Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
364171ebca | ||
|
|
2be1150eec | ||
|
|
1434f75112 | ||
|
|
9cba668088 | ||
|
|
53e4b246a4 | ||
|
|
87c64c424f | ||
|
|
8266220f12 | ||
|
|
eb9b390724 | ||
|
|
da2851e704 |
42
.gitea/workflows/node-checks.yml
Normal file
42
.gitea/workflows/node-checks.yml
Normal file
@@ -0,0 +1,42 @@
|
||||
name: Reusable Node Checks
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
node_version:
|
||||
type: string
|
||||
default: "22"
|
||||
install_command:
|
||||
type: string
|
||||
default: "npm ci"
|
||||
typecheck_command:
|
||||
type: string
|
||||
default: "npm run typecheck"
|
||||
test_command:
|
||||
type: string
|
||||
default: "npm test"
|
||||
build_command:
|
||||
type: string
|
||||
default: "npm run build"
|
||||
|
||||
jobs:
|
||||
check:
|
||||
runs-on: docker
|
||||
container:
|
||||
image: node:${{ inputs.node_version }}-alpine
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install dependencies
|
||||
run: ${{ inputs.install_command }}
|
||||
|
||||
- name: Typecheck
|
||||
run: ${{ inputs.typecheck_command }}
|
||||
|
||||
- name: Run tests
|
||||
run: ${{ inputs.test_command }}
|
||||
|
||||
- name: Build
|
||||
run: ${{ inputs.build_command }}
|
||||
@@ -9,35 +9,156 @@ on:
|
||||
job_name:
|
||||
required: true
|
||||
type: string
|
||||
notify_on_release:
|
||||
required: false
|
||||
type: boolean
|
||||
default: true
|
||||
secrets:
|
||||
NTFY_TOPIC: { required: true }
|
||||
NTFY_TOKEN: { required: true }
|
||||
NTFY_SERVER: { required: true }
|
||||
API_GITEA_TOKEN: { required: true }
|
||||
|
||||
jobs:
|
||||
notify:
|
||||
runs-on: docker
|
||||
steps:
|
||||
- name: Detect previous workflow state
|
||||
id: previous
|
||||
shell: bash
|
||||
env:
|
||||
API_GITEA_TOKEN: ${{ secrets.API_GITEA_TOKEN }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
|
||||
python3 <<'PY'
|
||||
import json
|
||||
import os
|
||||
import urllib.request
|
||||
|
||||
server = "${{ gitea.server_url }}"
|
||||
repo = "${{ gitea.repository }}"
|
||||
current_run_number = int("${{ gitea.run_number }}")
|
||||
current_branch = "${{ gitea.ref_name }}"
|
||||
current_event = "${{ gitea.event_name }}"
|
||||
token = os.environ["API_GITEA_TOKEN"]
|
||||
|
||||
url = (
|
||||
f"{server}/api/v1/repos/{repo}/actions/runs"
|
||||
f"?page=1&limit=5"
|
||||
)
|
||||
|
||||
print(f"Fetching workflow runs from: {url}")
|
||||
print(f"Current run number: {current_run_number}")
|
||||
print(f"Current branch: {current_branch}")
|
||||
print(f"Current event: {current_event}")
|
||||
|
||||
req = urllib.request.Request(
|
||||
url,
|
||||
headers={
|
||||
"Authorization": f"token {token}",
|
||||
"Accept": "application/json",
|
||||
},
|
||||
)
|
||||
|
||||
with urllib.request.urlopen(req) as response:
|
||||
data = json.loads(response.read().decode("utf-8"))
|
||||
|
||||
runs = data.get("workflow_runs", [])
|
||||
|
||||
print(f"Received {len(runs)} workflow runs")
|
||||
|
||||
previous = "unknown"
|
||||
|
||||
for run in runs:
|
||||
run_number = run.get("run_number")
|
||||
status = run.get("status")
|
||||
conclusion = run.get("conclusion")
|
||||
branch = run.get("head_branch")
|
||||
event = run.get("event")
|
||||
|
||||
print(
|
||||
f"Inspecting run #{run_number}: "
|
||||
f"status={status}, "
|
||||
f"conclusion={conclusion}, "
|
||||
f"branch={branch}, "
|
||||
f"event={event}"
|
||||
)
|
||||
|
||||
# aktuellen Run überspringen
|
||||
if int(run_number) == current_run_number:
|
||||
print(" -> skipping current run")
|
||||
continue
|
||||
|
||||
# nur abgeschlossene Runs
|
||||
if status != "completed":
|
||||
print(" -> skipping non-completed run")
|
||||
continue
|
||||
|
||||
# nur gleicher Branch
|
||||
if branch != current_branch:
|
||||
print(" -> skipping different branch")
|
||||
continue
|
||||
|
||||
# nur gleiches Event
|
||||
if event != current_event:
|
||||
print(" -> skipping different event")
|
||||
continue
|
||||
|
||||
previous = conclusion or "unknown"
|
||||
|
||||
print(f" -> selected previous conclusion: {previous}")
|
||||
break
|
||||
|
||||
print(f"Previous conclusion final: {previous}")
|
||||
|
||||
with open(os.environ["GITEA_OUTPUT"], "a", encoding="utf-8") as f:
|
||||
f.write(f"previous_conclusion={previous}\n")
|
||||
PY
|
||||
|
||||
- name: Send Notification
|
||||
shell: bash
|
||||
run: |
|
||||
# Icon und Titel basierend auf Status
|
||||
if [ "${{ inputs.job_status }}" == "success" ]; then
|
||||
ICON="✅"
|
||||
TITLE="Fixed: ${{ inputs.job_name }} for ${{ gitea.repository }}"
|
||||
else
|
||||
ICON="❌"
|
||||
TITLE="Failed: ${{ inputs.job_name }} for ${{ gitea.repository }}"
|
||||
set -euo pipefail
|
||||
|
||||
CURRENT_STATUS="${{ inputs.job_status }}"
|
||||
PREVIOUS_STATUS="${{ steps.previous.outputs.previous_conclusion }}"
|
||||
IS_RELEASE="false"
|
||||
|
||||
if [[ "${{ gitea.ref }}" == refs/tags/v* ]]; then
|
||||
IS_RELEASE="true"
|
||||
fi
|
||||
|
||||
COMMIT_SUBJECT="$(git log -1 --pretty=%s || echo 'Commit info unavailable')"
|
||||
echo "Current status: ${CURRENT_STATUS}"
|
||||
echo "Previous status: ${PREVIOUS_STATUS}"
|
||||
echo "Is release: ${IS_RELEASE}"
|
||||
|
||||
if [[ "$IS_RELEASE" == "true" && "$CURRENT_STATUS" == "success" ]]; then
|
||||
ICON="🚀"
|
||||
TITLE="New release available: ${{ gitea.ref_name }} for ${{ gitea.repository }}"
|
||||
elif [[ "$CURRENT_STATUS" == "failure" ]]; then
|
||||
ICON="❌"
|
||||
TITLE="Failed: ${{ inputs.job_name }} for ${{ gitea.repository }}"
|
||||
elif [[ "$CURRENT_STATUS" == "success" && "$PREVIOUS_STATUS" == "failure" ]]; then
|
||||
ICON="✅"
|
||||
TITLE="Healed: ${{ inputs.job_name }} for ${{ gitea.repository }}"
|
||||
else
|
||||
echo "No notification needed."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
COMMIT_SUBJECT="$(curl -fsS \
|
||||
-H "Authorization: Bearer ${{ secrets.API_GITEA_TOKEN }}" \
|
||||
"${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/git/commits/${{ gitea.sha }}" \
|
||||
| python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('RepoCommit',{}).get('message','').split('\n')[0])" \
|
||||
2>/dev/null || echo 'Commit info unavailable')"
|
||||
RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}"
|
||||
|
||||
cat <<EOF >/tmp/ntfy-payload.json
|
||||
{
|
||||
"topic": "${{ secrets.NTFY_TOPIC }}",
|
||||
"title": "${ICON} ${TITLE}",
|
||||
"message": "Ref: ${{ gitea.ref_name }}\nCommit: ${COMMIT_SUBJECT}\n\nRun URL: ${RUN_URL}",
|
||||
"message": "Ref: ${{ gitea.ref_name }}\nStatus: ${CURRENT_STATUS}\nPrevious: ${PREVIOUS_STATUS}\nCommit: ${COMMIT_SUBJECT}\n\nRun URL: ${RUN_URL}",
|
||||
"click": "${RUN_URL}",
|
||||
"actions": [
|
||||
{ "action": "view", "label": "Open Run", "url": "${RUN_URL}" }
|
||||
|
||||
@@ -6,9 +6,21 @@ on:
|
||||
python_version:
|
||||
type: string
|
||||
default: "3.14"
|
||||
source_path:
|
||||
type: string
|
||||
default: "app"
|
||||
tests_path:
|
||||
type: string
|
||||
default: "tests"
|
||||
test_command:
|
||||
type: string
|
||||
default: "coverage run -m pytest"
|
||||
coverage_fail_under:
|
||||
type: string
|
||||
default: "80"
|
||||
run_security_scan:
|
||||
type: boolean
|
||||
default: true
|
||||
|
||||
jobs:
|
||||
check:
|
||||
@@ -26,30 +38,38 @@ jobs:
|
||||
- name: Install Tools & Deps
|
||||
run: |
|
||||
python -m pip install --upgrade pip setuptools wheel
|
||||
pip install -e .[dev] || pip install -e .[test] || pip install -e .
|
||||
pip install -e ".[dev]" || pip install -e ".[test]" || pip install -e .
|
||||
pip install ruff coverage pip-audit bandit
|
||||
|
||||
- name: Linting
|
||||
run: ruff check app tests
|
||||
run: ruff check ${{ inputs.source_path }} ${{ inputs.tests_path }}
|
||||
|
||||
- name: Tests
|
||||
run: |
|
||||
${{ inputs.test_command }}
|
||||
coverage report --fail-under=60
|
||||
coverage report --fail-under=${{ inputs.coverage_fail_under }}
|
||||
coverage xml
|
||||
coverage html
|
||||
|
||||
- name: Security Scan
|
||||
if: ${{ inputs.run_security_scan }}
|
||||
run: |
|
||||
pip freeze | grep -v "git+" > req.txt
|
||||
pip-audit -r req.txt
|
||||
bandit -r app/
|
||||
bandit -r ${{ inputs.source_path }}
|
||||
|
||||
- name: Upload Coverage
|
||||
- name: Upload Coverage HTML
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: coverage-report
|
||||
path: |
|
||||
htmlcov/
|
||||
coverage.xml
|
||||
name: coverage-html
|
||||
path: htmlcov/
|
||||
if-no-files-found: warn
|
||||
|
||||
- name: Upload Coverage XML
|
||||
if: always()
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: coverage-xml
|
||||
path: coverage.xml
|
||||
if-no-files-found: warn
|
||||
38
.gitea/workflows/python-security-checks.yml
Normal file
38
.gitea/workflows/python-security-checks.yml
Normal file
@@ -0,0 +1,38 @@
|
||||
name: Reusable Python Security Checks
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
install_command:
|
||||
type: string
|
||||
default: 'python -m pip install "bandit[toml]"'
|
||||
security_command:
|
||||
type: string
|
||||
default: "python -m bandit -r app -c pyproject.toml"
|
||||
working_directory:
|
||||
type: string
|
||||
default: "."
|
||||
secrets:
|
||||
REGISTRY_USERNAME: { required: true }
|
||||
REGISTRY_PASSWORD: { required: true }
|
||||
|
||||
jobs:
|
||||
security:
|
||||
runs-on: docker
|
||||
container:
|
||||
image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
|
||||
credentials:
|
||||
username: ${{ secrets.REGISTRY_USERNAME }}
|
||||
password: ${{ secrets.REGISTRY_PASSWORD }}
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install security tools
|
||||
working-directory: ${{ inputs.working_directory }}
|
||||
run: ${{ inputs.install_command }}
|
||||
|
||||
- name: Run security scan
|
||||
working-directory: ${{ inputs.working_directory }}
|
||||
run: ${{ inputs.security_command }}
|
||||
Reference in New Issue
Block a user