feat: [schubergphilis#1][schubergphilis#2] Install python and run pytest
030 committed Oct 14, 2024
1 parent 37ab1c8 commit d1b9005
Showing 4 changed files with 187 additions and 1 deletion.
7 changes: 7 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,7 @@
---
version: 2
updates:
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: 'daily'
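Review bot: only the `github-actions` ecosystem is registered in this hunk, although the repository is a Python project whose `action.yml` in this same commit pins `yamllint==1.35.1` and `pyinstaller==v6.10.0` inside `run:` steps; Dependabot cannot see versions embedded in shell commands, and no `pip` entry exists to track a `requirements.txt` if one is added. Consider a second `updates` entry with `package-ecosystem: 'pip'` and `directory: '/'` so Python dependency bumps get the same daily treatment as the action pins.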
19 changes: 19 additions & 0 deletions .github/workflows/mcvs-pr-validation.yml
@@ -0,0 +1,19 @@
---
name: MCVS-PR-validation-action
'on':
pull_request:
types:
- edited
- opened
- reopened
- synchronize
workflow_call:
permissions:
contents: read
pull-requests: read
jobs:
MCVS-PR-validation-action:
runs-on: ubuntu-22.04
steps:
- uses: actions/[email protected]
- uses: schubergphilis/[email protected]
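Review bot: `actions/[email protected]` and `schubergphilis/[email protected]` are pinned to mutable tags rather than full commit SHAs, so this workflow's supply chain depends on those tags never being moved after the fact. Since the same commit adds a daily `github-actions` Dependabot schedule, pinning each `uses:` to the 40-character SHA with the tag in a trailing comment keeps the updates automatic while making the reference immutable.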
37 changes: 36 additions & 1 deletion README.md
@@ -1,2 +1,37 @@
# mcvs-python-action
# MCVS-python-action

Mission Critical Vulnerability Scanner (MCVS) Python Action. Create Python code without high and critical vulnerabilities.

## Usage

Create a `.github/workflows/python.yml` file with the following content:

```yaml
---
name: Python
"on": push
permissions:
contents: read # write if pyinstaller-binary-name is non-empty
jobs:
MCVS-python-action:
runs-on: ubuntu-20.04
steps:
- uses: actions/[email protected]
- uses: schubergphilis/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
```
<!-- markdownlint-disable MD013 -->
| Option | Default | Required | Description |
| :---------------------- | :----------------------------------- | -------- | :---------------------------------------------------------------------------------------------------------------- |
| pyinstaller-binary-name | | | If populated, then a binary will be created using pyinstaller and attached to a release |
| token | ' ' | x | GitHub token that is required to push a package to the registry of the project and to pull cached Trivy DB images |
| trivy-action-db | ghcr.io/aquasecurity/trivy-db:2 | | Replace this with a cached image to prevent bump into pull rate limiting issues |
| trivy-action-java-db | ghcr.io/aquasecurity/trivy-java-db:1 | | Replace this with a cached image to prevent bump into pull rate limiting issues |
<!-- markdownlint-enable MD013 -->
Define the Python version of the project by adding it to a `.python-version`
file.
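Review bot: the usage example runs on `ubuntu-20.04` while the PR-validation workflow added in this same commit uses `ubuntu-22.04`; align the two so readers copying the README get the runner the action is actually tested on. In the options table, `token` is listed with a default of `' '` and marked required, but `action.yml` declares it `required: true` with no default, so the Default cell should be left empty. Minor wording: "prevent bump into pull rate limiting issues" in the two Trivy rows reads better as "avoid running into pull rate limits".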
125 changes: 125 additions & 0 deletions action.yml
@@ -0,0 +1,125 @@
---
name: mcvs-python-action
description: |
The Mission Critical Vulnerability Scanner (MCVS) Python action.
inputs:
pyinstaller-binary-name:
description: The name of the binary that is created using pyinstaller.
trivy-action-db:
default: 'ghcr.io/aquasecurity/trivy-db:2'
description: |
OCI repository to retrieve trivy-db from.
trivy-action-java-db:
description: |
OCI repository to retrieve trivy-java-db from.
default: 'ghcr.io/aquasecurity/trivy-java-db:1'
token:
description: |
A token is required to allow the mcvs-python-action to push the
package that it has been built, to the packages repository of the GitHub
repository where the action has been run and to pull the cached trivy DBs
to prevent bump into pull rate limits.
required: true
runs:
using: 'composite'
steps:
#
# YAML linting.
#
- run: |
pip install --user yamllint==1.35.1
yamllint .
shell: bash
#
# Install the python version that has been defined in the .python-version
# file.
#
- uses: actions/[email protected]
with:
cache: 'pip'
#
# Code security scanning.
#
- uses: anchore/[email protected]
with:
only-fixed: false
output-format: table
path: '.'
severity-cutoff: high
- uses: 030/[email protected]
- name: Log in to GitHub Packages Docker registry
shell: bash
run: |
echo "${{ inputs.token }}" |\
docker login ghcr.io -u ${{ github.actor }} --password-stdin
- uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
TRIVY_PASSWORD: ${{ inputs.token }}
TRIVY_USERNAME: ${{ github.actor }}
with:
scan-type: 'fs'
scan-ref: '.'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
trivyignores: .trivyignore
#
# If a requirements file exists in the project, then install the packages.
#
- name: Install PIP packages defined in requirements.txt
shell: bash
run: |
requirements_file=requirements.txt
if [ -f ${requirements_file} ]; then
pip install \
-r ${requirements_file}
fi
#
# Run pytest if 'import pytest' is found.
#
- name: Run tests
shell: bash
run: |
if grep -r 'import pytest' *.py; then
pytest \
--capture=no \
--cov=main test.py \
--cov-report term-missing \
--verbose
fi
#
# Build binary using pyinstaller and attach it to a release once a tag has
# been created.
#
- name: Check Conditions
id: condition_check
run: echo "Checking conditions..."
shell: bash
if: |
${{ github.event_name == 'push' &&
contains(github.ref, 'refs/tags/') &&
inputs.pyinstaller-binary-name != '' }}
# if: |
# github.event_name == 'push' &&
# contains(github.ref, 'refs/tags/') &&
# ${{ inputs.pyinstaller-binary-name != '' }}
# if: |
# github.event_name == 'push' &&
# contains(github.ref, 'refs/tags/') &&
# ${{ inputs.pyinstaller-binary-name != '' }}
- name: Build binary using pyinstaller
if: ${{ steps.condition_check.outcome == 'success' }}
shell: bash
run: |
pip install pyinstaller==v6.10.0
pyinstaller --onefile main.py --name gomod-go-version-updater
- name: Attach a binary to a release
if: ${{ steps.condition_check.outcome == 'success' }}
uses: svenstaro/[email protected]
with:
repo_token: ${{ inputs.token }}
file: dist/${{ inputs.pyinstaller-binary-name }}
asset_name: ${{ inputs.pyinstaller-binary-name }}
tag: ${{ github.ref }}
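Review bot: the `Build binary using pyinstaller` step hardcodes `--name gomod-go-version-updater`, but the following `Attach a binary to a release` step uploads `dist/${{ inputs.pyinstaller-binary-name }}`, so the release step will fail to find its file unless the input happens to equal that literal; the build line should be `pyinstaller --onefile main.py --name ${{ inputs.pyinstaller-binary-name }}`. The two commented-out `# if:` blocks after the `Check Conditions` step duplicate the live condition and should be removed rather than committed. Two smaller points in the test step: `grep -r 'import pytest' *.py` only inspects files in the repository root (the `-r` does nothing with an explicit glob, and tests in a `tests/` directory are never detected), and `--cov=main test.py` fixes both the module and the test file name, which silently restricts the action to that one project layout. The `token` input description would also read better as "the package that it has built".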
