name: CI w/ Poetry and Docker on: pull_request: types: [opened, synchronize, reopened] paths-ignore: - "README.md" - "LICENSE.md" - ".gitignore" - "renovate.json" - ".gitea/CODEOWNERS" - ".archive" jobs: ci: runs-on: ubuntu-poetry-latest steps: - name: Check out repository code uses: actions/checkout@v4.2.2 with: fetch-depth: 0 - name: Run Hadolint uses: hadolint/hadolint-action@v3.1.0 with: dockerfile: Dockerfile output-file: hadolint.out format: sonarqube no-fail: true - name: Setup Python uses: actions/setup-python@v5 with: python-version: "${{ vars.PYTHON_VERSION }}" cache: 'poetry' - name: Install dependencies run: poetry install - name: Lint run: | poetry run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/ cat lintreport.txt - name: Unit Test run: | poetry run coverage run -m pytest -v --junitxml=testresults.xml poetry run coverage xml sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml - name: SonarQube Cloud Scan uses: SonarSource/sonarqube-scan-action@v4.2.1 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - name: Snyk Vulnerability Scan continue-on-error: true # Sometimes vulns aren't immediately fixable run: | echo ${{ github.workspace }} docker run --rm -v "${{ gitea.workspace }}:/app" -e "SNYK_TOKEN=${{ secrets.SNYK_TOKEN }}" snyk/snyk:python snyk test --all-projects --json # - name: Snyk Vulnerability Scan # uses: snyk/actions/python-3.10@master # continue-on-error: true # Sometimes vulns aren't immediately fixable # env: # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # with: # command: test # args: --all-projects # json: true