Workflows/SharedWorkflows
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: Workflows:9cba668088f944065fcad32788adf48afe87c7ed
Branches Tags
Workflows:main
Workflows:v1.5.2 Workflows:v1.5.1 Workflows:v1.5.0 Workflows:v1.4.1 Workflows:v1.4.0 Workflows:v1.2.0 Workflows:v1.1.3 Workflows:v1.1.2 Workflows:v1.1.1 Workflows:v1.1.0 Workflows:v1.0.0
...
compare: Workflows:v1.5.0
Branches Tags
Workflows:main
Workflows:v1.5.2 Workflows:v1.5.1 Workflows:v1.5.0 Workflows:v1.4.1 Workflows:v1.4.0 Workflows:v1.2.0 Workflows:v1.1.3 Workflows:v1.1.2 Workflows:v1.1.1 Workflows:v1.1.0 Workflows:v1.0.0

2 Commits
9cba668088 ... v1.5.0

Author SHA1 Message Date
dresber
2be1150eec feat: add python-security-checks reusable workflow 
Dedicated security-only workflow using python:VERSION-slim.
Runs Bandit (or any security tool) without pytest or coverage.
Supports python_version, install_command, security_command,
and working_directory inputs with sensible defaults.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-28 20:43:00 +02:00
dresber
1434f75112 fix: fetch commit subject via Gitea API instead of git log 
Notification job had no checkout step so git log always failed,
producing "Commit info unavailable". Now uses the existing
API_GITEA_TOKEN and gitea.sha context to fetch the commit message
from the Gitea API directly.

Also raises default coverage threshold in python-checks to 80%.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-27 22:01:55 +02:00
3 changed files with 41 additions and 2 deletions
Expand all files Collapse all files

6
.gitea/workflows/notifications.yml
View File

@@ -147,7 +147,11 @@ jobs:
exit 0 exit 0
fi fi
COMMIT_SUBJECT="$(git log -1 --pretty=%s 2>/dev/null || echo 'Commit info unavailable')" COMMIT_SUBJECT="$(curl -fsS \
-H "Authorization: Bearer ${{ secrets.API_GITEA_TOKEN }}" \
"${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/git/commits/${{ gitea.sha }}" \
| python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('RepoCommit',{}).get('message','').split('\n')[0])" \
2>/dev/null || echo 'Commit info unavailable')"
RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}" RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}"
cat <<EOF >/tmp/ntfy-payload.json cat <<EOF >/tmp/ntfy-payload.json

2
.gitea/workflows/python-checks.yml
View File

@@ -17,7 +17,7 @@ on:
default: "coverage run -m pytest" default: "coverage run -m pytest"
coverage_fail_under: coverage_fail_under:
type: string type: string
default: "60" default: "80"
run_security_scan: run_security_scan:
type: boolean type: boolean
default: true default: true

35
.gitea/workflows/python-security-checks.yml Normal file
View File

@@ -0,0 +1,35 @@
name: Reusable Python Security Checks
on:
workflow_call:
inputs:
python_version:
type: string
default: "3.14"
install_command:
type: string
default: 'python -m pip install "bandit[toml]"'
security_command:
type: string
default: "python -m bandit -r app -c pyproject.toml"
working_directory:
type: string
default: "."
jobs:
security:
runs-on: docker
container:
image: python:${{ inputs.python_version }}-slim
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install security tools
working-directory: ${{ inputs.working_directory }}
run: ${{ inputs.install_command }}
- name: Run security scan
working-directory: ${{ inputs.working_directory }}
run: ${{ inputs.security_command }}