41,7 @@ jobs:
echo "project_folder=/home/${{ secrets.DEPLOY_USERNAME }}/$projectname" >> $GITEA_ENV
- name: "[ON HOST] Remove Stack"
uses: appleboy/ssh-action@v1.2.5
uses: appleboy/ssh-action@v1.2.2
with:
host: ${{ secrets.DEPLOY_HOST }}
username: ${{ secrets.DEPLOY_USERNAME }}
@@ -54,7 +54,7 @@ jobs:
rm -rf ${{ env.project_folder }}
- name: "[ON RUNNER] Notify Build End"
uses: https://git.tainton.uk/actions/pushover-action@v1.1.4
uses: https://git.tainton.uk/actions/pushover-action@v1.1.3
env:
PUSHOVER_APP_TOKEN: ${{ secrets.PUSHOVER_APP_TOKEN }}
PUSHOVER_USER_TOKEN: ${{ secrets.PUSHOVER_USER_TOKEN }}

2
.gitea/workflows/release-with-tag.yaml
View File

@@ -19,7 +19,7 @@ jobs:
clean_changelog: ${{ steps.get_next_version.outputs.clean_changelog }}
steps:
- name: Check out repository
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0

2
.github/workflows/build-push-attest-docker.yml vendored
View File

@@ -24,7 +24,7 @@ jobs:
success: ${{ steps.set_flag.outputs.success }}
steps:
- name: Check out the repo
uses: actions/checkout@v6
uses: actions/checkout@v4
with:
ref: ${{ inputs.release }}

49
.github/workflows/ci-docker.yml vendored
View File

@@ -1,43 +1,40 @@
name: Docker CI
on:
workflow_call:
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
jobs:
ci:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0
- uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
output-file: hadolint.out
format: sonarqube
no-fail: true
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif --all-projects
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python-3.10@master
# continue-on-error: true # To make sure that SARIF upload gets called
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: --sarif-file-output=snyk.sarif --all-projects
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif

56
.github/workflows/ci-python-poetry-with-docker.yml vendored
View File

@@ -6,11 +6,11 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
jobs:
ci:
@@ -21,56 +21,46 @@ jobs:
run: |
PYTHON_VERSION=${{ inputs.python-version }}
echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0
- uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
output-file: hadolint.out
format: sonarqube
no-fail: true
- name: Setup Python
uses: actions/setup-python@v6
with:
python-version: "${{ steps.python-version.outputs.value }}"
- name: Setup Poetry
uses: abatilo/actions-poetry@v4
- name: Install dependencies
run: poetry install
- name: Lint
run: |
poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
cat lintreport.txt
- name: Unit Test
run: |
poetry run coverage run -m pytest -v --junitxml=testresults.xml
poetry run coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python-3.10@master
# continue-on-error: true # To make sure that SARIF upload gets called
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: --sarif-file-output=snyk.sarif --all-projects
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif --all-projects
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif

53
.github/workflows/ci-python-poetry.yml vendored
View File

@@ -6,11 +6,11 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
jobs:
ci:
@@ -21,47 +21,38 @@ jobs:
run: |
PYTHON_VERSION=${{ inputs.python-version }}
echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- name: Setup Python
uses: actions/setup-python@v6
with:
python-version: "${{ steps.python-version.outputs.value }}"
- name: Setup Poetry
uses: abatilo/actions-poetry@v4
- name: Install dependencies
run: poetry install
- name: Lint
run: poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
- name: Unit Test
run: |
poetry run coverage run -m pytest -v --junitxml=testresults.xml
poetry run coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python-3.10@master
# continue-on-error: true # To make sure that SARIF upload gets called
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: --sarif-file-output=snyk.sarif --all-projects
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif --all-projects
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif

56
.github/workflows/ci-python-with-docker.yml vendored
View File

@@ -6,11 +6,11 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
jobs:
ci:
@@ -21,57 +21,47 @@ jobs:
run: |
PYTHON_VERSION=${{ inputs.python-version }}
echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0
- uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
output-file: hadolint.out
format: sonarqube
no-fail: true
- name: Setup Python
uses: actions/setup-python@v6
with:
python-version: "${{ steps.python-version.outputs.value }}"
- name: Update Pip
run: |
pip install -U pip
- name: Install dependencies
run: |
pip install -r requirements.txt
pip install -r requirements-dev.txt
- name: Lint
run: pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
- name: Unit Test
run: |
coverage run -m pytest -v --junitxml=testresults.xml
coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python-3.10@master
# continue-on-error: true # To make sure that SARIF upload gets called
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: --sarif-file-output=snyk.sarif --all-projects
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif --all-projects
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif

53
.github/workflows/ci-python.yml vendored
View File

@@ -6,11 +6,11 @@ on:
type: string
default: "3.11"
description: "Version of Python to use for testing environment"
# secrets:
# SONAR_TOKEN:
# required: true
# SNYK_TOKEN:
# required: true
secrets:
SONAR_TOKEN:
required: true
SNYK_TOKEN:
required: true
jobs:
ci:
@@ -21,50 +21,41 @@ jobs:
run: |
PYTHON_VERSION=${{ inputs.python-version }}
echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT
- name: Check out repository code
uses: actions/checkout@v6.0.2
uses: actions/checkout@v4.3.0
with:
fetch-depth: 0
- name: Setup Python
uses: actions/setup-python@v6
with:
python-version: "${{ steps.python-version.outputs.value }}"
- name: Update Pip
run: |
pip install -U pip
- name: Install dependencies
run: |
pip install -r requirements.txt
pip install -r requirements-dev.txt
- name: Lint
run: pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
- name: Unit Test
run: |
coverage run -m pytest -v --junitxml=testresults.xml
coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python-3.10@master
# continue-on-error: true # To make sure that SARIF upload gets called
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: --sarif-file-output=snyk.sarif --all-projects
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v5.3.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif --all-projects
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif

2
.github/workflows/create-release.yml vendored
View File

@@ -17,7 +17,7 @@ jobs:
release_name: ${{ steps.tag_version.outputs.new_tag }}
success: ${{ steps.set_flag.outputs.success }}
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v4
with:
fetch-depth: 0

41
renovate.json
View File

@@ -1,35 +1,26 @@
{
"extends": [
"config:recommended"
],
"ignorePaths": [
"**/.archive/**"
],
"platformCommit": "enabled",
"dependencyDashboardAutoclose": true,
"assignAutomerge": false,
"assigneesFromCodeOwners": false,
"dependencyDashboardAutoclose": true,
"extends": ["config:recommended"],
"ignorePaths": ["**/.archive/**"],
"labels": ["type/dependencies"],
"platformCommit": "enabled",
"rebaseWhen": "behind-base-branch",
"rollbackPrs": true,
"semanticCommits": "enabled",
"semanticCommitScope": "deps",
"semanticCommitType": "feat",
"osvVulnerabilityAlerts": true,
"dependencyDashboardOSVVulnerabilitySummary": "all",
"labels": [
"type/dependencies"
],
"vulnerabilityAlerts": {
"commitMessagePrefix": "[SECURITY] ",
"enabled": true,
"labels": ["security", "type/dependencies"],
"labels": [
"security",
"type/dependencies"
],
"commitMessagePrefix": "[SECURITY] ",
"prCreation": "immediate"
},
"lockFileMaintenance": {
"enabled": true
},
"packageRules": [
{
"matchDepTypes": ["devDependencies"],
"automerge": true
},
{
"matchUpdateTypes": ["patch"],
"automerge": true
}
]
}