actinia-python-client/.github/workflows/python-code-quality.yml at de0e435b1b13b4383bd6fe70c1e86b63b87b30a0 · actinia-org/actinia-python-client · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
---
name: Python Code Quality

on:
  push:
    branches:
      - main
      - pre_commit_ruff
  pull_request:

jobs:
  python-checks:
    name: Python Code Quality Checks

    concurrency:
      group: ${{ github.workflow }}-${{ github.job }}-${{
        github.event_name == 'pull_request' &&
        github.head_ref || github.sha }}
      cancel-in-progress: true

    strategy:
      matrix:
        include:
          - os: ubuntu-22.04

    env:
      # renovate: datasource=python-version depName=python
      PYTHON_VERSION: "3.10"
      MIN_PYTHON_VERSION: "3.8"
      # renovate: datasource=pypi depName=black
      BLACK_VERSION: "24.10.0"
      # renovate: datasource=pypi depName=flake8
      FLAKE8_VERSION: "7.1.1"
      # renovate: datasource=pypi depName=pylint
      PYLINT_VERSION: "2.12.2"
      # renovate: datasource=pypi depName=bandit
      BANDIT_VERSION: "1.7.10"
      # renovate: datasource=pypi depName=ruff
      RUFF_VERSION: "0.7.4"

    runs-on: ${{ matrix.os }}
    permissions:
      security-events: write

    steps:
      - name: Versions
        run: |
          echo OS: ${{ matrix.os }}
          echo Python: ${{ env.PYTHON_VERSION }}
          echo Minimal Python version: ${{ env.MIN_PYTHON_VERSION }}
          echo Black: ${{ env.BLACK_VERSION }}
          echo Flake8: ${{ env.FLAKE8_VERSION }}
          echo Pylint: ${{ env.PYLINT_VERSION }}
          echo Bandit: ${{ env.BANDIT_VERSION }}
          echo Ruff: ${{ env.RUFF_VERSION }}

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

      - name: Set up Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: pip
      - name: Upgrade pip
        run: python -m pip install --upgrade pip

      - name: Install Ruff
        run: pip install ruff==${{ env.RUFF_VERSION }}
      - name: Run Ruff (output annotations on fixable errors)
        run: ruff check --output-format=github . --preview --unsafe-fixes
        continue-on-error: true
      - name: Run Ruff (apply fixes for suggestions)
        run: ruff check . --preview --fix --unsafe-fixes
      - name: Create and uploads code suggestions to apply for Ruff
        # Will fail fast here if there are changes required
        id: diff-ruff
        # To run after ruff step exits with failure when rules don't have fixes available
        if: ${{ !cancelled() }}
        uses: ./.github/actions/create-upload-suggestions
        with:
          tool-name: ruff
          # To keep repo's file structure in formatted changes artifact
          extra-upload-changes: pyproject.toml

      - name: Install Black only
        run: pip install black[jupyter]==${{ env.BLACK_VERSION }}

      - name: Run Black
        run: black .

      - name: Create and uploads code suggestions to apply for Black
        # Will fail fast here if there are changes required
        id: diff-black
        uses: ./.github/actions/create-upload-suggestions
        with:
          tool-name: black
          # To keep repo's file structure in formatted changes artifact
          extra-upload-changes: .clang-format

      - name: Install Python dependencies
        run: |
          pip install --user pipx
          pipx ensurepath
          pipx install flake8==${{ env.FLAKE8_VERSION }}
          pipx install pylint==${{ env.PYLINT_VERSION }}
          # The extra toml is only needed before Python 3.11
          pipx install bandit[sarif,toml]==${{ env.BANDIT_VERSION }}

      - name: Run Flake8
        run: |
          flake8 --count --statistics --show-source --jobs=$(nproc) .

      - name: Bandit Vulnerability Scan
        run: |
          bandit -c pyproject.toml -iii -r . -f sarif -o bandit.sarif --exit-zero

      - name: Upload Bandit Scan Results
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
        with:
          name: bandit.sarif
          path: bandit.sarif

      - name: Upload SARIF File into Security Tab
        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f  # v3.27.4
        with:
          sarif_file: bandit.sarif

  python-success:
    name: Python Code Quality Result
    needs:
      - python-checks
    if: ${{ always() }}
    uses: ./.github/workflows/verify-success.yml
    with:
      needs_context: ${{ toJson(needs) }}