Pylint updates, CI workflows, attrs updates

.github/workflows/codeql.yml

@@ -0,0 +1,59 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main", "development"]
+  pull_request:
+    branches: ["main", "development"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript", "python"]
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/github-actions-ansible-lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 #v5.4.0
         with:
-          python-version: '3.x'
+          python-version: '3.10'
 
       - name: Install dependencies
         run: |

.github/workflows/github-actions-code-coverage.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 #v5.4.0
         with:
-          python-version: '3.x'
+          python-version: '3.10'
 
       - name: Install dependencies
         run: |
@@ -30,6 +30,10 @@ jobs:
         run: |
           pytest --cov=src/ --cov-fail-under=85 --cov-report=xml tests/
 
+      - name: Run pylint
+        run: |
+          pylint --load-plugins=pylint.extensions.docparams --fail-under=9 --disable=R $(git ls-files '*.py') --rcfile=./pyproject.toml
+
       - name: Check code formatting with black
         run: |
           black --check src/ tests/ --config pyproject.toml

.github/workflows/ossf-scoreboard.yml

@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '32 4 * * 5'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: readhttps://github.com/hdamecharla/sap-automation-kimforss/tree/main
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          sarif_file: results.sarif

.github/workflows/trivy.yml

@@ -0,0 +1,43 @@
+---
+  name: trivy
+
+  on:
+    pull_request:
+      types: [ 'opened', 'reopened', 'synchronize' ]
+    merge_group:
+    workflow_dispatch:
+
+
+  permissions:
+    actions: read
+    contents: read
+    security-events: write
+
+  jobs:
+    build:
+      name: 'trivy scan'
+      runs-on: ubuntu-latest
+      steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Trivy vulnerability scanner (file system)
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          scan-ref: .
+          format: 'sarif'
+          scanners: 'vuln,secret,config'
+          output: report-fs.sarif
+
+      - name: Upload Trivy report (fs) GitHub Security
+        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        with:
+          sarif_file: report-fs.sarif
+          category: 'fs'

pyproject.toml

@@ -7,43 +7,62 @@ load-plugins = ["pylint.extensions.docparams"]
 [tool.pylint.basic]
 argument-naming-style = "snake_case"
 attr-naming-style = "snake_case"
-bad-names = ["foo", "bar", "baz", "toto", "tutu", "tata"]
 class-naming-style = "PascalCase"
-docstring-min-length = 10
 function-naming-style = "snake_case"
 variable-naming-style = "snake_case"
-
+module-naming-style = "snake_case"
+bad-names = ["foo", "bar", "baz", "toto", "tutu", "tata"]
+docstring-min-length = 10
 
 [tool.pylint.format]
 max-line-length = 100
 max-module-lines = 1000
 
+[tool.pylint.docs]
+docstring-style = "sphinx"
+default-docstring-type = "sphinx"
+accept-no-param-doc = false
+accept-no-raise-doc = false
+accept-no-return-doc = false
+accept-no-yields-doc = false
+
 [tool.pylint."messages control"]
 enable = [
-    "C0116",
-    "C0115",
-    "C0114",
-    "C0301",
-    "E1101",
-    "W0611",
+    "missing-module-docstring",
+    "missing-class-docstring",
+    "wrong-exception-operation",
+    "wrong-spelling-in-comment",
+    "wrong-spelling-in-docstring",
+    "missing-any-param-doc",
+    "missing-format-attribute",
+    "missing-kwoa",
+    "missing-param-doc",
+    "missing-parentheses-for-call-in-test",
+    "missing-raises-doc",
+    "missing-return-doc",
+    "missing-return-type-doc",
+    "missing-timeout",
+    "missing-type-doc",
+    "missing-yield-doc",
+    "missing-yield-type-doc",
+    "trailing-newlines",
+    "trailing-whitespace",
 ]
 disable = [
+    "C0199",  # empty-first-line-docstring
     "W0702",  # bare-except
     "W0703",  # broad-except
     "W4901",  # global-statement
-    "R0902",  # too-many-instance-attributes
-    "R0903",  # too-few-public-methods
-    "R1702",
-    "R0801",
-    "W0108"
+    "W0108",  # lambda
+    "W0622",  # redefined-builtin id
+    "E0015",
+    "E0401",  # import-error
+    "E0611",  # no-name-in-module
 ]
 
 [tool.pylint.design]
 max-args = 5
 
-[tool.pylint.docs]
-docstring-min-length = 10
-
 [tool.pylint.variables]
 init-import = false
 dummy-variables-rgx = "_.*|dummy"
@@ -56,3 +75,20 @@ enable = [
     "E1101",
     "W0611",
 ]
+
+[tool.pylint.tests]
+disable = [
+    "W0702",  # bare-except
+    "W0703",  # broad-except
+    "W4901",  # global-statement
+    "R0902",  # too-many-instance-attributes
+    "R0903",  # too-few-public-methods
+    "R1702",  # too-many-nested-blocks
+    "R0801",  # duplicate-code
+    "W0108",  # lambda
+    "E0401",  # import-error
+    "W0613",  # unused-argument
+    "W0212",  # protected-access
+    "W0107",  # unnecessary-pass
+    "C0103"  # invalid-name
+]

requirements.txt

@@ -2,6 +2,7 @@ ansible-compat==24.6.1
 ansible-core==2.17.7
 ansible-lint==24.6.1
 ansible-runner==2.4.0
+astroid==2.9.0
 attrs==25.1.0
 azure-common==1.1.28
 azure-core==1.32.0
@@ -27,13 +28,17 @@ ijson==3.3.0
 importlib_metadata==8.6.1
 iniconfig==2.0.0
 isodate==0.7.2
+isort==5.13.2
 Jinja2==3.1.6
 jsonschema==4.23.0
 jsonschema-specifications==2024.10.1
+lazy-object-proxy==1.10.0
 lockfile==0.12.2
 markdown-it-py==3.0.0
 MarkupSafe==3.0.2
+mccabe==0.6.1
 mdurl==0.1.2
+mock==5.1.0
 msal==1.31.1
 msal-extensions==1.2.0
 mypy-extensions==1.0.0
@@ -49,6 +54,7 @@ ptyprocess==0.7.0
 pycparser==2.22
 Pygments==2.19.1
 PyJWT==2.10.1
+pylint==2.12.2
 pytest==8.3.4
 pytest-cov==6.0.0
 pytest-mock==3.14.0
@@ -66,10 +72,12 @@ ruamel.yaml.clib==0.2.12
 six==1.17.0
 subprocess-tee==0.4.2
 tenacity==9.0.0
+toml==0.10.2
 tomli==2.2.1
 typing_extensions==4.12.2
 tzdata==2025.1
 urllib3==2.2.2
 wcmatch==10.0
+wrapt==1.13.3
 yamllint==1.35.1
 zipp==3.21.0

src/module_utils/get_cluster_status.py

@@ -117,8 +117,8 @@ def run(self) -> Dict[str, str]:
                 self.result["message"] = "Pacemaker cluster isn't stable"
                 self.log(logging.WARNING, self.result["message"])
 
-        except Exception as e:
-            self.handle_error(e)
+        except Exception as ex:
+            self.handle_error(ex)
 
         self.result["end"] = datetime.now()
         self.result["status"] = TestStatus.SUCCESS.value