roboluke/.gitea/workflows/ci.yml

name: CI
on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
      - reopened

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0

      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          output-file: hadolint.out
          format: sonarqube
          no-fail: true

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: uv cache
        uses: actions/cache@v4
        with:
          path: /tmp/.uv-cache
          key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
          restore-keys: |
            uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
            uv-${{ runner.os }}

      - name: Install dependencies
        run: uv sync
      
      - name: Check Import Sorting
        run: uv run isort --check app/ tests/

      - name: Lint
        run: |
          uv run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
          cat lintreport.txt

      - name: Unit Test
        run: |
          uv run coverage run -m pytest -v --junitxml=testresults.xml
          uv run coverage report
        # sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml

      - name: Minimize uv cache
        run: uv cache prune --ci

      # - name: SonarQube Scan
      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
      #   env:
      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}

      - name: Set up environment for Snyk
        run: |
          uv pip freeze > requirements.txt
          mv pyproject.toml pyproject.toml.bak
          mv uv.lock uv.lock.bak

      - name: Snyk SAST Scan
        uses: snyk/actions/python@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # command: snyk
          args: snyk code test #--all-projects --exclude=.archive

      # - name: Snyk Vulnerability Scan
      #   uses: snyk/actions/python@master
      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #     DEBUG: "*snyk*"
      #   with:
      #     # command: snyk
      #     args: snyk test #--all-projects --exclude=.archive
      
      - name: Reverse set up environment for Snyk
        run: |
          rm -f requirements.txt
          mv pyproject.toml.bak pyproject.toml
          mv uv.lock.bak uv.lock