diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 2e80841..9cf1a5e 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -16,14 +16,6 @@ jobs: with: fetch-depth: 0 - - name: Run Hadolint - uses: hadolint/hadolint-action@v3.3.0 - with: - dockerfile: Dockerfile - output-file: hadolint.out - format: sonarqube - no-fail: true - - name: Setup Python uses: actions/setup-python@v6 with: @@ -53,44 +45,6 @@ jobs: run: | uv run coverage run -m pytest -v --junitxml=testresults.xml uv run coverage report - uv run coverage xml -q -o coverage.xml - sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml - name: Minimize uv cache run: uv cache prune --ci - - - name: SonarQube Scan - uses: SonarSource/sonarqube-scan-action@v7.1.0 - env: - SONAR_HOST_URL: ${{ vars.SONAR_URL }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - # - name: Set up environment for Snyk - # run: | - # uv pip freeze > requirements.txt - # mv pyproject.toml pyproject.toml.bak - # mv uv.lock uv.lock.bak - - # - name: Snyk SAST Scan - # uses: snyk/actions/python@master - # env: - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # with: - # # command: snyk - # args: snyk code test #--all-projects --exclude=.archive - - # - name: Snyk Vulnerability Scan - # uses: snyk/actions/python@master - # continue-on-error: true # Sometimes vulns aren't immediately fixable - # env: - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # DEBUG: "*snyk*" - # with: - # # command: snyk - # args: snyk test #--all-projects --exclude=.archive - - # - name: Reverse set up environment for Snyk - # run: | - # rm -f requirements.txt - # mv pyproject.toml.bak pyproject.toml - # mv uv.lock.bak uv.lock diff --git a/.gitea/workflows/sonar.yml b/.gitea/workflows/sonar.yml new file mode 100644 index 0000000..d2e416e --- /dev/null +++ b/.gitea/workflows/sonar.yml @@ -0,0 +1,61 @@ +name: Sonar +on: + push: + branches: + - main + +jobs: + ci: + runs-on: ubuntu-latest + steps: + - name: Check out repository code + uses: actions/checkout@v6.0.2 + with: + fetch-depth: 0 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.3.0 + with: + dockerfile: Dockerfile + output-file: hadolint.out + format: sonarqube + no-fail: true + + - name: Setup Python + uses: actions/setup-python@v6 + with: + python-version: "3.14" + + - name: uv cache + uses: actions/cache@v5 + with: + path: /tmp/.uv-cache + key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }} + restore-keys: | + uv-${{ runner.os }}-${{ hashFiles('uv.lock') }} + uv-${{ runner.os }} + + - name: Install dependencies + run: uv sync + + + - name: Lint + run: | + uv run pylint --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/ + cat lintreport.txt + + - name: Unit Test + run: | + uv run coverage run -m pytest -v --junitxml=testresults.xml + uv run coverage report + uv run coverage xml -q -o coverage.xml + sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml + + - name: Minimize uv cache + run: uv cache prune --ci + + - name: SonarQube Scan + uses: SonarSource/sonarqube-scan-action@v7.1.0 + env: + SONAR_HOST_URL: ${{ vars.SONAR_URL }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/Dockerfile b/Dockerfile index 672f2b5..62d31ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,6 +2,8 @@ FROM python:3.13.12-slim LABEL maintainer="Luke Tainton " USER root +RUN useradd -r -s /sbin/nologin -M user + ENV PYTHONPATH="/run:/usr/local/lib/python3.13/lib-dynload:/usr/local/lib/python3.13/site-packages:/usr/local/lib/python3.13" ENV UV_PROJECT_ENVIRONMENT="/usr/local/" @@ -9,7 +11,7 @@ WORKDIR /run RUN mkdir -p /.local && \ chmod -R 777 /.local && \ - pip install -U pip uv==0.9.21 + pip install --no-cache-dir -U pip uv==0.9.21 COPY pyproject.toml /run/pyproject.toml COPY uv.lock /run/uv.lock @@ -24,3 +26,6 @@ ARG version="dev" ENV APP_VERSION=$version COPY app /run/app + +RUN chown -R user:user /run +USER user diff --git a/tests/test_config_1.py b/tests/test_config_1.py index dd51a55..7ec623a 100644 --- a/tests/test_config_1.py +++ b/tests/test_config_1.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - # ruff: noqa: E402 pylint: disable=wrong-import-position """Provides test cases for app/utils/config.py.""" @@ -27,7 +25,7 @@ def test_config() -> None: os.environ[config_var] = value # needs to be imported AFTER environment variables are set - from app.utils.config import config # pragma: no cover + from app.utils.config import config # pragma: no cover # NOSONAR (C0415) assert config.admin_emails == config_vars["ADMIN_EMAIL"].split(",") assert config.admin_first_name == config_vars["ADMIN_FIRST_NAME"] diff --git a/tests/test_config_2.py b/tests/test_config_2.py index 26f8595..5d38dd3 100644 --- a/tests/test_config_2.py +++ b/tests/test_config_2.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - # ruff: noqa: E402 pylint: disable=wrong-import-position """Provides test cases for app/utils/config.py.""" @@ -24,7 +22,7 @@ def test_config_no_admin_vars() -> None: os.environ[config_var] = value # needs to be imported AFTER environment variables are set - from app.utils.config import config # pragma: no cover + from app.utils.config import config # pragma: no cover # NOSONAR (C0415) assert config.approved_domains == [] assert config.approved_rooms == [] diff --git a/tests/test_datetime.py b/tests/test_datetime.py index 08b3721..a7cbe7d 100644 --- a/tests/test_datetime.py +++ b/tests/test_datetime.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - """Provides test cases for app/utils/datetime.py.""" import pytest diff --git a/tests/test_helpers.py b/tests/test_helpers.py index d5ac9a0..3980a57 100644 --- a/tests/test_helpers.py +++ b/tests/test_helpers.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - """Provides test cases for app/utils/helpers.py.""" from app.utils.helpers import validate_email_syntax # pragma: no cover