actions/gha-workflows
5
1
Fork 0
Code Issues Pull Requests Actions Packages Releases Activity

chore(ci): update CI workflows to comment out SonarQube and Snyk scans #57

Merged
luke merged 1 commits from snyk into main 2026-01-21 21:09:09 +00:00
Conversation 0 Commits 1 Files Changed 12 +243 -200
12 changed files with 243 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
.gitea/workflows/ci-docker.yml
View File

@@ -23,15 +23,15 @@ jobs:
format: sonarqube format: sonarqube
no-fail: true no-fail: true
- name: SonarQube Cloud Scan # - name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # uses: SonarSource/sonarqube-scan-action@v7.0.0
env: # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan # - name: Snyk Vulnerability Scan
uses: snyk/actions/python@master # uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable # continue-on-error: true # Sometimes vulns aren't immediately fixable
env: # env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with: # with:
args: test --all-projects # args: test --all-projects

32
.gitea/workflows/ci-python-poetry-with-docker.yml
View File

@@ -6,11 +6,11 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
env: env:
PATH: ${{ env.PATH }}:/root/.poetry/bin PATH: ${{ env.PATH }}:/root/.poetry/bin
@@ -65,15 +65,15 @@ jobs:
poetry run coverage xml poetry run coverage xml
sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
- name: SonarQube Cloud Scan # - name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # uses: SonarSource/sonarqube-scan-action@v7.0.0
env: # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan # - name: Snyk Vulnerability Scan
uses: snyk/actions/python@master # uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable # continue-on-error: true # Sometimes vulns aren't immediately fixable
env: # env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with: # with:
args: test --all-projects # args: test --all-projects

32
.gitea/workflows/ci-python-poetry.yml
View File

@@ -6,11 +6,11 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
env: env:
PATH: ${{ env.PATH }}:/root/.poetry/bin PATH: ${{ env.PATH }}:/root/.poetry/bin
@@ -56,15 +56,15 @@ jobs:
poetry run coverage xml poetry run coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
- name: SonarQube Cloud Scan # - name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # uses: SonarSource/sonarqube-scan-action@v7.0.0
env: # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan # - name: Snyk Vulnerability Scan
uses: snyk/actions/python@master # uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable # continue-on-error: true # Sometimes vulns aren't immediately fixable
env: # env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with: # with:
args: test --all-projects # args: test --all-projects

40
.gitea/workflows/ci-python-uv-with-docker.yml
View File

@@ -6,13 +6,13 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_HOST_URL: # SONAR_HOST_URL:
required: false # required: false
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
jobs: jobs:
ci: ci:
@@ -62,17 +62,17 @@ jobs:
- name: Minimize uv cache - name: Minimize uv cache
run: uv cache prune --ci run: uv cache prune --ci
- name: SonarQube Scan # - name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # uses: SonarSource/sonarqube-scan-action@v7.0.0
env: # env:
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan # - name: Snyk Vulnerability Scan
uses: snyk/actions/python@master # uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable # continue-on-error: true # Sometimes vulns aren't immediately fixable
env: # env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with: # with:
command: snyk # command: snyk
args: test --all-projects # args: test --all-projects

32
.gitea/workflows/ci-python-with-docker.yml
View File

@@ -6,11 +6,11 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
jobs: jobs:
ci: ci:
@@ -57,15 +57,15 @@ jobs:
coverage xml coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
- name: SonarQube Cloud Scan # - name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # uses: SonarSource/sonarqube-scan-action@v7.0.0
env: # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan # - name: Snyk Vulnerability Scan
uses: snyk/actions/python@master # uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable # continue-on-error: true # Sometimes vulns aren't immediately fixable
env: # env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with: # with:
args: test --all-projects # args: test --all-projects

32
.gitea/workflows/ci-python.yml
View File

@@ -6,11 +6,11 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
jobs: jobs:
ci: ci:
@@ -50,15 +50,15 @@ jobs:
coverage xml coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
- name: SonarQube Cloud Scan # - name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # uses: SonarSource/sonarqube-scan-action@v7.0.0
env: # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan # - name: Snyk Vulnerability Scan
uses: snyk/actions/python@master # uses: snyk/actions/python@master
continue-on-error: true # Sometimes vulns aren't immediately fixable # continue-on-error: true # Sometimes vulns aren't immediately fixable
env: # env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with: # with:
args: test --all-projects # args: test --all-projects

45
.github/workflows/ci-docker.yml vendored
View File

@@ -1,11 +1,11 @@
name: Docker CI name: Docker CI
on: on:
workflow_call: workflow_call:
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
jobs: jobs:
ci: ci:
@@ -15,26 +15,29 @@ jobs:
uses: actions/checkout@v6.0.1 uses: actions/checkout@v6.0.1
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0 - uses: hadolint/hadolint-action@v3.3.0
with: with:
dockerfile: Dockerfile dockerfile: Dockerfile
output-file: hadolint.out output-file: hadolint.out
format: sonarqube format: sonarqube
no-fail: true no-fail: true
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Snyk Vulnerability Scan
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif --all-projects
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: snyk.sarif
# - name: SonarQube Cloud Scan
# uses: SonarSource/sonarqube-scan-action@v7.0.0
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# - name: Snyk Vulnerability Scan
# uses: snyk/actions/python-3.10@master
# continue-on-error: true # To make sure that SARIF upload gets called
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: --sarif-file-output=snyk.sarif --all-projects
# - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif

52
.github/workflows/ci-python-poetry-with-docker.yml vendored
View File

@@ -6,11 +6,11 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
jobs: jobs:
ci: ci:
@@ -21,46 +21,56 @@ jobs:
run: | run: |
PYTHON_VERSION=${{ inputs.python-version }} PYTHON_VERSION=${{ inputs.python-version }}
echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v6.0.1 uses: actions/checkout@v6.0.1
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0 - uses: hadolint/hadolint-action@v3.3.0
with: with:
dockerfile: Dockerfile dockerfile: Dockerfile
output-file: hadolint.out output-file: hadolint.out
format: sonarqube format: sonarqube
no-fail: true no-fail: true
- name: Setup Python - name: Setup Python
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:
python-version: "${{ steps.python-version.outputs.value }}" python-version: "${{ steps.python-version.outputs.value }}"
- name: Setup Poetry - name: Setup Poetry
uses: abatilo/actions-poetry@v4 uses: abatilo/actions-poetry@v4
- name: Install dependencies - name: Install dependencies
run: poetry install run: poetry install
- name: Lint - name: Lint
run: | run: |
poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt . poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
cat lintreport.txt cat lintreport.txt
- name: Unit Test - name: Unit Test
run: | run: |
poetry run coverage run -m pytest -v --junitxml=testresults.xml poetry run coverage run -m pytest -v --junitxml=testresults.xml
poetry run coverage xml poetry run coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # - name: SonarQube Cloud Scan
env: # uses: SonarSource/sonarqube-scan-action@v7.0.0
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Snyk Vulnerability Scan # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called # - name: Snyk Vulnerability Scan
env: # uses: snyk/actions/python-3.10@master
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # continue-on-error: true # To make sure that SARIF upload gets called
with: # env:
args: --sarif-file-output=snyk.sarif --all-projects # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning # with:
uses: github/codeql-action/upload-sarif@v4 # args: --sarif-file-output=snyk.sarif --all-projects
with:
sarif_file: snyk.sarif # - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif

51
.github/workflows/ci-python-poetry.yml vendored
View File

@@ -6,11 +6,11 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
jobs: jobs:
ci: ci:
@@ -21,38 +21,47 @@ jobs:
run: | run: |
PYTHON_VERSION=${{ inputs.python-version }} PYTHON_VERSION=${{ inputs.python-version }}
echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v6.0.1 uses: actions/checkout@v6.0.1
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Setup Python - name: Setup Python
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:
python-version: "${{ steps.python-version.outputs.value }}" python-version: "${{ steps.python-version.outputs.value }}"
- name: Setup Poetry - name: Setup Poetry
uses: abatilo/actions-poetry@v4 uses: abatilo/actions-poetry@v4
- name: Install dependencies - name: Install dependencies
run: poetry install run: poetry install
- name: Lint - name: Lint
run: poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt . run: poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
- name: Unit Test - name: Unit Test
run: | run: |
poetry run coverage run -m pytest -v --junitxml=testresults.xml poetry run coverage run -m pytest -v --junitxml=testresults.xml
poetry run coverage xml poetry run coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # - name: SonarQube Cloud Scan
env: # uses: SonarSource/sonarqube-scan-action@v7.0.0
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Snyk Vulnerability Scan # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called # - name: Snyk Vulnerability Scan
env: # uses: snyk/actions/python-3.10@master
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # continue-on-error: true # To make sure that SARIF upload gets called
with: # env:
args: --sarif-file-output=snyk.sarif --all-projects # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning # with:
uses: github/codeql-action/upload-sarif@v4 # args: --sarif-file-output=snyk.sarif --all-projects
with:
sarif_file: snyk.sarif # - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif

52
.github/workflows/ci-python-with-docker.yml vendored
View File

@@ -6,11 +6,11 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
jobs: jobs:
ci: ci:
@@ -21,47 +21,57 @@ jobs:
run: | run: |
PYTHON_VERSION=${{ inputs.python-version }} PYTHON_VERSION=${{ inputs.python-version }}
echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v6.0.1 uses: actions/checkout@v6.0.1
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: hadolint/hadolint-action@v3.3.0 - uses: hadolint/hadolint-action@v3.3.0
with: with:
dockerfile: Dockerfile dockerfile: Dockerfile
output-file: hadolint.out output-file: hadolint.out
format: sonarqube format: sonarqube
no-fail: true no-fail: true
- name: Setup Python - name: Setup Python
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:
python-version: "${{ steps.python-version.outputs.value }}" python-version: "${{ steps.python-version.outputs.value }}"
- name: Update Pip - name: Update Pip
run: | run: |
pip install -U pip pip install -U pip
- name: Install dependencies - name: Install dependencies
run: | run: |
pip install -r requirements.txt pip install -r requirements.txt
pip install -r requirements-dev.txt pip install -r requirements-dev.txt
- name: Lint - name: Lint
run: pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt . run: pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
- name: Unit Test - name: Unit Test
run: | run: |
coverage run -m pytest -v --junitxml=testresults.xml coverage run -m pytest -v --junitxml=testresults.xml
coverage xml coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # - name: SonarQube Cloud Scan
env: # uses: SonarSource/sonarqube-scan-action@v7.0.0
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Snyk Vulnerability Scan # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called # - name: Snyk Vulnerability Scan
env: # uses: snyk/actions/python-3.10@master
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # continue-on-error: true # To make sure that SARIF upload gets called
with: # env:
args: --sarif-file-output=snyk.sarif --all-projects # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning # with:
uses: github/codeql-action/upload-sarif@v4 # args: --sarif-file-output=snyk.sarif --all-projects
with:
sarif_file: snyk.sarif # - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif

51
.github/workflows/ci-python.yml vendored
View File

@@ -6,11 +6,11 @@ on:
type: string type: string
default: "3.11" default: "3.11"
description: "Version of Python to use for testing environment" description: "Version of Python to use for testing environment"
secrets: # secrets:
SONAR_TOKEN: # SONAR_TOKEN:
required: true # required: true
SNYK_TOKEN: # SNYK_TOKEN:
required: true # required: true
jobs: jobs:
ci: ci:
@@ -21,41 +21,50 @@ jobs:
run: | run: |
PYTHON_VERSION=${{ inputs.python-version }} PYTHON_VERSION=${{ inputs.python-version }}
echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT echo "value=${PYTHON_VERSION:-"3.11"}" >> $GITHUB_OUTPUT
- name: Check out repository code - name: Check out repository code
uses: actions/checkout@v6.0.1 uses: actions/checkout@v6.0.1
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Setup Python - name: Setup Python
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:
python-version: "${{ steps.python-version.outputs.value }}" python-version: "${{ steps.python-version.outputs.value }}"
- name: Update Pip - name: Update Pip
run: | run: |
pip install -U pip pip install -U pip
- name: Install dependencies - name: Install dependencies
run: | run: |
pip install -r requirements.txt pip install -r requirements.txt
pip install -r requirements-dev.txt pip install -r requirements-dev.txt
- name: Lint - name: Lint
run: pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt . run: pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt .
- name: Unit Test - name: Unit Test
run: | run: |
coverage run -m pytest -v --junitxml=testresults.xml coverage run -m pytest -v --junitxml=testresults.xml
coverage xml coverage xml
sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml sed -i 's@${{ github.workspace }}@/github/workspace@g' coverage.xml
- name: SonarQube Cloud Scan
uses: SonarSource/sonarqube-scan-action@v7.0.0 # - name: SonarQube Cloud Scan
env: # uses: SonarSource/sonarqube-scan-action@v7.0.0
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Snyk Vulnerability Scan # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
uses: snyk/actions/python-3.10@master
continue-on-error: true # To make sure that SARIF upload gets called # - name: Snyk Vulnerability Scan
env: # uses: snyk/actions/python-3.10@master
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # continue-on-error: true # To make sure that SARIF upload gets called
with: # env:
args: --sarif-file-output=snyk.sarif --all-projects # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning # with:
uses: github/codeql-action/upload-sarif@v4 # args: --sarif-file-output=snyk.sarif --all-projects
with:
sarif_file: snyk.sarif # - name: Upload result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v4
# with:
# sarif_file: snyk.sarif

2
renovate.json
View File

@@ -17,6 +17,8 @@
"labels": [ "labels": [
"type/dependencies" "type/dependencies"
], ],
"osvVulnerabilityAlerts": true,
"dependencyDashboardOSVVulnerabilitySummary": "all",
"vulnerabilityAlerts": { "vulnerabilityAlerts": {
"enabled": true, "enabled": true,
"labels": [ "labels": [