
Set basic project config correctly #3


Workflow file for this run

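# CI pipeline: lint, SBOM/licence/vulnerability artifacts, matrix tests, then
# a multi-arch container build that is pushed to GHCR on non-PR events.
name: CI

# `on` is a YAML 1.1 boolean to generic parsers; GitHub's loader treats it as
# the trigger mapping, so this is intentional.
on:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  pull_request:
    branches:
      - 'main'

# Least privilege: every job gets a read-only GITHUB_TOKEN unless it overrides
# this block (the build job adds `packages: write` for the registry push).
permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  POETRY_CACHE_DIR: ~/.cache/pypoetry
  IMAGE_NAME: ${{ github.repository }}
  # Quoted so the version is a string ("3.11"), not the float 3.11.
  PYTHON_VERSION: "3.11"

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Debug aid only: this prints the whole event payload (commit author
      # e-mails, PR body, ...) into the job log. Remove once the workflow is
      # stable.
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"
      - uses: actions/checkout@v4
      # poetry has to be present before setup-python runs with `cache: poetry`,
      # otherwise the cache step cannot locate it. Consider pinning the
      # version, e.g. `pipx install poetry==<POETRY_VERSION>`.
      - name: Install poetry
        run: pipx install poetry
      # Was `env.python-version`, which does not exist and rendered an empty
      # step name; the job-level variable is PYTHON_VERSION.
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "poetry"
      - name: Install dependencies
        run: poetry install
      - name: run ruff
        run: poetry run ruff check --output-format=github
      - name: run format
        run: poetry run ruff format --check
      - name: run pyright
        run: poetry run pyright

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Same ordering requirement as in `lint`: poetry before setup-python.
      - name: Install poetry
        run: pipx install poetry
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "poetry"
      - name: Install dependencies
        run: poetry install
      - name: Generate SBOM
        run: poetry run cyclonedx-py poetry > sbom.json
      - name: Generate licenses file
        run: |
          poetry run pip-licenses --order=license --format=json --with-description > licenses.txt
      # `github.GITHUB_SHA` is not a context property and expanded to "", so
      # every upload was named "sbom-licenses-.json"; the property is
      # `github.sha`. The `.json` suffix is dropped because the artifact is an
      # archive holding two files.
      - name: Upload SBOM and licenses
        uses: actions/upload-artifact@v4
        with:
          name: "sbom-licenses-${{ github.sha }}"
          path: |
            sbom.json
            licenses.txt
          if-no-files-found: error
          overwrite: true
      # Supply-chain note: `@master` is a mutable ref, so the scanner's code can
      # change under this workflow without review. Pin to a release tag or,
      # better, a commit SHA: `aquasecurity/trivy-action@<RELEASE_TAG_OR_SHA>`.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          trivy-config: trivy.yaml

  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted: "3.10" must not collapse to the float 3.1.
        python-version: ["3.10", "3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
      # poetry before setup-python, as in the other jobs.
      - name: Install poetry
        run: pipx install poetry
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"
      - name: Install dependencies
        run: poetry install
      - name: run pytest
        run: poetry run coverage run -m pytest
      - name: run coverage
        run: poetry run coverage report
      # Renamed: the original duplicated the "run coverage" step name.
      - name: build coverage html
        run: poetry run coverage html
      # `github.GITHUB_SHA` -> `github.sha` (see the security job).
      - name: Upload code coverage report
        uses: actions/upload-artifact@v4
        with:
          name: "codecoverage-${{ github.sha }}"
          path: htmlcov/
          if-no-files-found: error
          overwrite: true

  build:
    # Previously gated on `test` alone, so an image could be pushed to GHCR
    # even when lint or the security job had failed.
    needs: [lint, security, test]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Log in to the Container registry
        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      # `darwin/amd64` was removed from the platform list: buildx builds Linux
      # container images and cannot produce a darwin OS image from a Linux
      # base, so the whole multi-platform build failed.
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
      # NOTE(review): no `image:` input is given, so it is unclear which image
      # is scanned; on pull_request nothing was pushed (`push` is false above).
      # The scan also runs only after the push, i.e. a vulnerable image is
      # already published before the result is known. Scout is believed to
      # need a Docker Hub login as well — confirm against the action's docs.
      - name: Check image for vulnerabilities
        uses: docker/scout-action@v3
        with:
          command: quickview,cves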