Workflows/SharedWorkflows
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: Workflows:v1.1.0
Branches Tags
Workflows:main
Workflows:v1.5.2 Workflows:v1.5.1 Workflows:v1.5.0 Workflows:v1.4.1 Workflows:v1.4.0 Workflows:v1.2.0 Workflows:v1.1.3 Workflows:v1.1.2 Workflows:v1.1.1 Workflows:v1.1.0 Workflows:v1.0.0
...
compare: Workflows:v1.5.2
Branches Tags
Workflows:main
Workflows:v1.5.2 Workflows:v1.5.1 Workflows:v1.5.0 Workflows:v1.4.1 Workflows:v1.4.0 Workflows:v1.2.0 Workflows:v1.1.3 Workflows:v1.1.2 Workflows:v1.1.1 Workflows:v1.1.0 Workflows:v1.0.0

8 Commits
v1.1.0 ... v1.5.2

Author SHA1 Message Date
dresber
364171ebca fix(python-security-checks): use custom runner image instead of python slim 
python:3.14-slim has no Node.js so actions/checkout@v4 fails with
'node: executable file not found in PATH'. Switch to the same
gitea_runner_python314 custom image used by python-checks.yml which
has both Python 3.14 and Node.js. Drop the python_version input as it
no longer drives the container selection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-30 14:43:38 +02:00
dresber
2be1150eec feat: add python-security-checks reusable workflow 
Dedicated security-only workflow using python:VERSION-slim.
Runs Bandit (or any security tool) without pytest or coverage.
Supports python_version, install_command, security_command,
and working_directory inputs with sensible defaults.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-28 20:43:00 +02:00
dresber
1434f75112 fix: fetch commit subject via Gitea API instead of git log 
Notification job had no checkout step so git log always failed,
producing "Commit info unavailable". Now uses the existing
API_GITEA_TOKEN and gitea.sha context to fetch the commit message
from the Gitea API directly.

Also raises default coverage threshold in python-checks to 80%.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-27 22:01:55 +02:00
dresber
9cba668088 support other project structure for app folders 2026-05-18 22:06:51 +02:00
dresber
53e4b246a4 add node checks as workflow 2026-05-10 20:38:24 +02:00
dresber
87c64c424f correct env variable name 2026-05-10 20:22:57 +02:00
dresber
8266220f12 adopt coverage upload to avoid problems 2026-05-10 19:54:45 +02:00
dresber
eb9b390724 correct secret name as it is not allowed to start with GITEA in the runer 2026-05-10 19:16:25 +02:00
4 changed files with 117 additions and 13 deletions
Expand all files Collapse all files

42
.gitea/workflows/node-checks.yml Normal file
View File

@@ -0,0 +1,42 @@
name: Reusable Node Checks
on:
workflow_call:
inputs:
node_version:
type: string
default: "22"
install_command:
type: string
default: "npm ci"
typecheck_command:
type: string
default: "npm run typecheck"
test_command:
type: string
default: "npm test"
build_command:
type: string
default: "npm run build"
jobs:
check:
runs-on: docker
container:
image: node:${{ inputs.node_version }}-alpine
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install dependencies
run: ${{ inputs.install_command }}
- name: Typecheck
run: ${{ inputs.typecheck_command }}
- name: Run tests
run: ${{ inputs.test_command }}
- name: Build
run: ${{ inputs.build_command }}

12
.gitea/workflows/notifications.yml
View File

@@ -17,7 +17,7 @@ on:
NTFY_TOPIC: { required: true } NTFY_TOPIC: { required: true }
NTFY_TOKEN: { required: true } NTFY_TOKEN: { required: true }
NTFY_SERVER: { required: true } NTFY_SERVER: { required: true }
GITEA_TOKEN: { required: true } API_GITEA_TOKEN: { required: true }
jobs: jobs:
notify: notify:
@@ -27,7 +27,7 @@ jobs:
id: previous id: previous
shell: bash shell: bash
env: env:
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} API_GITEA_TOKEN: ${{ secrets.API_GITEA_TOKEN }}
run: | run: |
set -euo pipefail set -euo pipefail
@@ -41,7 +41,7 @@ jobs:
current_run_number = int("${{ gitea.run_number }}") current_run_number = int("${{ gitea.run_number }}")
current_branch = "${{ gitea.ref_name }}" current_branch = "${{ gitea.ref_name }}"
current_event = "${{ gitea.event_name }}" current_event = "${{ gitea.event_name }}"
token = os.environ["GITEA_TOKEN"] token = os.environ["API_GITEA_TOKEN"]
url = ( url = (
f"{server}/api/v1/repos/{repo}/actions/runs" f"{server}/api/v1/repos/{repo}/actions/runs"
@@ -147,7 +147,11 @@ jobs:
exit 0 exit 0
fi fi
COMMIT_SUBJECT="$(git log -1 --pretty=%s 2>/dev/null || echo 'Commit info unavailable')" COMMIT_SUBJECT="$(curl -fsS \
-H "Authorization: Bearer ${{ secrets.API_GITEA_TOKEN }}" \
"${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/git/commits/${{ gitea.sha }}" \
| python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('RepoCommit',{}).get('message','').split('\n')[0])" \
2>/dev/null || echo 'Commit info unavailable')"
RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}" RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}"
cat <<EOF >/tmp/ntfy-payload.json cat <<EOF >/tmp/ntfy-payload.json

38
.gitea/workflows/python-checks.yml
View File

@@ -6,9 +6,21 @@ on:
python_version: python_version:
type: string type: string
default: "3.14" default: "3.14"
source_path:
type: string
default: "app"
tests_path:
type: string
default: "tests"
test_command: test_command:
type: string type: string
default: "coverage run -m pytest" default: "coverage run -m pytest"
coverage_fail_under:
type: string
default: "80"
run_security_scan:
type: boolean
default: true
jobs: jobs:
check: check:
@@ -26,30 +38,38 @@ jobs:
- name: Install Tools & Deps - name: Install Tools & Deps
run: | run: |
python -m pip install --upgrade pip setuptools wheel python -m pip install --upgrade pip setuptools wheel
pip install -e .[dev] || pip install -e .[test] || pip install -e . pip install -e ".[dev]" || pip install -e ".[test]" || pip install -e .
pip install ruff coverage pip-audit bandit pip install ruff coverage pip-audit bandit
- name: Linting - name: Linting
run: ruff check app tests run: ruff check ${{ inputs.source_path }} ${{ inputs.tests_path }}
- name: Tests - name: Tests
run: | run: |
${{ inputs.test_command }} ${{ inputs.test_command }}
coverage report --fail-under=60 coverage report --fail-under=${{ inputs.coverage_fail_under }}
coverage xml coverage xml
coverage html coverage html
- name: Security Scan - name: Security Scan
if: ${{ inputs.run_security_scan }}
run: | run: |
pip freeze | grep -v "git+" > req.txt pip freeze | grep -v "git+" > req.txt
pip-audit -r req.txt pip-audit -r req.txt
bandit -r app/ bandit -r ${{ inputs.source_path }}
- name: Upload Coverage - name: Upload Coverage HTML
if: always() if: always()
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: coverage-report name: coverage-html
path: | path: htmlcov/
htmlcov/ if-no-files-found: warn
coverage.xml
- name: Upload Coverage XML
if: always()
uses: actions/upload-artifact@v3
with:
name: coverage-xml
path: coverage.xml
if-no-files-found: warn

38
.gitea/workflows/python-security-checks.yml Normal file
View File

@@ -0,0 +1,38 @@
name: Reusable Python Security Checks
on:
workflow_call:
inputs:
install_command:
type: string
default: 'python -m pip install "bandit[toml]"'
security_command:
type: string
default: "python -m bandit -r app -c pyproject.toml"
working_directory:
type: string
default: "."
secrets:
REGISTRY_USERNAME: { required: true }
REGISTRY_PASSWORD: { required: true }
jobs:
security:
runs-on: docker
container:
image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
credentials:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install security tools
working-directory: ${{ inputs.working_directory }}
run: ${{ inputs.install_command }}
- name: Run security scan
working-directory: ${{ inputs.working_directory }}
run: ${{ inputs.security_command }}