pylint updates, worklflows added, HANA RHEL attrs updated

Add astroid dependency to requirements.txt

Update py dependency versions and add new dependencies to requirements.txt

Update Python version to 3.10 in GitHub Actions workflows

Update GitHub Actions workflows to use latest actions and remove pull request trigger from OSSF scoreboard

Update GitHub Actions workflows to use specific versions of actions and streamline permissions

Author: devanshjainms

.github/workflows/codeql.yml

@@ -0,0 +1,59 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main", "development"]
+  pull_request:
+    branches: ["main", "development"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript", "python"]
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/github-actions-ansible-lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 #v5.4.0
         with:
-          python-version: '3.x'
+          python-version: '3.10'
 
       - name: Install dependencies
         run: |

.github/workflows/github-actions-code-coverage.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 #v5.4.0
         with:
-          python-version: '3.x'
+          python-version: '3.10'
 
       - name: Install dependencies
         run: |
@@ -30,6 +30,10 @@ jobs:
         run: |
           pytest --cov=src/ --cov-fail-under=85 --cov-report=xml tests/
 
+      - name: Run pylint
+        run: |
+          pylint --load-plugins=pylint.extensions.docparams --fail-under=9 --disable=R $(git ls-files '*.py') --rcfile=./pyproject.toml
+
       - name: Check code formatting with black
         run: |
           black --check src/ tests/ --config pyproject.toml

.github/workflows/ossf-scoreboard.yml

@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '32 4 * * 5'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -0,0 +1,43 @@
+---
+  name: trivy
+
+  on:
+    pull_request:
+      types: [ 'opened', 'reopened', 'synchronize' ]
+    merge_group:
+    workflow_dispatch:
+
+
+  permissions:
+    actions: read
+    contents: read
+    security-events: write
+
+  jobs:
+    build:
+      name: 'trivy scan'
+      runs-on: ubuntu-latest
+      steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Trivy vulnerability scanner (file system)
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          scan-ref: .
+          format: 'sarif'
+          scanners: 'vuln,secret,config'
+          output: report-fs.sarif
+
+      - name: Upload Trivy report (fs) GitHub Security
+        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          sarif_file: report-fs.sarif
+          category: 'fs'

pyproject.toml

@@ -7,43 +7,62 @@ load-plugins = ["pylint.extensions.docparams"]
 [tool.pylint.basic]
 argument-naming-style = "snake_case"
 attr-naming-style = "snake_case"
-bad-names = ["foo", "bar", "baz", "toto", "tutu", "tata"]
 class-naming-style = "PascalCase"
-docstring-min-length = 10
 function-naming-style = "snake_case"
 variable-naming-style = "snake_case"
-
+module-naming-style = "snake_case"
+bad-names = ["foo", "bar", "baz", "toto", "tutu", "tata"]
+docstring-min-length = 10
 
 [tool.pylint.format]
 max-line-length = 100
 max-module-lines = 1000
 
+[tool.pylint.docs]
+docstring-style = "sphinx"
+default-docstring-type = "sphinx"
+accept-no-param-doc = false
+accept-no-raise-doc = false
+accept-no-return-doc = false
+accept-no-yields-doc = false
+
 [tool.pylint."messages control"]
 enable = [
-    "C0116",
-    "C0115",
-    "C0114",
-    "C0301",
-    "E1101",
-    "W0611",
+    "missing-module-docstring",
+    "missing-class-docstring",
+    "wrong-exception-operation",
+    "wrong-spelling-in-comment",
+    "wrong-spelling-in-docstring",
+    "missing-any-param-doc",
+    "missing-format-attribute",
+    "missing-kwoa",
+    "missing-param-doc",
+    "missing-parentheses-for-call-in-test",
+    "missing-raises-doc",
+    "missing-return-doc",
+    "missing-return-type-doc",
+    "missing-timeout",
+    "missing-type-doc",
+    "missing-yield-doc",
+    "missing-yield-type-doc",
+    "trailing-newlines",
+    "trailing-whitespace",
 ]
 disable = [
+    "C0199",  # empty-first-line-docstring
     "W0702",  # bare-except
     "W0703",  # broad-except
     "W4901",  # global-statement
-    "R0902",  # too-many-instance-attributes
-    "R0903",  # too-few-public-methods
-    "R1702",
-    "R0801",
-    "W0108"
+    "W0108",  # lambda
+    "W0622",  # redefined-builtin id
+    "E0015",
+    "E0401",  # import-error
+    "E0611",  # no-name-in-module
 ]
 
 [tool.pylint.design]
 max-args = 5
 
-[tool.pylint.docs]
-docstring-min-length = 10
-
 [tool.pylint.variables]
 init-import = false
 dummy-variables-rgx = "_.*|dummy"
@@ -56,3 +75,20 @@ enable = [
     "E1101",
     "W0611",
 ]
+
+[tool.pylint.tests]
+disable = [
+    "W0702",  # bare-except
+    "W0703",  # broad-except
+    "W4901",  # global-statement
+    "R0902",  # too-many-instance-attributes
+    "R0903",  # too-few-public-methods
+    "R1702",  # too-many-nested-blocks
+    "R0801",  # duplicate-code
+    "W0108",  # lambda
+    "E0401",  # import-error
+    "W0613",  # unused-argument
+    "W0212",  # protected-access
+    "W0107",  # unnecessary-pass
+    "C0103"  # invalid-name
+]

requirements.txt

@@ -2,6 +2,7 @@ ansible-compat==24.6.1
 ansible-core==2.17.7
 ansible-lint==24.6.1
 ansible-runner==2.4.0
+astroid==2.9.0
 attrs==25.1.0
 azure-common==1.1.28
 azure-core==1.32.0
@@ -27,13 +28,17 @@ ijson==3.3.0
 importlib_metadata==8.6.1
 iniconfig==2.0.0
 isodate==0.7.2
+isort==5.13.2
 Jinja2==3.1.6
 jsonschema==4.23.0
 jsonschema-specifications==2024.10.1
+lazy-object-proxy==1.10.0
 lockfile==0.12.2
 markdown-it-py==3.0.0
 MarkupSafe==3.0.2
+mccabe==0.6.1
 mdurl==0.1.2
+mock==5.1.0
 msal==1.31.1
 msal-extensions==1.2.0
 mypy-extensions==1.0.0
@@ -49,6 +54,7 @@ ptyprocess==0.7.0
 pycparser==2.22
 Pygments==2.19.1
 PyJWT==2.10.1
+pylint==2.12.2
 pytest==8.3.4
 pytest-cov==6.0.0
 pytest-mock==3.14.0
@@ -66,10 +72,12 @@ ruamel.yaml.clib==0.2.12
 six==1.17.0
 subprocess-tee==0.4.2
 tenacity==9.0.0
+toml==0.10.2
 tomli==2.2.1
 typing_extensions==4.12.2
 tzdata==2025.1
 urllib3==2.2.2
 wcmatch==10.0
+wrapt==1.13.3
 yamllint==1.35.1
 zipp==3.21.0

src/module_utils/get_cluster_status.py

@@ -117,8 +117,8 @@ def run(self) -> Dict[str, str]:
                 self.result["message"] = "Pacemaker cluster isn't stable"
                 self.log(logging.WARNING, self.result["message"])
 
-        except Exception as e:
-            self.handle_error(e)
+        except Exception as ex:
+            self.handle_error(ex)
 
         self.result["end"] = datetime.now()
         self.result["status"] = TestStatus.SUCCESS.value

src/module_utils/sap_automation_qa.py

@@ -3,7 +3,6 @@
 and setup base variables for the test case running in the sap-automation-qa
 """
 
-import os
 from abc import ABC
 from enum import Enum
 import sys
@@ -153,12 +152,12 @@ def execute_command_subprocess(self, command: str, shell_command: bool = False)
             stdout = command_output.stdout.decode("utf-8")
             stderr = command_output.stderr.decode("utf-8")
             return stdout if not stderr else stderr
-        except subprocess.TimeoutExpired as e:
-            self.handle_error(e, "Command timed out")
-        except subprocess.CalledProcessError as e:
-            self.handle_error(e, e.stderr.decode("utf-8").strip())
-        except Exception as e:
-            self.handle_error(e, "")
+        except subprocess.TimeoutExpired as ex:
+            self.handle_error(ex, "Command timed out")
+        except subprocess.CalledProcessError as ex:
+            self.handle_error(ex, ex.stderr.decode("utf-8").strip())
+        except Exception as ex:
+            self.handle_error(ex, "")
         return ""
 
     def parse_xml_output(self, xml_output: str) -> Optional[ET.Element]: