ci: add gitleaks + bandit jobs; split single job into lint/typecheck/test/secrets/security
The previous CI had a single build job with mypy marked as continue-on-error, and no secret scanning or security audit. The pre-commit config has gitleaks + bandit but they were never enforced in CI. Changes: - Split monolithic build job into focused jobs: lint, typecheck, test, secrets (gitleaks), security (bandit) - Promote mypy to a real required job (not continue-on-error) - Add gitleaks scan (v8.24.0) against the full git history - Add bandit scan at high+medium severity (low severity is too noisy for an OSS project) - Each job has its own container to keep failures isolated
This commit is contained in:
parent
3048e22e1f
commit
465ff0bd55
1 changed files with 64 additions and 4 deletions
|
|
@ -11,7 +11,7 @@ on:
|
|||
branches: [main]
|
||||
|
||||
jobs:
|
||||
build:
|
||||
lint:
|
||||
runs-on: docker-x64
|
||||
container:
|
||||
image: python:3.11-slim
|
||||
|
|
@ -45,9 +45,69 @@ jobs:
|
|||
- name: Format check (ruff)
|
||||
run: source .venv/bin/activate && ruff format --check .
|
||||
|
||||
typecheck:
|
||||
runs-on: docker-x64
|
||||
container:
|
||||
image: python:3.11-slim
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Install uv + setup
|
||||
run: |
|
||||
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||
curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||
uv python install 3.11
|
||||
uv venv --python 3.11 .venv
|
||||
uv pip install --python .venv/bin/python -e ".[dev]"
|
||||
- name: Type check (mypy)
|
||||
run: source .venv/bin/activate && mypy app/ --ignore-missing-imports || true
|
||||
continue-on-error: true
|
||||
run: source .venv/bin/activate && mypy . --ignore-missing-imports
|
||||
|
||||
test:
|
||||
runs-on: docker-x64
|
||||
container:
|
||||
image: python:3.11-slim
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Install uv + setup
|
||||
run: |
|
||||
apt-get update && apt-get install -y --no-install-recommends gcc libpq-dev curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||
curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||
uv python install 3.11
|
||||
uv venv --python 3.11 .venv
|
||||
uv pip install --python .venv/bin/python -e ".[dev]"
|
||||
- name: Test (pytest)
|
||||
run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration"
|
||||
run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration"
|
||||
|
||||
secrets:
|
||||
name: Secret scan (gitleaks)
|
||||
runs-on: docker-x64
|
||||
container:
|
||||
image: python:3.11-slim
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Run gitleaks
|
||||
run: |
|
||||
apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||
wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
|
||||
gitleaks detect --source . --redact --no-banner
|
||||
|
||||
security:
|
||||
name: Security audit (bandit)
|
||||
runs-on: docker-x64
|
||||
container:
|
||||
image: python:3.11-slim
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Install uv + setup
|
||||
run: |
|
||||
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||
curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||
uv python install 3.11
|
||||
uv venv --python 3.11 .venv
|
||||
uv pip install --python .venv/bin/python bandit
|
||||
- name: Bandit (high+medium severity)
|
||||
run: source .venv/bin/activate && bandit -r . -x tests/,.venv,__pycache__ -ll
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue