AbsaOSS · tmikula-dev · Nov 4, 2025 · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025
@@ -0,0 +1,93 @@
+name: Static Docker Check
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  push:
+    branches: [ master ]
+  workflow_dispatch:
+
+concurrency:
+  group: static-docker-check-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  detect:
+    name: Docker changes detection
+    runs-on: ubuntu-latest
+    outputs:
+      docker_changed: ${{ steps.changes.outputs.docker_changed }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Check if docker file changed
+        id: changes
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            RANGE="${{ github.event.pull_request.base.sha }}...${{ github.sha }}"
+          else
+            RANGE="${{ github.sha }}~1...${{ github.sha }}"
+          fi
+          if git diff --name-only "$RANGE" | grep -qE '^Dockerfile$'; then
+            echo "docker_changed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "docker_changed=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  trivy-docker:
+    name: Trivy Security Scan for Docker
+    needs: detect
+    if: needs.detect.outputs.docker_changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Setup Trivy
+        uses: aquasecurity/setup-trivy@v0.2.4
+
+      - name: Build image
+        run: docker build -t local-docker-scan .
+
+      - name: Trivy config scan (Dockerfile)
+        run: |
+          trivy config Dockerfile \
+            --format sarif \
+            --output $GITHUB_WORKSPACE/trivy_dockerfile.sarif
+
+      - name: Upload Dockerfile SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: ${{ github.workspace }}/trivy_dockerfile.sarif
+
+      - name: Trivy image scan
+        run: |
+          trivy image local-docker-scan \
+            --format sarif \
+            --scanners vuln,secret,license \
+            --output $GITHUB_WORKSPACE/trivy_image.sarif
+
+      - name: Upload Image SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: ${{ github.workspace }}/trivy_image.sarif
+
+  noop:
+    name: No Operation
+    needs: detect
+    if: needs.detect.outputs.docker_changed != 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "No changes in the Dockerfile — passing."
@@ -0,0 +1,188 @@
+name: Static Python Check
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  push:
+    branches: [ master ]
+  workflow_dispatch:
+
+concurrency:
+  group: static-python-check-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  detect:
+    name: Python Changes Detection
+    runs-on: ubuntu-latest
+    outputs:
+      python_changed: ${{ steps.changes.outputs.python_changed }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Check if Python files changed
+        id: changes
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            RANGE="${{ github.event.pull_request.base.sha }}...${{ github.sha }}"
+          else
+            RANGE="${{ github.sha }}~1...${{ github.sha }}"
+          fi
+          if git diff --name-only "$RANGE" | grep -qE '^(src|tests)/'; then
+            echo "python_changed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "python_changed=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  pylint-analysis:
+    name: Pylint Static Code Analysis
+    needs: detect
+    if: needs.detect.outputs.python_changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Analyze code with Pylint
+        id: analyze-code
+        run: |
+          pylint_score=$(pylint $(git ls-files '*.py')| grep 'rated at' | awk '{print $7}' | cut -d'/' -f1)
+          echo "PYLINT_SCORE=$pylint_score" >> $GITHUB_ENV
+
+      - name: Check Pylint score
+        run: |
+          if (( $(echo "$PYLINT_SCORE < 9.5" | bc -l) )); then
+            echo "Failure: Pylint score is below 9.5 (project score: $PYLINT_SCORE)."
+            exit 1
+          else
+            echo "Success: Pylint score is above 9.5 (project score: $PYLINT_SCORE)."
+          fi
+
+  black-check:
+    name: Black Format Check
+    needs: detect
+    if: needs.detect.outputs.python_changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Check code format with Black
+        id: check-format
+        run: black --check $(git ls-files '*.py')
+
+  pytest-test:
+    name: Pytest Unit Tests with Coverage
+    needs: detect
+    if: needs.detect.outputs.python_changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+
+      - name: Install Python dependencies
+        run: pip install -r requirements.txt
+
+      - name: Check code coverage with Pytest
+        run: pytest --cov=. -v tests/ --cov-fail-under=80
+
+  mypy-check:
+    name: Mypy Type Check
+    needs: detect
+    if: needs.detect.outputs.python_changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Check types with Mypy
+        id: check-types
+        run: mypy .
+
+  trivy-python:
+    name: Trivy Security Scan for Python
+    needs: detect
+    if: needs.detect.outputs.python_changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Setup Trivy
+        uses: aquasecurity/setup-trivy@v0.2.4
+
+      - name: Trivy security scan
+        run: |
+          trivy fs src tests \
+            --format sarif \
+            --scanners vuln,secret,misconfig,license \
+            --output $GITHUB_WORKSPACE/trivy_python.sarif
+
+      - name: Upload Trivy SARIF file
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: ${{ github.workspace }}/trivy_python.sarif
+
+  noop:
+    name: No Operation
+    needs: detect
+    if: needs.detect.outputs.python_changed != 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "No changes under src/ nor tests/ — passing."