ci: add gitleaks + bandit jobs; split single job into lint/typecheck/test/secrets/security
The previous CI had a single build job with mypy marked as continue-on-error, and no secret scanning or security audit. The pre-commit config has gitleaks + bandit but they were never enforced in CI. Changes: - Split monolithic build job into focused jobs: lint, typecheck, test, secrets (gitleaks), security (bandit) - Promote mypy to a real required job (not continue-on-error) - Add gitleaks scan (v8.24.0) against the full git history - Add bandit scan at high+medium severity (low severity is too noisy for an OSS project) - Each job has its own container to keep failures isolated
This commit is contained in:
parent
3048e22e1f
commit
465ff0bd55
1 changed files with 64 additions and 4 deletions
|
|
@ -11,7 +11,7 @@ on:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
lint:
|
||||||
runs-on: docker-x64
|
runs-on: docker-x64
|
||||||
container:
|
container:
|
||||||
image: python:3.11-slim
|
image: python:3.11-slim
|
||||||
|
|
@ -45,9 +45,69 @@ jobs:
|
||||||
- name: Format check (ruff)
|
- name: Format check (ruff)
|
||||||
run: source .venv/bin/activate && ruff format --check .
|
run: source .venv/bin/activate && ruff format --check .
|
||||||
|
|
||||||
|
typecheck:
|
||||||
|
runs-on: docker-x64
|
||||||
|
container:
|
||||||
|
image: python:3.11-slim
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- name: Install uv + setup
|
||||||
|
run: |
|
||||||
|
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||||
|
curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||||
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||||
|
uv python install 3.11
|
||||||
|
uv venv --python 3.11 .venv
|
||||||
|
uv pip install --python .venv/bin/python -e ".[dev]"
|
||||||
- name: Type check (mypy)
|
- name: Type check (mypy)
|
||||||
run: source .venv/bin/activate && mypy app/ --ignore-missing-imports || true
|
run: source .venv/bin/activate && mypy . --ignore-missing-imports
|
||||||
continue-on-error: true
|
|
||||||
|
|
||||||
|
test:
|
||||||
|
runs-on: docker-x64
|
||||||
|
container:
|
||||||
|
image: python:3.11-slim
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- name: Install uv + setup
|
||||||
|
run: |
|
||||||
|
apt-get update && apt-get install -y --no-install-recommends gcc libpq-dev curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||||
|
curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||||
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||||
|
uv python install 3.11
|
||||||
|
uv venv --python 3.11 .venv
|
||||||
|
uv pip install --python .venv/bin/python -e ".[dev]"
|
||||||
- name: Test (pytest)
|
- name: Test (pytest)
|
||||||
run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration"
|
run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration"
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
name: Secret scan (gitleaks)
|
||||||
|
runs-on: docker-x64
|
||||||
|
container:
|
||||||
|
image: python:3.11-slim
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
fetch-depth: 0
|
||||||
|
- name: Run gitleaks
|
||||||
|
run: |
|
||||||
|
apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||||
|
wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
|
||||||
|
gitleaks detect --source . --redact --no-banner
|
||||||
|
|
||||||
|
security:
|
||||||
|
name: Security audit (bandit)
|
||||||
|
runs-on: docker-x64
|
||||||
|
container:
|
||||||
|
image: python:3.11-slim
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- name: Install uv + setup
|
||||||
|
run: |
|
||||||
|
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||||
|
curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||||
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||||
|
uv python install 3.11
|
||||||
|
uv venv --python 3.11 .venv
|
||||||
|
uv pip install --python .venv/bin/python bandit
|
||||||
|
- name: Bandit (high+medium severity)
|
||||||
|
run: source .venv/bin/activate && bandit -r . -x tests/,.venv,__pycache__ -ll
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue