pryscraper/.forgejo/workflows/ci.yml
cryptorugmunch 465ff0bd55 ci: add gitleaks + bandit jobs; split single job into lint/typecheck/test/secrets/security
The previous CI had a single build job with mypy marked as
continue-on-error, and no secret scanning or security audit. The
pre-commit config has gitleaks + bandit but they were never enforced
in CI.

Changes:
- Split monolithic build job into focused jobs: lint, typecheck, test,
  secrets (gitleaks), security (bandit)
- Promote mypy to a real required job (not continue-on-error)
- Add gitleaks scan (v8.24.0) against the full git history
- Add bandit scan at high+medium severity (low severity is too noisy
  for an OSS project)
- Each job has its own container to keep failures isolated
2026-07-02 20:02:06 +02:00

113 lines
3.7 KiB
YAML

# SPDX-License-Identifier: MIT
# Copyright (c) 2026 Rug Munch Media LLC
# Part of Pry — https://git.rugmunch.io/RugMunchMedia/pryscraper
# Licensed under MIT. See LICENSE.
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
lint:
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- uses: actions/checkout@v4
- name: Install system deps
run: |
apt-get update
apt-get install -y --no-install-recommends gcc libpq-dev curl git ca-certificates
rm -rf /var/lib/apt/lists/*
- name: Install uv
run: |
curl -LsSf https://astral.sh/uv/install.sh | sh
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Setup Python
run: |
uv python install 3.11
uv venv --python 3.11 .venv
- name: Install dependencies
run: |
uv pip install --python .venv/bin/python -r requirements.txt
uv pip install --python .venv/bin/python -e ".[dev]"
- name: Lint (ruff)
run: source .venv/bin/activate && ruff check . --exit-non-zero-on-fix
- name: Format check (ruff)
run: source .venv/bin/activate && ruff format --check .
typecheck:
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- uses: actions/checkout@v4
- name: Install uv + setup
run: |
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
curl -LsSf https://astral.sh/uv/install.sh | sh
echo "$HOME/.local/bin" >> $GITHUB_PATH
uv python install 3.11
uv venv --python 3.11 .venv
uv pip install --python .venv/bin/python -e ".[dev]"
- name: Type check (mypy)
run: source .venv/bin/activate && mypy . --ignore-missing-imports
test:
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- uses: actions/checkout@v4
- name: Install uv + setup
run: |
apt-get update && apt-get install -y --no-install-recommends gcc libpq-dev curl ca-certificates && rm -rf /var/lib/apt/lists/*
curl -LsSf https://astral.sh/uv/install.sh | sh
echo "$HOME/.local/bin" >> $GITHUB_PATH
uv python install 3.11
uv venv --python 3.11 .venv
uv pip install --python .venv/bin/python -e ".[dev]"
- name: Test (pytest)
run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration"
secrets:
name: Secret scan (gitleaks)
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run gitleaks
run: |
apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && rm -rf /var/lib/apt/lists/*
wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
gitleaks detect --source . --redact --no-banner
security:
name: Security audit (bandit)
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- uses: actions/checkout@v4
- name: Install uv + setup
run: |
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
curl -LsSf https://astral.sh/uv/install.sh | sh
echo "$HOME/.local/bin" >> $GITHUB_PATH
uv python install 3.11
uv venv --python 3.11 .venv
uv pip install --python .venv/bin/python bandit
- name: Bandit (high+medium severity)
run: source .venv/bin/activate && bandit -r . -x tests/,.venv,__pycache__ -ll