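# CI workflow: runs a Bandit security scan and the pytest suite on pull
# requests that touch the package sources, the tests, or this workflow file.
name: Python CI

on:  # yamllint disable-line rule:truthy
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review, draft]
    paths:
      - 'src/codesphere/**'
      - '.github/workflows/ci.yml'
      - 'tests/**'

# Workflow-wide default is read-only. Every job below declares its own
# permissions block, which fully replaces this one, so a broader grant here
# would never take effect and only widen the token for any future job that
# forgets to declare its own.
permissions:
  contents: read

jobs:
  security_check:
    name: Security Check (Bandit)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # needed to create/update the results comment
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install uv package manager
        uses: astral-sh/setup-uv@v6
        with:
          activate-environment: true

      - name: Install dependencies
        run: uv sync --extra dev
        shell: bash

      # Bandit exits non-zero when it reports findings. The exit code is only
      # captured here (not acted on) so the findings can be posted to the PR
      # before the job is failed in a later step.
      - name: Run Bandit security check
        id: bandit_check
        run: |
          echo "Running Bandit security check..."
          set +e
          uv run bandit -r src/codesphere --format=custom --msg-template "{abspath}:{line}: {test_id}[{severity}]: {msg}" -o bandit-results.txt
          BANDIT_EXIT_CODE=$?
          set -e
          echo "Bandit scan finished. Exit code: $BANDIT_EXIT_CODE"
          # Show the results in the job log
          if [ -f bandit-results.txt ]; then
            cat bandit-results.txt
          fi
          echo "BANDIT_EXIT_CODE=${BANDIT_EXIT_CODE}" >> "$GITHUB_ENV"
        shell: bash

      - name: Prepare Bandit comment body
        id: prep_bandit_comment
        if: github.event_name == 'pull_request'
        run: |
          echo "Preparing Bandit comment body..."
          COMMENT_BODY_FILE="bandit-comment-body.md"
          echo "COMMENT_BODY_FILE=${COMMENT_BODY_FILE}" >> "$GITHUB_ENV"
          echo "### 🛡️ Bandit Security Scan Results" > "$COMMENT_BODY_FILE"
          echo "" >> "$COMMENT_BODY_FILE"
          # NOTE: the results path is relative to the repository root (no 'backend/' prefix)
          if [ -s bandit-results.txt ]; then
            echo "\`\`\`text" >> "$COMMENT_BODY_FILE"
            cat bandit-results.txt >> "$COMMENT_BODY_FILE"
            echo "\`\`\`" >> "$COMMENT_BODY_FILE"
          elif [ "${BANDIT_EXIT_CODE:-0}" != "0" ]; then
            # A non-zero exit with no findings means the scan itself did not
            # complete; do not report that as a clean result.
            echo "⚠️ Bandit did not complete successfully (exit code ${BANDIT_EXIT_CODE}); see the job log." >> "$COMMENT_BODY_FILE"
          else
            echo "✅ No security issues found by Bandit." >> "$COMMENT_BODY_FILE"
          fi
        shell: bash

      - name: Find Comment
        if: github.event_name == 'pull_request'
        uses: peter-evans/find-comment@v3
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: Bandit Security Scan Results

      # On pull_request events from forks the GITHUB_TOKEN is read-only, so
      # this step cannot post a comment there; the findings are still visible
      # in the job log from the scan step above.
      - name: Post Bandit results as PR comment
        if: github.event_name == 'pull_request'
        uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.repository }}
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.fc.outputs.comment-id }}
          body-file: ${{ env.COMMENT_BODY_FILE }}
          edit-mode: replace

      # Read the exit code from the environment rather than interpolating a
      # ${{ }} expression into the shell script.
      - name: Fail if Bandit found issues
        if: env.BANDIT_EXIT_CODE != '0'
        run: exit "$BANDIT_EXIT_CODE"
        shell: bash

      - name: Minimize uv cache
        run: uv cache prune --ci

  pytest:
    name: Python Tests
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # needed for the coverage comment
    env:
      # Literal placeholder, not a real credential; presumably only present so
      # code that requires the variable can be imported under test.
      CS_TOKEN: 'dummy-token-for-ci'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install uv package manager
        uses: astral-sh/setup-uv@v6
        with:
          activate-environment: true

      - name: Install dependencies
        run: uv sync --extra dev
        shell: bash

      # pipefail is made explicit so a pytest failure is never masked by the
      # trailing `tee` (the `shell: bash` keyword already enables it, but the
      # dependency on that default is easy to lose when the shell is changed).
      - name: Run tests with pytest
        run: |
          set -o pipefail
          uv run pytest --junitxml=junit/test-results.xml --cov-report=xml --cov-report=html --cov=. --ignore=tests/integration | tee pytest-coverage.txt
        shell: bash

      # always() keeps this step running after a test failure so the report is
      # still posted to the PR.
      # TODO(review): `@main` is a mutable ref; pin to a release tag or commit
      # SHA (MishaKav/pytest-coverage-comment@<tag-or-sha>) so the action code
      # cannot change underneath this workflow.
      - name: Pytest coverage comment
        if: github.event_name == 'pull_request' && always()
        uses: MishaKav/pytest-coverage-comment@main
        with:
          unique-id-for-comment: coverage-report
          pytest-xml-coverage-path: coverage.xml
          pytest-coverage-path: pytest-coverage.txt
          junitxml-path: junit/test-results.xml
          title: Pytest Coverage Report
          junitxml-title: Test Execution Summary

      - name: Minimize uv cache
        run: uv cache prune --ci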