Master

.dockerignore

@@ -0,0 +1,2 @@
+codenames/static/img/codes/**/*.jpg
+codenames/static/img/cards/**/*.jpg

.github/workflows/build.yaml

@@ -0,0 +1,62 @@
+name: Build Image
+
+on:
+  push:
+    branches:
+      - "main"
+  pull_request:
+    branches:
+      - "main"
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          platforms: linux/amd64
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # set latest tag for default branch
+            type=raw,value={{date 'YYYYMMDD-hhmmss' tz='Europe/Berlin'}}
+            type=ref,event=pr
+            type=sha
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and Push Image
+        uses: docker/build-push-action@v6
+        with:
+          push: ${{ github.ref_name == 'main' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/lint-docker.yaml

@@ -0,0 +1,32 @@
+name: Linting Dockerfile
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - 'Dockerfile'
+  pull_request:
+    paths:
+      - 'Dockerfile'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  linting:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Hadolint Dockerfile Linter
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile

.github/workflows/lint-python.yaml

@@ -0,0 +1,60 @@
+name: Linting Python
+# https://medium.com/swlh/enhancing-code-quality-with-github-actions-67561c6f7063
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - '**.py'
+      - src/requirements.txt
+  pull_request:
+    paths:
+      - '**.py'
+      - src/requirements.txt
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions:
+  checks: write
+  contents: write
+
+jobs:
+  linting:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.13
+
+      - name: Install Python dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Install Python linters
+        run: pip install flake8 pylint
+
+      - name: Run linters
+        uses: wearerequired/lint-action@v2
+        with:
+          flake8: true
+          flake8_args: |
+            --ignore=E501
+          continue_on_error: false
+          pylint: true
+          # https://github.com/pylint-dev/pylint/issues/8138
+          pylint_args: |
+            --disable=missing-module-docstring \
+            --disable=missing-class-docstring \
+            --disable=missing-function-docstring \
+            --disable=line-too-long \
+            --disable=too-few-public-methods \
+            --disable=cyclic-import

.github/workflows/lint-yaml.yaml

@@ -0,0 +1,48 @@
+name: Linting YAML
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - '**.yaml'
+      - '**.yml'
+  pull_request:
+    paths:
+      - '**.yaml'
+      - '**.yml'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  linting:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: yaml-lint
+        uses: ibiqlik/action-yamllint@v3
+        with:
+          config_data: |
+            extends: default
+            rules:
+              comments:
+                level: error
+              comments-indentation:
+                level: error
+              document-end: disable
+              document-start: disable
+              line-length: disable
+              truthy:
+                allowed-values:
+                  - 'true'
+                  - 'false'
+                  - 'on'

.github/workflows/sast.yaml

@@ -0,0 +1,45 @@
+name: Static Application Security Testing (SAST)
+
+on:
+  push:
+    branches:
+      - "main"
+  pull_request:
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+
+jobs:
+  sast:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Dependency Scanning (SCA)
+        uses: anchore/scan-action@v6.3.0
+        with:
+          path: "."
+          fail-build: true
+          output-format: table
+
+
+      - name: Create empty ".truffleignore" in case it doesn't exist
+        run: touch .truffleignore
+
+      - name: "Secret Scanning"
+        id: trufflehog
+        uses: trufflesecurity/trufflehog@v3.89.2
+        continue-on-error: false
+        with:
+          path: ./
+          base: ${{ github.head_ref }}
+          extra_args: --exclude-paths=.truffleignore

.gitignore

@@ -1,7 +1,5 @@
-codenames/static/img/**/*.jpg
-codenames/static/img/**/*.jpeg
-config.py
-*~
 *.pyc
-__pycache__
+*~
 .idea
+__pycache__
+codenames/static/img/codes/classic/**/*.webp

.hadolint.yaml

@@ -0,0 +1,2 @@
+ignored:
+  - DL3013  # Pin versions in pip. Instead of `pip install <package>` use `pip install <package>==<version>` or `pip install --requirement <requirements file>`

Dockerfile

@@ -0,0 +1,17 @@
+FROM python:3.13-alpine
+LABEL authors="Schluggi"
+
+WORKDIR /app
+
+COPY codenames /app/codenames
+COPY tools /app/tools
+COPY requirements.txt /app/requirements.txt
+
+RUN pip install --no-cache-dir --upgrade --root-user-action pip gunicorn eventlet
+RUN pip install --no-cache-dir --upgrade --root-user-action -r /app/requirements.txt \
+    && rm -f /app/requirements.txt
+
+RUN python tools/words_to_image.py
+
+EXPOSE 5000
+ENTRYPOINT ["gunicorn", "--worker-class", "eventlet", "-w", "2", "-b", "0.0.0.0:5000", "codenames:app"]