pryscraper/.forgejo/workflows/ci.yml
cryptorugmunch f29112e8b9
All checks were successful
CI / lint (pull_request) Successful in 47s
CI / typecheck (pull_request) Successful in 50s
CI / Secret scan (gitleaks) (pull_request) Successful in 31s
CI / test (pull_request) Successful in 1m7s
CI / Security audit (bandit) (pull_request) Successful in 33s
ci: isolate bandit venv outside repo scan path
2026-07-03 00:36:55 +02:00

156 lines
5.6 KiB
YAML

# SPDX-License-Identifier: MIT
# Copyright (c) 2026 Rug Munch Media LLC
# Part of Pry — https://git.rugmunch.io/RugMunchMedia/pryscraper
# Licensed under MIT. See LICENSE.
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
UV_BIN: /root/.local/bin/uv
jobs:
lint:
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- name: Install Node.js for actions/checkout
run: |
apt-get update
apt-get install -y --no-install-recommends curl ca-certificates
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y --no-install-recommends nodejs
rm -rf /var/lib/apt/lists/*
- uses: actions/checkout@v4
- name: Install system deps
run: |
apt-get update
apt-get install -y --no-install-recommends gcc libpq-dev curl git ca-certificates
rm -rf /var/lib/apt/lists/*
- name: Install uv
run: |
curl -LsSf https://astral.sh/uv/install.sh | sh
ln -sf /root/.local/bin/uv /usr/local/bin/uv
ln -sf /root/.local/bin/uvx /usr/local/bin/uvx
- name: Setup Python
run: |
uv python install 3.11
uv venv --python 3.11 .venv
- name: Install dependencies
run: |
uv pip install --python .venv/bin/python -r requirements.txt
uv pip install --python .venv/bin/python -e ".[dev]"
- name: Lint (ruff)
run: source .venv/bin/activate && ruff check . --exit-non-zero-on-fix
- name: Format check (ruff)
run: source .venv/bin/activate && ruff format --check .
typecheck:
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- name: Install Node.js for actions/checkout
run: |
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y --no-install-recommends nodejs
rm -rf /var/lib/apt/lists/*
- uses: actions/checkout@v4
- name: Install uv + setup
run: |
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
curl -LsSf https://astral.sh/uv/install.sh | sh
ln -sf /root/.local/bin/uv /usr/local/bin/uv
ln -sf /root/.local/bin/uvx /usr/local/bin/uvx
uv python install 3.11
uv venv --python 3.11 .venv
uv pip install --python .venv/bin/python -e ".[dev]"
- name: Type check (mypy)
run: source .venv/bin/activate && mypy .
test:
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- name: Install Node.js for actions/checkout
run: |
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y --no-install-recommends nodejs
rm -rf /var/lib/apt/lists/*
- uses: actions/checkout@v4
- name: Install uv + setup
run: |
apt-get update && apt-get install -y --no-install-recommends gcc libpq-dev curl ca-certificates && rm -rf /var/lib/apt/lists/*
curl -LsSf https://astral.sh/uv/install.sh | sh
ln -sf /root/.local/bin/uv /usr/local/bin/uv
ln -sf /root/.local/bin/uvx /usr/local/bin/uvx
uv python install 3.11
uv venv --python 3.11 .venv
uv pip install --python .venv/bin/python -e ".[dev]"
- name: Test (pytest)
run: source .venv/bin/activate && pytest tests/ -x -q --tb=short -m "not integration"
secrets:
name: Secret scan (gitleaks)
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- name: Install Node.js for actions/checkout
run: |
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y --no-install-recommends nodejs
rm -rf /var/lib/apt/lists/*
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run gitleaks
run: |
apt-get update && apt-get install -y --no-install-recommends wget git ca-certificates && rm -rf /var/lib/apt/lists/*
wget -qO- https://github.com/gitleaks/gitleaks/releases/download/v8.24.0/gitleaks_8.24.0_linux_x64.tar.gz | tar -xz -C /usr/local/bin gitleaks
gitleaks detect --source . --redact --no-banner --no-git
security:
name: Security audit (bandit)
runs-on: docker-x64
container:
image: python:3.11-slim
steps:
- name: Install Node.js for actions/checkout
run: |
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y --no-install-recommends nodejs
rm -rf /var/lib/apt/lists/*
- uses: actions/checkout@v4
- name: Install uv + setup
run: |
apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
curl -LsSf https://astral.sh/uv/install.sh | sh
ln -sf /root/.local/bin/uv /usr/local/bin/uv
ln -sf /root/.local/bin/uvx /usr/local/bin/uvx
uv python install 3.11
uv venv --python 3.11 /tmp/bandit-venv
uv pip install --python /tmp/bandit-venv/bin/python bandit
- name: Bandit (high+medium severity)
run: source /tmp/bandit-venv/bin/activate && bandit -r . -x tests/,.venv,__pycache__ -ll