From 465ff0bd552c27adaa29ccba5c6b74d754e6e8a1 Mon Sep 17 00:00:00 2001 From: cryptorugmunch Date: Thu, 2 Jul 2026 20:02:06 +0200 Subject: [PATCH] ci: add gitleaks + bandit jobs; split single job into lint/typecheck/test/secrets/security The previous CI had a single build job with mypy marked as continue-on-error, and no secret scanning or security audit. The pre-commit config has gitleaks + bandit but they were never enforced in CI. Changes: - Split monolithic build job into focused jobs: lint, typecheck, test, secrets (gitleaks), security (bandit) - Promote mypy to a real required job (not continue-on-error) - Add gitleaks scan (v8.24.0) against the full git history - Add bandit scan at high+medium severity (low severity is too noisy for an OSS project) - Each job has its own container to keep failures isolated --- .forgejo/workflows/ci.yml | 68 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 64 insertions(+), 4 deletions(-) diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index b458188..2291826 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -11,7 +11,7 @@ on: branches: [main] jobs: - build: + lint: runs-on: docker-x64 container: image: python:3.11-slim @@ -45,9 +45,69 @@ jobs: - name: Format check (ruff) run: source .venv/bin/activate && ruff format --check . + typecheck: + runs-on: docker-x64 + container: + image: python:3.11-slim + steps: + - uses: actions/checkout@v4 + - name: Install uv + setup + run: | + apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/* + curl -LsSf https://astral.sh/uv/install.sh | sh + echo "$HOME/.local/bin" >> $GITHUB_PATH + uv python install 3.11 + uv venv --python 3.11 .venv + uv pip install --python .venv/bin/python -e ".[dev]" - name: Type check (mypy) - run: source .venv/bin/activate && mypy app/ --ignore-missing-imports || true - continue-on-error: true + run: source .venv/bin/activate && mypy . --ignore-missing-imports + test: + runs-on: docker-x64 + container: + image: python:3.11-slim + steps: + - uses: actions/checkout@v4 + - name: Install uv + setup + run: | + apt-get update && apt-get install -y --no-install-recommends gcc libpq-dev curl ca-certificates && rm -rf /var/lib/apt/lists/* + curl -LsSf https://astral.sh/uv/install.sh | sh + echo "$HOME/.local/bin" >> $GITHUB_PATH + uv python install 3.11 + uv venv --python 3.11 .venv + uv pip install --python .venv/bin/python -e ".[dev]" - name: Test (pytest) - run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration" \ No newline at end of file + run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration" + + secrets: + name: Secret scan (gitleaks) + runs-on: docker-x64 + container: + image: python:3.11-slim + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Run gitleaks + run: | + apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && rm -rf /var/lib/apt/lists/* + wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks + gitleaks detect --source . --redact --no-banner + + security: + name: Security audit (bandit) + runs-on: docker-x64 + container: + image: python:3.11-slim + steps: + - uses: actions/checkout@v4 + - name: Install uv + setup + run: | + apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/* + curl -LsSf https://astral.sh/uv/install.sh | sh + echo "$HOME/.local/bin" >> $GITHUB_PATH + uv python install 3.11 + uv venv --python 3.11 .venv + uv pip install --python .venv/bin/python bandit + - name: Bandit (high+medium severity) + run: source .venv/bin/activate && bandit -r . -x tests/,.venv,__pycache__ -ll