-
Notifications
You must be signed in to change notification settings - Fork 8
Add CI Configuration #76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
pablo-schmeiser
wants to merge
9
commits into
HaDiNet:master
Choose a base branch
from
pablo-schmeiser:ci/add-ci
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
e224cdd
ci: Add commitlint config
pablo-schmeiser be88b38
ci: Add check for dependency changes introducing problems in PRs
pablo-schmeiser 5eb4c22
ci: Add OWASP Noir config
pablo-schmeiser d05f735
ci: Add linter config
pablo-schmeiser 91a4516
ci: Add action to check build integrity
pablo-schmeiser 713708d
ci: Add CI badges to README
pablo-schmeiser 3611f29
fix: Add commitlint to pre-commit hooks
pablo-schmeiser 68257cd
Pinning commitlint
pablo-schmeiser 16947ce
Add .coverage to gitignore
pablo-schmeiser File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| const Configuration = { | ||
| /* | ||
| * Resolve and load @commitlint/config-conventional from node_modules. | ||
| * Referenced packages must be installed | ||
| */ | ||
| extends: ["@commitlint/config-conventional"], | ||
| // config-conventional implements conventional commits rules as defined at https://www.conventionalcommits.org | ||
|
|
||
| /* | ||
| * Any rules defined here will override rules from @commitlint/config-conventional | ||
| */ | ||
| rules: { | ||
| "type-enum": [1, "always", ['build', 'chore', 'ci', 'docs', 'feat', 'fix', 'perf', 'refactor', 'revert', 'style', 'test']], | ||
| "header-trim": [2, "always"], | ||
| "reference-empty": [2, "never"], | ||
| }, | ||
|
|
||
| /* | ||
| * Array of functions that return true if commitlint should ignore the given message. | ||
| * Given array is merged with predefined functions, which consist of matchers like: | ||
| * | ||
| * - 'Merge pull request', 'Merge X into Y' or 'Merge branch X' | ||
| * - 'Revert X' | ||
| * - 'v1.2.3' (ie semver matcher) | ||
| * - 'Automatic merge X' or 'Auto-merged X into Y' | ||
| * | ||
| * To see full list, check https://github.com/conventional-changelog/commitlint/blob/master/%40commitlint/is-ignored/src/defaults.ts. | ||
| * To disable those ignores and run rules always, set `defaultIgnores: false` as shown below. | ||
| */ | ||
| ignores: [(commit) => commit === ""], | ||
| /* | ||
| * Whether commitlint uses the default ignore rules, see the description above. | ||
| */ | ||
| defaultIgnores: true, | ||
|
|
||
| /* | ||
| * Custom URL to show upon failure | ||
| */ | ||
| helpUrl: | ||
| "", | ||
| }; | ||
|
|
||
| export default Configuration; | ||
|
pablo-schmeiser marked this conversation as resolved.
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| --- | ||
| name: 'Dependency Check' | ||
|
|
||
| on: [pull_request] | ||
|
|
||
| jobs: | ||
| dependency-review: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: 'Checkout Repository' | ||
| uses: actions/checkout@v6 | ||
| - name: 'Dependency Review' | ||
| uses: actions/dependency-review-action@v4 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| --- | ||
| # Build the project and use django's check command to check for common errors. | ||
| name: Check Integrity | ||
|
|
||
| on: [push, pull_request, workflow_dispatch, workflow_call] | ||
|
|
||
| jobs: | ||
| python-versions: | ||
| uses: ./.github/workflows/extract_python_versions.yml | ||
|
|
||
| check-integrity: | ||
| runs-on: ubuntu-latest | ||
| needs: python-versions | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| issues: write | ||
| statuses: write | ||
|
|
||
| strategy: | ||
| matrix: | ||
| python-version: ${{ fromJson(needs['python-versions'].outputs.versions) }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v6 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| - name: Install dependencies | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install . | ||
| - name: Check integrity | ||
| run: | | ||
| python src/manage.py check --deploy --fail-level=WARNING | ||
|
|
||
| update-readme-integrity-badges: | ||
| runs-on: ubuntu-latest | ||
| needs: [python-versions, check-integrity] | ||
| if: github.event_name == 'push' && github.ref == 'refs/heads/master' | ||
|
|
||
| permissions: | ||
| contents: write | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| ref: ${{ github.ref }} | ||
| - name: Add integrity badges to README between comments | ||
| env: | ||
| PYTHON_VERSIONS: ${{ needs['python-versions'].outputs.versions }} | ||
| GITHUB_REPOSITORY: ${{ github.repository }} | ||
| run: python .github/workflows/update_integrity_badges.py | ||
| - uses: stefanzweifel/git-auto-commit-action@v7 | ||
| with: | ||
| commit_message: 'ci: update integrity badges in README' | ||
| file_pattern: README.md |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| --- | ||
| name: Extract Python Versions | ||
|
|
||
| description: Extract Python versions from pyproject.toml classifiers and output as JSON array for use in other workflows. | ||
|
|
||
| on: | ||
| workflow_call: | ||
| outputs: | ||
| versions: | ||
| description: JSON array of Python versions from pyproject.toml classifiers | ||
| value: ${{ jobs.extract.outputs.versions }} | ||
|
|
||
| jobs: | ||
| extract: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| versions: ${{ steps.get.outputs.versions }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
|
|
||
| - name: Read versions from pyproject.toml | ||
| id: get | ||
| run: | | ||
| python - <<'PY' | ||
| import json | ||
| import re | ||
| import tomllib | ||
| from pathlib import Path | ||
|
pablo-schmeiser marked this conversation as resolved.
|
||
|
|
||
| pyproject = Path('pyproject.toml') | ||
| if not pyproject.exists(): | ||
| raise SystemExit('pyproject.toml not found') | ||
|
|
||
| data = tomllib.loads(pyproject.read_text(encoding='utf-8')) | ||
| classifiers = data.get('project', {}).get('classifiers', []) | ||
|
|
||
| pattern = re.compile(r'^Programming Language :: Python :: (\d+\.\d+)$') | ||
| versions = sorted( | ||
| { | ||
| match.group(1) | ||
| for classifier in classifiers | ||
| if (match := pattern.match(classifier)) | ||
| }, | ||
|
pablo-schmeiser marked this conversation as resolved.
|
||
| key=lambda version: tuple(map(int, version.split('.'))), | ||
| ) | ||
|
|
||
| if not versions: | ||
| raise SystemExit( | ||
| 'No Python version classifiers found in pyproject.toml under project.classifiers' | ||
| ) | ||
|
|
||
| output = Path(__import__('os').environ['GITHUB_OUTPUT']) | ||
| output.write_text(f"versions={json.dumps(versions)}\n", encoding='utf-8') | ||
| print(f'Extracted versions: {", ".join(versions)}') | ||
| PY | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| --- | ||
| name: OWASP Noir Security Analysis | ||
|
|
||
| on: [push, pull_request, workflow_dispatch, workflow_call] | ||
|
|
||
| jobs: | ||
| noir-analysis: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| issues: write | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v6 | ||
|
|
||
| - name: Run OWASP Noir | ||
| id: noir | ||
| uses: owasp-noir/noir@main | ||
|
pablo-schmeiser marked this conversation as resolved.
|
||
| with: | ||
| base_path: '.' | ||
| techs: 'django' | ||
| passive_scan: 'true' | ||
| passive_scan_severity: 'medium' | ||
| use_all_taggers: 'true' | ||
| include_path: 'true' | ||
| format: 'markdown-table' | ||
| output_file: 'noir_results.md' | ||
|
|
||
| # Optional: Higher concurrency can speed up the analysis but may increase resource usage | ||
| # and could lead to OOM errors on larger codebases. | ||
| # Adjust as needed. 20 is reasonable for default GitHub runners. | ||
| concurrency: '20' | ||
|
|
||
| - name: Upload Noir Reports | ||
| uses: actions/upload-artifact@v7 | ||
| if: always() # Always upload results even if vulnerabilities are found | ||
| with: | ||
| name: noir-results | ||
| path: noir_results.md | ||
|
|
||
| - name: Comment Noir Report on PR | ||
| if: github.event_name == 'pull_request' && steps.noir.outputs.report != '' | ||
| uses: peter-evans/create-or-update-comment@v3 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| body: | | ||
| ## OWASP Noir Security Analysis Report | ||
| ${{ steps.noir.outputs.report }} | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| --- | ||
| # This runs classic linters on the codebase, but also uses some more advanced tools. | ||
| # Also uses: Trivy, GitLeaks, codespell, pre-commit, spectral, jscpd and more. | ||
| # See https://github.com/marketplace/actions/super-linter for more details. | ||
| name: Super-Linter | ||
|
|
||
| on: [push, pull_request, workflow_dispatch] | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Super-Linter | ||
| runs-on: ubuntu-latest | ||
|
|
||
| permissions: | ||
| # contents permission to clone the repository | ||
| contents: read | ||
| packages: read | ||
| # issues and pull-requests permissions to write results as pull | ||
| # request comments. Omit them if you don't need summary comments | ||
| issues: write | ||
| pull-requests: write | ||
|
pablo-schmeiser marked this conversation as resolved.
|
||
| # To report GitHub Actions status checks. Omit if you don't need | ||
| # to update commit status | ||
| statuses: write | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| # super-linter needs the full git history to get the | ||
| # list of files that changed across commits | ||
| fetch-depth: 0 | ||
| persist-credentials: false | ||
|
|
||
| - name: Super-linter | ||
| uses: super-linter/super-linter/slim@v8.5.0 # x-release-please-version | ||
| env: | ||
| # To report GitHub Actions status checks | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| # To only check files that changed across commits | ||
| VALIDATE_ALL_CODEBASE: false | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| import json | ||
| import os | ||
| import sys | ||
| from pathlib import Path | ||
|
|
||
| readme = Path('README.md') | ||
| start_marker = '<!-- Start Integrity Badges -->' | ||
| end_marker = '<!-- End Integrity Badges -->' | ||
|
|
||
| content = readme.read_text(encoding='utf-8') | ||
| if start_marker not in content or end_marker not in content: | ||
| print('README markers were not found.', file=sys.stderr) | ||
| sys.exit(1) | ||
|
pablo-schmeiser marked this conversation as resolved.
|
||
|
|
||
| raw_versions = os.environ.get('PYTHON_VERSIONS', '') | ||
|
|
||
| try: | ||
| parsed_versions = json.loads(raw_versions) | ||
| except json.JSONDecodeError as exc: | ||
| print(f'PYTHON_VERSIONS must be a JSON array of strings: {exc}', file=sys.stderr) | ||
| sys.exit(1) | ||
|
|
||
| if not isinstance(parsed_versions, list) or not all( | ||
| isinstance(version, str) for version in parsed_versions | ||
| ): | ||
| print('PYTHON_VERSIONS must be a JSON array of strings.', file=sys.stderr) | ||
| sys.exit(1) | ||
|
|
||
| versions = [version.strip() for version in parsed_versions if version.strip()] | ||
| if not versions: | ||
| print('PYTHON_VERSIONS JSON array is empty.', file=sys.stderr) | ||
| sys.exit(1) | ||
|
|
||
| repository = os.environ['GITHUB_REPOSITORY'] | ||
| workflow = 'check_integrity.yml' | ||
|
|
||
| badges = [ | ||
| f'[![Python {version}]' | ||
| f'(https://img.shields.io/badge/Python-{version}-3776AB?logo=python&logoColor=white)]' | ||
| f'(https://github.com/{repository}/actions/workflows/{workflow})' | ||
| for version in versions | ||
| ] | ||
|
|
||
| start_index = content.index(start_marker) + len(start_marker) | ||
| end_index = content.index(end_marker) | ||
| replacement = '\n' + '\n'.join(badges) + '\n' | ||
| updated = content[:start_index] + replacement + content[end_index:] | ||
| readme.write_text(updated, encoding='utf-8') | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,4 +16,5 @@ | |
| gunicorn.py | ||
| /build/ | ||
| /src/shiftings/templates/local/ | ||
| ruff.toml | ||
| ruff.toml | ||
| .coverage | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.