Skip to content
Lint & Security

Initial Opensource release #6

Sign in to view logs

Initial Opensource release

Initial Opensource release #6

Workflow file for this run

.github/workflows/lint.yml at 847d734
name: Lint & Security
on:
push:
branches: ["main", "master"]
pull_request:
branches: ["main", "master"]
jobs:
ruff:
name: Ruff (lint + format)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install ruff
run: pip install ruff
- name: Lint
run: ruff check src/
- name: Format check
run: ruff format --check src/
bandit:
name: Bandit (security)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install bandit
run: pip install "bandit[toml]"
- name: Run bandit
run: bandit -r src/ -c pyproject.toml --format json -o bandit-report.json --exit-zero
- name: Print bandit report
if: always()
run: |
if [ -f bandit-report.json ]; then
python - <<'EOF'
import json, sys
with open("bandit-report.json") as f:
r = json.load(f)
issues = r.get("results", [])
if not issues:
print("No security issues found.")
sys.exit(0)
for i in issues:
sev = i["issue_severity"]
conf = i["issue_confidence"]
text = i["issue_text"]
loc = f"{i['filename']}:{i['line_number']}"
print(f"[{sev}/{conf}] {loc}: {text}")
high = [i for i in issues if i["issue_severity"] == "HIGH"]
if high:
print(f"\n{len(high)} HIGH severity issue(s) found - failing.")
sys.exit(1)
EOF
fi
- name: Upload bandit report
if: always()
uses: actions/upload-artifact@v4
with:
name: bandit-report
path: bandit-report.json
if-no-files-found: ignore