Post audit 1c #120
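name: CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least-privilege GITHUB_TOKEN for every job: nothing below pushes, publishes
# or comments. `pull-requests: read` is what the changed-file actions need to
# list a PR's files on pull_request events.
permissions:
  contents: read
  pull-requests: read

# NOTE(review): third-party actions are referenced by mutable tags (@v2, @v3,
# @v4, @v44). Pinning each `uses:` to a full commit SHA (with the tag in a
# trailing comment) protects against a tag being moved to malicious content.

jobs:
  # This job runs on all PRs and serves as a gatekeeper. It determines if
  # code-related jobs need to run.
  paths-filter:
    runs-on: ubuntu-latest
    outputs:
      code_changed: ${{ steps.filter.outputs.code_changed }}
    steps:
      - uses: actions/checkout@v3
      - uses: dorny/paths-filter@v2
        id: filter
        with:
          # Block scalar: the filter definition is YAML text parsed by the action.
          filters: |
            code_changed:
              - 'api/src/**'
              - 'api/tests/**'
              - 'scripts/**'
              - 'snitch/**'
              - 'gonk-testUI/**'
              - 'pyproject.toml'
              - 'go.mod'

  # This job runs on all PRs to check for documentation governance.
  doc-linter:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history so changed-files can diff against the base ref.
          fetch-depth: 0
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v44
        with:
          files_ignore: |
            **/*.md
            **/*.yml
      # We need the status for the linter, but this action doesn't provide it easily.
      # We will just get the filenames and assume 'M' in the linter.
      # This is a reasonable simplification for the doc linter's purpose.
      - name: List changed files for debugging
        # On pull_request the file list is chosen by the PR author. It is handed
        # to the shell through an environment variable instead of being expanded
        # by ${{ }} inside the script, so a filename containing quotes or shell
        # metacharacters stays data and is never interpreted as script text.
        env:
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          echo "Changed files: $CHANGED_FILES"
          # Write the list of changed files to a file for the linter to consume
          # (printf rather than echo so a leading "-n"/"-e" is not taken as an option).
          printf '%s\n' "$CHANGED_FILES" > changed_files.txt
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.12'
      - name: Install documentation dependencies
        run: |
          python -m pip install --upgrade pip
          pip install PyYAML mkdocs mkdocs-material mkdocs-monorepo-plugin
      - name: Run documentation linter
        run: python3 scripts/linter.py --from-file changed_files.txt

  # This job only runs if the paths-filter job determines that code files have changed.
  code-quality:
    runs-on: ubuntu-latest
    needs: paths-filter
    if: needs.paths-filter.outputs.code_changed == 'true'
    steps:
      - uses: actions/checkout@v3
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.12'
      - name: Cache pip dependencies
        uses: actions/cache@v3
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install dependencies
        # NOTE(review): mypy and bandit are run below but are not installed here;
        # presumably `pip install -e ./api` pulls them in — confirm against api's
        # project metadata.
        run: |
          python -m pip install --upgrade pip
          pip install -e ./api
          pip install ruff black pytest pytest-cov "safety<3.0.0"
      - name: Create required directories for tests
        run: mkdir -p api/storage api/logs
      - name: Create admin API key file for tests
        # Throwaway CI-only credential written into the workspace for the test run.
        run: echo "test-ci-key" > api/src/.admin_api_key
      - name: Run Ruff linter
        run: python -m ruff check .
      - name: Run Black formatter check
        run: python -m black --check .
      - name: Run mypy type checker
        run: |
          cd api
          python -m mypy --config-file mypy.ini src tests
      - name: Run Bandit security scanner
        run: |
          cd api
          python -m bandit -r . -c bandit.yml
      - name: Run Safety dependency scanner
        # TODO(review): record next to each --ignore why the advisory is accepted
        # and when the exemption should be revisited, so ignores do not become permanent.
        run: python -m safety check --ignore=51167 --ignore=77740
      - name: Run tests with coverage
        run: |
          cd api
          python -m pytest --cov=src/zotify_api --cov-report=xml --cov-fail-under=85
      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: '1.22'
          cache: false
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v4
        with:
          version: v1.55.2
          working-directory: snitch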