Workflows/SharedWorkflows
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: Workflows:v1.1.3
Branches Tags
Workflows:main
Workflows:v1.5.2 Workflows:v1.5.1 Workflows:v1.5.0 Workflows:v1.4.1 Workflows:v1.4.0 Workflows:v1.2.0 Workflows:v1.1.3 Workflows:v1.1.2 Workflows:v1.1.1 Workflows:v1.1.0 Workflows:v1.0.0
...
compare: Workflows:v1.5.2
Branches Tags
Workflows:main
Workflows:v1.5.2 Workflows:v1.5.1 Workflows:v1.5.0 Workflows:v1.4.1 Workflows:v1.4.0 Workflows:v1.2.0 Workflows:v1.1.3 Workflows:v1.1.2 Workflows:v1.1.1 Workflows:v1.1.0 Workflows:v1.0.0

5 Commits
v1.1.3 ... v1.5.2

Author SHA1 Message Date
dresber
364171ebca fix(python-security-checks): use custom runner image instead of python slim 
python:3.14-slim has no Node.js so actions/checkout@v4 fails with
'node: executable file not found in PATH'. Switch to the same
gitea_runner_python314 custom image used by python-checks.yml which
has both Python 3.14 and Node.js. Drop the python_version input as it
no longer drives the container selection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-30 14:43:38 +02:00
dresber
2be1150eec feat: add python-security-checks reusable workflow 
Dedicated security-only workflow using python:VERSION-slim.
Runs Bandit (or any security tool) without pytest or coverage.
Supports python_version, install_command, security_command,
and working_directory inputs with sensible defaults.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-28 20:43:00 +02:00
dresber
1434f75112 fix: fetch commit subject via Gitea API instead of git log 
Notification job had no checkout step so git log always failed,
producing "Commit info unavailable". Now uses the existing
API_GITEA_TOKEN and gitea.sha context to fetch the commit message
from the Gitea API directly.

Also raises default coverage threshold in python-checks to 80%.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-27 22:01:55 +02:00
dresber
9cba668088 support other project structure for app folders 2026-05-18 22:06:51 +02:00
dresber
53e4b246a4 add node checks as workflow 2026-05-10 20:38:24 +02:00
4 changed files with 102 additions and 5 deletions
Expand all files Collapse all files

42
.gitea/workflows/node-checks.yml Normal file
View File

@@ -0,0 +1,42 @@
name: Reusable Node Checks
on:
workflow_call:
inputs:
node_version:
type: string
default: "22"
install_command:
type: string
default: "npm ci"
typecheck_command:
type: string
default: "npm run typecheck"
test_command:
type: string
default: "npm test"
build_command:
type: string
default: "npm run build"
jobs:
check:
runs-on: docker
container:
image: node:${{ inputs.node_version }}-alpine
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install dependencies
run: ${{ inputs.install_command }}
- name: Typecheck
run: ${{ inputs.typecheck_command }}
- name: Run tests
run: ${{ inputs.test_command }}
- name: Build
run: ${{ inputs.build_command }}

6
.gitea/workflows/notifications.yml
View File

@@ -147,7 +147,11 @@ jobs:
exit 0
fi
COMMIT_SUBJECT="$(git log -1 --pretty=%s 2>/dev/null || echo 'Commit info unavailable')"
COMMIT_SUBJECT="$(curl -fsS \
-H "Authorization: Bearer ${{ secrets.API_GITEA_TOKEN }}" \
"${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/git/commits/${{ gitea.sha }}" \
| python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('RepoCommit',{}).get('message','').split('\n')[0])" \
2>/dev/null || echo 'Commit info unavailable')"
RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}"
cat <<EOF >/tmp/ntfy-payload.json

21
.gitea/workflows/python-checks.yml
View File

@@ -6,9 +6,21 @@ on:
python_version:
type: string
default: "3.14"
source_path:
type: string
default: "app"
tests_path:
type: string
default: "tests"
test_command:
type: string
default: "coverage run -m pytest"
coverage_fail_under:
type: string
default: "80"
run_security_scan:
type: boolean
default: true
jobs:
check:
@@ -26,24 +38,25 @@ jobs:
- name: Install Tools & Deps
run: |
python -m pip install --upgrade pip setuptools wheel
pip install -e .[dev] || pip install -e .[test] || pip install -e .
pip install -e ".[dev]" || pip install -e ".[test]" || pip install -e .
pip install ruff coverage pip-audit bandit
- name: Linting
run: ruff check app tests
run: ruff check ${{ inputs.source_path }} ${{ inputs.tests_path }}
- name: Tests
run: |
${{ inputs.test_command }}
coverage report --fail-under=60
coverage report --fail-under=${{ inputs.coverage_fail_under }}
coverage xml
coverage html
- name: Security Scan
if: ${{ inputs.run_security_scan }}
run: |
pip freeze | grep -v "git+" > req.txt
pip-audit -r req.txt
bandit -r app/
bandit -r ${{ inputs.source_path }}
- name: Upload Coverage HTML
if: always()

38
.gitea/workflows/python-security-checks.yml Normal file
View File

@@ -0,0 +1,38 @@
name: Reusable Python Security Checks
on:
workflow_call:
inputs:
install_command:
type: string
default: 'python -m pip install "bandit[toml]"'
security_command:
type: string
default: "python -m bandit -r app -c pyproject.toml"
working_directory:
type: string
default: "."
secrets:
REGISTRY_USERNAME: { required: true }
REGISTRY_PASSWORD: { required: true }
jobs:
security:
runs-on: docker
container:
image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
credentials:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install security tools
working-directory: ${{ inputs.working_directory }}
run: ${{ inputs.install_command }}
- name: Run security scan
working-directory: ${{ inputs.working_directory }}
run: ${{ inputs.security_command }}