From 0e27a6665dcce19817e3e334b62419312a8e7c13 Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Fri, 17 Apr 2026 19:09:12 +0100 Subject: [PATCH 1/5] fix(docker): add user creation and permissions in Dockerfile Co-authored-by: Copilot --- Dockerfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Dockerfile b/Dockerfile index 672f2b5..88e994f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,6 +2,8 @@ FROM python:3.13.12-slim LABEL maintainer="Luke Tainton " USER root +RUN useradd -r -s /sbin/nologin -M user + ENV PYTHONPATH="/run:/usr/local/lib/python3.13/lib-dynload:/usr/local/lib/python3.13/site-packages:/usr/local/lib/python3.13" ENV UV_PROJECT_ENVIRONMENT="/usr/local/" @@ -24,3 +26,6 @@ ARG version="dev" ENV APP_VERSION=$version COPY app /run/app + +RUN chown -R user:user /run +USER user -- 2.49.1 From bf8b57b835da16831fc93cba60b116ff03002c9d Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Fri, 17 Apr 2026 19:13:05 +0100 Subject: [PATCH 2/5] fix(docker): optimize pip install command in Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 88e994f..62d31ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,7 @@ WORKDIR /run RUN mkdir -p /.local && \ chmod -R 777 /.local && \ - pip install -U pip uv==0.9.21 + pip install --no-cache-dir -U pip uv==0.9.21 COPY pyproject.toml /run/pyproject.toml COPY uv.lock /run/uv.lock -- 2.49.1 From f0903f4efdb8a0d09a4307a2298ba5774513a5ce Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Fri, 17 Apr 2026 19:13:52 +0100 Subject: [PATCH 3/5] fix(tests): add NOSONAR comment to config import in test cases --- tests/test_config_1.py | 2 +- tests/test_config_2.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_config_1.py b/tests/test_config_1.py index dd51a55..f1d203d 100644 --- a/tests/test_config_1.py +++ b/tests/test_config_1.py @@ -27,7 +27,7 @@ def test_config() -> None: os.environ[config_var] = value # needs to be imported AFTER environment variables are set - from app.utils.config import config # pragma: no cover + from app.utils.config import config # pragma: no cover # NOSONAR (C0415) assert config.admin_emails == config_vars["ADMIN_EMAIL"].split(",") assert config.admin_first_name == config_vars["ADMIN_FIRST_NAME"] diff --git a/tests/test_config_2.py b/tests/test_config_2.py index 26f8595..c6ad76d 100644 --- a/tests/test_config_2.py +++ b/tests/test_config_2.py @@ -24,7 +24,7 @@ def test_config_no_admin_vars() -> None: os.environ[config_var] = value # needs to be imported AFTER environment variables are set - from app.utils.config import config # pragma: no cover + from app.utils.config import config # pragma: no cover # NOSONAR (C0415) assert config.approved_domains == [] assert config.approved_rooms == [] -- 2.49.1 From 6c14683770c8d74ac6fcb2bc65aa01494d388d6e Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Fri, 17 Apr 2026 19:14:50 +0100 Subject: [PATCH 4/5] fix(tests): remove unnecessary shebang from test files --- tests/test_config_1.py | 2 -- tests/test_config_2.py | 2 -- tests/test_datetime.py | 2 -- tests/test_helpers.py | 2 -- 4 files changed, 8 deletions(-) diff --git a/tests/test_config_1.py b/tests/test_config_1.py index f1d203d..7ec623a 100644 --- a/tests/test_config_1.py +++ b/tests/test_config_1.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - # ruff: noqa: E402 pylint: disable=wrong-import-position """Provides test cases for app/utils/config.py.""" diff --git a/tests/test_config_2.py b/tests/test_config_2.py index c6ad76d..5d38dd3 100644 --- a/tests/test_config_2.py +++ b/tests/test_config_2.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - # ruff: noqa: E402 pylint: disable=wrong-import-position """Provides test cases for app/utils/config.py.""" diff --git a/tests/test_datetime.py b/tests/test_datetime.py index 08b3721..a7cbe7d 100644 --- a/tests/test_datetime.py +++ b/tests/test_datetime.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - """Provides test cases for app/utils/datetime.py.""" import pytest diff --git a/tests/test_helpers.py b/tests/test_helpers.py index d5ac9a0..3980a57 100644 --- a/tests/test_helpers.py +++ b/tests/test_helpers.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python3 - """Provides test cases for app/utils/helpers.py.""" from app.utils.helpers import validate_email_syntax # pragma: no cover -- 2.49.1 From a47d1f7cd7d5ac31eb3c3bb007868f4ca6e8803d Mon Sep 17 00:00:00 2001 From: Luke Tainton Date: Fri, 17 Apr 2026 19:20:15 +0100 Subject: [PATCH 5/5] feat(ci): add SonarQube workflow for code quality analysis Co-authored-by: Copilot --- .gitea/workflows/ci.yml | 46 ---------------------------- .gitea/workflows/sonar.yml | 61 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 46 deletions(-) create mode 100644 .gitea/workflows/sonar.yml diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 2e80841..9cf1a5e 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -16,14 +16,6 @@ jobs: with: fetch-depth: 0 - - name: Run Hadolint - uses: hadolint/hadolint-action@v3.3.0 - with: - dockerfile: Dockerfile - output-file: hadolint.out - format: sonarqube - no-fail: true - - name: Setup Python uses: actions/setup-python@v6 with: @@ -53,44 +45,6 @@ jobs: run: | uv run coverage run -m pytest -v --junitxml=testresults.xml uv run coverage report - uv run coverage xml -q -o coverage.xml - sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml - name: Minimize uv cache run: uv cache prune --ci - - - name: SonarQube Scan - uses: SonarSource/sonarqube-scan-action@v7.1.0 - env: - SONAR_HOST_URL: ${{ vars.SONAR_URL }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - # - name: Set up environment for Snyk - # run: | - # uv pip freeze > requirements.txt - # mv pyproject.toml pyproject.toml.bak - # mv uv.lock uv.lock.bak - - # - name: Snyk SAST Scan - # uses: snyk/actions/python@master - # env: - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # with: - # # command: snyk - # args: snyk code test #--all-projects --exclude=.archive - - # - name: Snyk Vulnerability Scan - # uses: snyk/actions/python@master - # continue-on-error: true # Sometimes vulns aren't immediately fixable - # env: - # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # DEBUG: "*snyk*" - # with: - # # command: snyk - # args: snyk test #--all-projects --exclude=.archive - - # - name: Reverse set up environment for Snyk - # run: | - # rm -f requirements.txt - # mv pyproject.toml.bak pyproject.toml - # mv uv.lock.bak uv.lock diff --git a/.gitea/workflows/sonar.yml b/.gitea/workflows/sonar.yml new file mode 100644 index 0000000..d2e416e --- /dev/null +++ b/.gitea/workflows/sonar.yml @@ -0,0 +1,61 @@ +name: Sonar +on: + push: + branches: + - main + +jobs: + ci: + runs-on: ubuntu-latest + steps: + - name: Check out repository code + uses: actions/checkout@v6.0.2 + with: + fetch-depth: 0 + + - name: Run Hadolint + uses: hadolint/hadolint-action@v3.3.0 + with: + dockerfile: Dockerfile + output-file: hadolint.out + format: sonarqube + no-fail: true + + - name: Setup Python + uses: actions/setup-python@v6 + with: + python-version: "3.14" + + - name: uv cache + uses: actions/cache@v5 + with: + path: /tmp/.uv-cache + key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }} + restore-keys: | + uv-${{ runner.os }}-${{ hashFiles('uv.lock') }} + uv-${{ runner.os }} + + - name: Install dependencies + run: uv sync + + + - name: Lint + run: | + uv run pylint --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/ + cat lintreport.txt + + - name: Unit Test + run: | + uv run coverage run -m pytest -v --junitxml=testresults.xml + uv run coverage report + uv run coverage xml -q -o coverage.xml + sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml + + - name: Minimize uv cache + run: uv cache prune --ci + + - name: SonarQube Scan + uses: SonarSource/sonarqube-scan-action@v7.1.0 + env: + SONAR_HOST_URL: ${{ vars.SONAR_URL }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} -- 2.49.1