Skip to content

merge: rebuild the poetry.lock files #6180

merge: rebuild the poetry.lock files

merge: rebuild the poetry.lock files #6180

# Copyright 2024 CS Group
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Check code quality
on:
push:
pull_request:
types: [opened, synchronize, reopened]
# run this worflow only for code/test related changes (avoid it for documentation)
paths: ['**.json', '**.lock', '**.py', '**.raw', '**.toml', '**.yaml', '**.yml']
workflow_dispatch:
env:
PYTHON_VERSION: 3.11.7
SONAR_PROJECT_KEY: RS-PYTHON_rs-server_AYw0m7ixvQv-JMsowILQ
jobs:
changes:
runs-on: ubuntu-latest
permissions:
pull-requests: read
outputs:
code: ${{ steps.filter.outputs.code }}
conf: ${{ steps.filter.outputs.conf }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v3
id: filter
with:
filters: |
code: ['**.py']
conf: ['**.lock', '**.json', '**.raw', '**.toml', '**.yaml', '**.yml']
check-format:
runs-on: ubuntu-latest
name: Check format (pre-commit, black, isort)
needs: changes
if: ${{ needs.changes.outputs.code == 'true' }}
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/install-python
- run: >
echo
":information_source: This job checks that you have run \`pre-commit run --all-files\` in
your local git repository before committing."
>> $GITHUB_STEP_SUMMARY
- uses: pre-commit/[email protected]
check-license:
runs-on: ubuntu-latest
name: Check copyright license headers
needs: changes
if: ${{ needs.changes.outputs.code == 'true' }}
steps:
- uses: actions/checkout@v4
- run: |
docker run -v ${{ github.workspace }}:/src ghcr.io/google/addlicense -check .
check-linting:
runs-on: ubuntu-latest
name: Check linting (pylint, flake8)
needs: changes
if: ${{ needs.changes.outputs.code == 'true' }}
# continue-on-error: true # run other jobs, resolve issues later
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/poetry-install
- name: Run pylint
if: always() # even if previous steps returned a non-zero exit code
run: |
set -x
poetry run pylint "**/*.py" --output-format=colorized,parseable:./pylint-report.txt
- name: Run flake8
if: always()
run: |
set -x
poetry run flake8 . || true # run next line even if fails
poetry run flake8 . --output-file ./flake8-report.txt
- name: Save reports
uses: actions/upload-artifact@v4
if: always()
with:
name: check-linting
path: |
./flake8-report.txt
./pylint-report.txt
retention-days: 1
check-typing:
runs-on: ubuntu-latest
name: Check typing (mypy)
needs: changes
if: ${{ needs.changes.outputs.code == 'true' }}
# continue-on-error: true # run other jobs, resolve issues later
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/poetry-install
- name: Run mypy
run: poetry run mypy --install-types --non-interactive --explicit-package-bases .
shell: bash
check-security:
runs-on: ubuntu-latest
name: Check security (bandit, safety, trivy)
# continue-on-error: true # run other jobs, resolve issues later
permissions: write-all
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/poetry-install
- id: bandit
name: Run bandit
if: always() # even if previous steps returned a non-zero exit code
run: |
set -x
poetry run bandit -c pyproject.toml -r . || true # run next line even if fails
poetry run bandit -c pyproject.toml -r . -f json -o ./bandit-report.json
shell: bash
- id: safety
name: Run safety
if: always()
run: poetry run safety check --full-report
shell: bash
- name: Run Trivy vulnerability scanner
if: always()
uses: aquasecurity/trivy-action@master
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
with:
scan-type: fs
ignore-unfixed: true
format: sarif
output: trivy-results-fs.sarif
exit-code: 1
#severity: 'CRITICAL'
- name: Save reports as artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: check-security
path: |
./bandit-report.json
./trivy-results-fs.sarif
retention-days: 1
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results-fs.sarif
category: git repository
- name: "Display link to Trivy results"
if: always()
run: |
set -x
# If this is not a pull request, the query is "is:open+branch:branch_name"
if [[ "${{ github.ref_name }}" != *merge* ]]; then
query="is:open+branch:${{ github.ref_name }}"
# Else the ref_name is e.g. '13/merge'. Change it into 'pr:13'
else
query=$(sed "s|\(.*\)/merge|pr:\1|g" <<< "${{ github.ref_name }}")
fi
echo "Trivy scan results:" \
"https://github.com/${{ github.repository }}/security/code-scanning?query=${query}" \
>> $GITHUB_STEP_SUMMARY
shell: bash
run-all-pytests:
runs-on: ubuntu-latest
name: Run pytest # pytest unit and integration tests
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/poetry-install
- name: Run pytest
run: ./resources/all_pytests.sh
shell: bash
- name: Display code coverage summary in this console
uses: irongut/[email protected]
with: # see https://github.com/marketplace/actions/code-coverage-summary#inputs
filename: ./cov-report.xml
- name: Save reports
uses: actions/upload-artifact@v4
with:
name: run-all-pytests
path: |
.coverage
./cov-report.xml
./junit-xml-report.xml
retention-days: 1
generate-quality-report:
runs-on: ubuntu-latest
name: Quality report (sonarqube)
needs: [changes, check-linting, check-security, run-all-pytests] # see actions/download-artifact below
if: ${{ needs.changes.outputs.code == 'true' }}
permissions: write-all # write pull request comments
# Mark the job as OK even if the sonarqube quality gate doesn't pass.
# We will resolve these issues later.
# continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Download linting reports
uses: actions/download-artifact@v4
with:
name:
check-linting
- name: Download vulnerability reports
uses: actions/download-artifact@v4
with:
name:
check-security
- name: Download pytest reports
uses: actions/download-artifact@v4
with:
name:
run-all-pytests
- name: Get directory names
id: dir_names
run: |
echo sources=$(find . -type d -name "rs_server*" | paste -sd ",") >> $GITHUB_OUTPUT
echo tests=$(find . -type d -name "tests" | paste -sd ",") >> $GITHUB_OUTPUT
shell: bash
- name: Run sonarqube
uses: sonarsource/sonarqube-scan-action@master
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
with:
# See doc:
# https://docs.sonarsource.com/sonarqube/9.9/analyzing-source-code/languages/python/
# https://docs.sonarsource.com/sonarqube/9.9/analyzing-source-code/importing-external-issues/importing-third-party-issues/
# https://docs.sonarsource.com/sonarqube/9.9/analyzing-source-code/test-coverage/test-execution-parameters/
# https://docs.sonarsource.com/sonarqube/9.9/analyzing-source-code/test-coverage/test-coverage-parameters/
projectBaseDir: .
args: >
-Dsonar.projectKey=${{ env.SONAR_PROJECT_KEY }}
-Dsonar.branch.name=${{ github.ref_name }}
-Dsonar.sources=${{ steps.dir_names.outputs.sources }}
-Dsonar.tests=${{ steps.dir_names.outputs.tests }}
-Dsonar.exclusions=
-Dsonar.sourceEncoding=UTF-8
-Dsonar.language=py
-Dsonar.python.version=${{ env.PYTHON_VERSION }}
-Dsonar.python.pylint.reportPaths="./pylint-report.txt"
-Dsonar.python.flake8.reportPaths="./flake8-report.txt"
-Dsonar.python.bandit.reportPaths="./bandit-report.json"
-Dsonar.python.coverage.reportPaths="./cov-report.xml"
-Dsonar.python.xunit.reportPath="./junit-xml-report.xml"
- name: Wait for quality gate result
run: sleep 5
- name: Report quality gate result in the pull request comment
uses: phwt/sonarqube-quality-gate-action@v1
id: quality-gate-result
with:
sonar-project-key: ${{ env.SONAR_PROJECT_KEY }}
sonar-host-url: ${{ secrets.SONAR_HOST_URL }}
sonar-token: ${{ secrets.SONAR_TOKEN }}
github-token: ${{ secrets.GITHUB_TOKEN }}
branch: ${{ github.ref_name }}
- name: Output result
run: |
echo "${{ steps.quality-gate-result.outputs.project-status }}"
echo "${{ steps.quality-gate-result.outputs.quality-gate-result }}"
- id: check-gate
name: Check quality gate status
uses: sonarsource/sonarqube-quality-gate-action@master
timeout-minutes: 5
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# http instead of https or the url appears as *** in github, I don't know why,
# it may be configurable. But http works as well.
- if: always()
run: >
echo "SonarQube report:
http://sonarqube.ops-csc.com/dashboard?branch=${{ github.ref_name }}&id=${{ env.SONAR_PROJECT_KEY }}"
>> $GITHUB_STEP_SUMMARY