roboluke/.gitea/workflows/ci.yml

name: CI
on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
      - reopened

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0

      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          output-file: hadolint.out
          format: sonarqube
          no-fail: true

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: uv cache
        uses: actions/cache@v4
        with:
          path: /tmp/.uv-cache
          key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
          restore-keys: |
            uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
            uv-${{ runner.os }}

      - name: Install dependencies
        run: uv sync

      - name: Lint
        run: |
          uv run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
          cat lintreport.txt

      - name: Unit Test
        run: |
          uv run coverage run -m pytest -v --junitxml=testresults.xml
          uv run coverage xml
          sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml

      - name: Minimize uv cache
        run: uv cache prune --ci

      # - name: SonarQube Scan
      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
      #   env:
      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}

      # - name: Snyk Vulnerability Scan
      #   uses: snyk/actions/python@master
      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #   with:
      #     command: snyk
      #     args: test --all-projects

      - name: Trivy Vulnerability Scan
        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: "fs"
          scan-ref: "${{ gitea.workspace }}"
          exit-code: "1"
          ignore-unfixed: true
          format: "table"
          severity: "CRITICAL,HIGH,MEDIUM"
          scanners: "vuln,secret,misconfig,license"