The previous CI had a single build job with mypy marked as continue-on-error, and no secret scanning or security audit. The pre-commit config has gitleaks + bandit but they were never enforced in CI. Changes: - Split monolithic build job into focused jobs: lint, typecheck, test, secrets (gitleaks), security (bandit) - Promote mypy to a real required job (not continue-on-error) - Add gitleaks scan (v8.24.0) against the full git history - Add bandit scan at high+medium severity (low severity is too noisy for an OSS project) - Each job has its own container to keep failures isolated
113 lines
3.7 KiB
YAML
113 lines
3.7 KiB
YAML
# SPDX-License-Identifier: MIT
|
|
# Copyright (c) 2026 Rug Munch Media LLC
|
|
# Part of Pry — https://git.rugmunch.io/RugMunchMedia/pryscraper
|
|
# Licensed under MIT. See LICENSE.
|
|
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: docker-x64
|
|
container:
|
|
image: python:3.11-slim
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install system deps
|
|
run: |
|
|
apt-get update
|
|
apt-get install -y --no-install-recommends gcc libpq-dev curl git ca-certificates
|
|
rm -rf /var/lib/apt/lists/*
|
|
|
|
- name: Install uv
|
|
run: |
|
|
curl -LsSf https://astral.sh/uv/install.sh | sh
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- name: Setup Python
|
|
run: |
|
|
uv python install 3.11
|
|
uv venv --python 3.11 .venv
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
uv pip install --python .venv/bin/python -r requirements.txt
|
|
uv pip install --python .venv/bin/python -e ".[dev]"
|
|
|
|
- name: Lint (ruff)
|
|
run: source .venv/bin/activate && ruff check . --exit-non-zero-on-fix
|
|
|
|
- name: Format check (ruff)
|
|
run: source .venv/bin/activate && ruff format --check .
|
|
|
|
typecheck:
|
|
runs-on: docker-x64
|
|
container:
|
|
image: python:3.11-slim
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Install uv + setup
|
|
run: |
|
|
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
|
curl -LsSf https://astral.sh/uv/install.sh | sh
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
uv python install 3.11
|
|
uv venv --python 3.11 .venv
|
|
uv pip install --python .venv/bin/python -e ".[dev]"
|
|
- name: Type check (mypy)
|
|
run: source .venv/bin/activate && mypy . --ignore-missing-imports
|
|
|
|
test:
|
|
runs-on: docker-x64
|
|
container:
|
|
image: python:3.11-slim
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Install uv + setup
|
|
run: |
|
|
apt-get update && apt-get install -y --no-install-recommends gcc libpq-dev curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
|
curl -LsSf https://astral.sh/uv/install.sh | sh
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
uv python install 3.11
|
|
uv venv --python 3.11 .venv
|
|
uv pip install --python .venv/bin/python -e ".[dev]"
|
|
- name: Test (pytest)
|
|
run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration"
|
|
|
|
secrets:
|
|
name: Secret scan (gitleaks)
|
|
runs-on: docker-x64
|
|
container:
|
|
image: python:3.11-slim
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Run gitleaks
|
|
run: |
|
|
apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && rm -rf /var/lib/apt/lists/*
|
|
wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
|
|
gitleaks detect --source . --redact --no-banner
|
|
|
|
security:
|
|
name: Security audit (bandit)
|
|
runs-on: docker-x64
|
|
container:
|
|
image: python:3.11-slim
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Install uv + setup
|
|
run: |
|
|
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
|
|
curl -LsSf https://astral.sh/uv/install.sh | sh
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
uv python install 3.11
|
|
uv venv --python 3.11 .venv
|
|
uv pip install --python .venv/bin/python bandit
|
|
- name: Bandit (high+medium severity)
|
|
run: source .venv/bin/activate && bandit -r . -x tests/,.venv,__pycache__ -ll
|