Workflows/SharedWorkflows
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: Workflows:v1.4.0
Branches Tags
Workflows:main
Workflows:v1.5.2 Workflows:v1.5.1 Workflows:v1.5.0 Workflows:v1.4.1 Workflows:v1.4.0 Workflows:v1.2.0 Workflows:v1.1.3 Workflows:v1.1.2 Workflows:v1.1.1 Workflows:v1.1.0 Workflows:v1.0.0
..
compare: Workflows:v1.5.2
Branches Tags
Workflows:main
Workflows:v1.5.2 Workflows:v1.5.1 Workflows:v1.5.0 Workflows:v1.4.1 Workflows:v1.4.0 Workflows:v1.2.0 Workflows:v1.1.3 Workflows:v1.1.2 Workflows:v1.1.1 Workflows:v1.1.0 Workflows:v1.0.0

3 Commits
v1.4.0 ... v1.5.2

Author SHA1 Message Date
dresber
364171ebca fix(python-security-checks): use custom runner image instead of python slim 
python:3.14-slim has no Node.js so actions/checkout@v4 fails with
'node: executable file not found in PATH'. Switch to the same
gitea_runner_python314 custom image used by python-checks.yml which
has both Python 3.14 and Node.js. Drop the python_version input as it
no longer drives the container selection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-30 14:43:38 +02:00
dresber
2be1150eec feat: add python-security-checks reusable workflow 
Dedicated security-only workflow using python:VERSION-slim.
Runs Bandit (or any security tool) without pytest or coverage.
Supports python_version, install_command, security_command,
and working_directory inputs with sensible defaults.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-28 20:43:00 +02:00
dresber
1434f75112 fix: fetch commit subject via Gitea API instead of git log 
Notification job had no checkout step so git log always failed,
producing "Commit info unavailable". Now uses the existing
API_GITEA_TOKEN and gitea.sha context to fetch the commit message
from the Gitea API directly.

Also raises default coverage threshold in python-checks to 80%.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-27 22:01:55 +02:00
3 changed files with 44 additions and 2 deletions
Expand all files Collapse all files

6
.gitea/workflows/notifications.yml
View File

@@ -147,7 +147,11 @@ jobs:
exit 0 exit 0
fi fi
COMMIT_SUBJECT="$(git log -1 --pretty=%s 2>/dev/null || echo 'Commit info unavailable')" COMMIT_SUBJECT="$(curl -fsS \
-H "Authorization: Bearer ${{ secrets.API_GITEA_TOKEN }}" \
"${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/git/commits/${{ gitea.sha }}" \
| python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('RepoCommit',{}).get('message','').split('\n')[0])" \
2>/dev/null || echo 'Commit info unavailable')"
RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}" RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}"
cat <<EOF >/tmp/ntfy-payload.json cat <<EOF >/tmp/ntfy-payload.json

2
.gitea/workflows/python-checks.yml
View File

@@ -17,7 +17,7 @@ on:
default: "coverage run -m pytest" default: "coverage run -m pytest"
coverage_fail_under: coverage_fail_under:
type: string type: string
default: "60" default: "80"
run_security_scan: run_security_scan:
type: boolean type: boolean
default: true default: true

38
.gitea/workflows/python-security-checks.yml Normal file
View File

@@ -0,0 +1,38 @@
name: Reusable Python Security Checks
on:
workflow_call:
inputs:
install_command:
type: string
default: 'python -m pip install "bandit[toml]"'
security_command:
type: string
default: "python -m bandit -r app -c pyproject.toml"
working_directory:
type: string
default: "."
secrets:
REGISTRY_USERNAME: { required: true }
REGISTRY_PASSWORD: { required: true }
jobs:
security:
runs-on: docker
container:
image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
credentials:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install security tools
working-directory: ${{ inputs.working_directory }}
run: ${{ inputs.install_command }}
- name: Run security scan
working-directory: ${{ inputs.working_directory }}
run: ${{ inputs.security_command }}