Merge pull request #61 from pahrohfit/dev

dropped support for python 3.8, keeping current, linting and testing cleanups
pahrohfit · Mar 19, 2024 · bfdeffe · bfdeffe
2 parents d87d760 + 7350528
commit bfdeffe
Show file tree

Hide file tree

Showing 54 changed files with 1,339 additions and 771 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -9,12 +9,12 @@ jobs:
     name: Build using Poetry and Publish to PyPI
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - name: Install poetry
-      run: pipx install poetry
-    - uses: actions/setup-python@v4
+    - uses: actions/checkout@v4
+    - uses: actions/setup-python@v5
       with:
-        python-version: 3.8
+        python-version: 3.9
+    - name: Install Poetry
+      uses: snok/install-poetry@v1
     - name: login
       run: poetry config http-basic.pypi __token__ ${{ secrets.PYPI_PASSWORD }}
     - name: build

diff --git a/.github/workflows/deploy_pre_release.disabled b/.github/workflows/deploy_pre_release.disabled
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
@@ -23,7 +23,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1

diff --git a/.github/workflows/mayham.yml.disabled b/.github/workflows/mayham.yml.disabled
diff --git a/.github/workflows/pyre.yml.disabled b/.github/workflows/pyre.yml.disabled
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,74 @@
+name: Security Testing
+
+on:
+  push:
+    branches: [ master, dev ]
+  pull_request:
+    branches: [ master, dev ]
+
+permissions:
+  contents: read
+  id-token: write
+  actions: read
+  security-events: write   # To upload sarif files
+
+jobs:
+  security_checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        id: setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.9
+          #cache: 'poetry'
+
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+
+      - name: Load cached dotvenv
+        id: cached-poetry-dotvenv
+        uses: actions/cache@v3
+        with:
+          path: .venv
+          key: venv-${{ runner.os }}-${{ hashFiles('**/poetry.lock') }}-${{ hashFiles('.github/workflows/main.yml') }}
+
+      - name: Load cached dotlocal
+        id: cached-poetry-dotlocal
+        uses: actions/cache@v3
+        with:
+          path: ~/.local
+          key: dotlocal-${{ runner.os }}-${{ hashFiles('.github/workflows/main.yml') }}
+
+        #----------------------------------------------
+        # install your root project, if required
+        #----------------------------------------------
+      - name: Install library
+        run: poetry install --no-interaction --sync
+
+        #----------------------------------------------
+        #              run security test suite
+        #----------------------------------------------
+      - name: bandit security testing
+        run: |
+          poetry run bandit -r sanic_beskar/
+      - name: safety security testing
+        run: |
+          poetry run safety check
+      - name: PyCharm Python Security Scanner
+        uses: tonybaloney/pycharm-security@master
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
@@ -0,0 +1,57 @@
+name: tox validators
+
+on:
+  push:
+    branches: [ master, dev ]
+  pull_request:
+    branches: [ master, dev ]
+
+permissions:
+  contents: read
+
+jobs:
+  tox_pre_commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        id: setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.9
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+
+      - name: Load cached dotvenv
+        id: cached-poetry-dotvenv
+        uses: actions/cache@v3
+        with:
+          path: .venv
+          key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock')}}-${{ hashFiles('.github/workflows/main.yml') }}
+
+      - name: Load cached dotlocal
+        id: cached-poetry-dotlocal
+        uses: actions/cache@v3
+        with:
+          path: ~/.local
+          key: dotlocal-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('.github/workflows/main.yml') }}
+
+        #----------------------------------------------
+        # install your root project, if required
+        #----------------------------------------------
+      - name: Show python
+        run: python -V
+      - name: Show poetry python
+        run: poetry run python -V
+      - name: Install library
+        run: poetry install --no-interaction --sync
+
+        #----------------------------------------------
+        #              run test suite
+        #----------------------------------------------
+
+      #- name: pre-commit checks
+      #  run: poetry run tox -e pre-commit -- -- --all-files -v
+
+      - name: pre-commit
+        uses: pre-commit/action@v3.0.1