chore(deps): update python to v3.14.4

.gitea/workflows/ci.yml

@@ -16,6 +16,14 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.3.0
+        with:
+          dockerfile: Dockerfile
+          output-file: hadolint.out
+          format: sonarqube
+          no-fail: true
+
       - name: Setup Python
         uses: actions/setup-python@v6
         with:
@@ -45,6 +53,44 @@ jobs:
         run: |
           uv run coverage run -m pytest -v --junitxml=testresults.xml
           uv run coverage report
+          uv run coverage xml -q -o coverage.xml
+          sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
 
       - name: Minimize uv cache
         run: uv cache prune --ci
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v7.1.0
+        env:
+          SONAR_HOST_URL: ${{ vars.SONAR_URL }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      # - name: Set up environment for Snyk
+      #   run: |
+      #     uv pip freeze > requirements.txt
+      #     mv pyproject.toml pyproject.toml.bak
+      #     mv uv.lock uv.lock.bak
+
+      # - name: Snyk SAST Scan
+      #   uses: snyk/actions/python@master
+      #   env:
+      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      #   with:
+      #     # command: snyk
+      #     args: snyk code test #--all-projects --exclude=.archive
+
+      # - name: Snyk Vulnerability Scan
+      #   uses: snyk/actions/python@master
+      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
+      #   env:
+      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      #     DEBUG: "*snyk*"
+      #   with:
+      #     # command: snyk
+      #     args: snyk test #--all-projects --exclude=.archive
+      
+      # - name: Reverse set up environment for Snyk
+      #   run: |
+      #     rm -f requirements.txt
+      #     mv pyproject.toml.bak pyproject.toml
+      #     mv uv.lock.bak uv.lock

.gitea/workflows/sonar.yml

@@ -1,61 +0,0 @@
-name: Sonar
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  sonar:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@v6.0.2
-        with:
-          fetch-depth: 0
-
-      - name: Run Hadolint
-        uses: hadolint/hadolint-action@v3.3.0
-        with:
-          dockerfile: Dockerfile
-          output-file: hadolint.out
-          format: sonarqube
-          no-fail: true
-
-      - name: Setup Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: "3.14"
-
-      - name: uv cache
-        uses: actions/cache@v5
-        with:
-          path: /tmp/.uv-cache
-          key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
-          restore-keys: |
-            uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
-            uv-${{ runner.os }}
-
-      - name: Install dependencies
-        run: uv sync
-      
-
-      - name: Lint
-        run: |
-          uv run pylint --exit-zero --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
-          cat lintreport.txt
-
-      - name: Unit Test
-        run: |
-          uv run coverage run -m pytest -v --junitxml=testresults.xml
-          uv run coverage report
-          uv run coverage xml -q -o coverage.xml
-          sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
-
-      - name: Minimize uv cache
-        run: uv cache prune --ci
-
-      - name: SonarQube Scan
-        uses: SonarSource/sonarqube-scan-action@v7.1.0
-        env:
-          SONAR_HOST_URL: ${{ vars.SONAR_URL }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Dockerfile

@@ -2,8 +2,6 @@ FROM python:3.14.4-slim
 LABEL maintainer="Luke Tainton <luke@tainton.uk>"
 USER root
 
-RUN useradd -r -s /sbin/nologin -M user
-
 ENV PYTHONPATH="/run:/usr/local/lib/python3.13/lib-dynload:/usr/local/lib/python3.13/site-packages:/usr/local/lib/python3.13"
 ENV UV_PROJECT_ENVIRONMENT="/usr/local/"
 
@@ -11,7 +9,7 @@ WORKDIR /run
 
 RUN mkdir -p /.local && \
     chmod -R 777 /.local && \
-    pip install --no-cache-dir -U pip uv==0.9.21
+    pip install -U pip uv==0.9.21
 
 COPY pyproject.toml /run/pyproject.toml
 COPY uv.lock /run/uv.lock
@@ -26,6 +24,3 @@ ARG version="dev"
 ENV APP_VERSION=$version
 
 COPY app /run/app
-
-RUN chown -R user:user /run
-USER user

tests/test_config_1.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+
 # ruff: noqa: E402 pylint: disable=wrong-import-position
 
 """Provides test cases for app/utils/config.py."""
@@ -25,7 +27,7 @@ def test_config() -> None:
         os.environ[config_var] = value
 
     # needs to be imported AFTER environment variables are set
-    from app.utils.config import config  # pragma: no cover # NOSONAR (C0415)
+    from app.utils.config import config  # pragma: no cover
 
     assert config.admin_emails == config_vars["ADMIN_EMAIL"].split(",")
     assert config.admin_first_name == config_vars["ADMIN_FIRST_NAME"]

tests/test_config_2.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+
 # ruff: noqa: E402 pylint: disable=wrong-import-position
 
 """Provides test cases for app/utils/config.py."""
@@ -22,7 +24,7 @@ def test_config_no_admin_vars() -> None:
         os.environ[config_var] = value
 
     # needs to be imported AFTER environment variables are set
-    from app.utils.config import config  # pragma: no cover # NOSONAR (C0415)
+    from app.utils.config import config  # pragma: no cover
 
     assert config.approved_domains == []
     assert config.approved_rooms == []

tests/test_datetime.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+
 """Provides test cases for app/utils/datetime.py."""
 
 import pytest

tests/test_helpers.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+
 """Provides test cases for app/utils/helpers.py."""
 
 from app.utils.helpers import validate_email_syntax  # pragma: no cover