Skip to content
Python backend

chore: 💚 ci(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 #326

Sign in to view logs

chore: 💚 ci(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0

chore: 💚 ci(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 #326

Workflow file for this run

.github/workflows/python-backend.yaml at 7ebf63d
name : Python backend
on:
pull_request:
branches: [main]
paths:
- 'popupsim/backend/**'
- '.github/workflows/python-backend.yaml'
- '.github/actions/setup-python-**/**'
- 'pyproject.toml'
- 'uv.lock'
push:
branches: [main]
paths:
- 'popupsim/backend/**'
- '.github/actions/setup-python-**/**'
- 'pyproject.toml'
- 'uv.lock'
jobs:
format:
name: Code Formatting
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
- name: Setup Python development environment
uses: ./.github/actions/setup-python-dev
- name: Check code formatting with ruff
run: uv run ruff format --check --diff .
- name: Summary
run: echo "✅ Code formatting check completed" >> $GITHUB_STEP_SUMMARY
if: success()
- name: Summary
run: echo "❌ Code formatting issues found" >> $GITHUB_STEP_SUMMARY
if: failure()
ruff:
name: Ruff Linting
needs: format
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
- name: Setup Python development environment
uses: ./.github/actions/setup-python-dev
- name: Lint with ruff (annotations)
run: uv run ruff check --output-format=github .
- name: Generate SARIF report
run: uv run ruff check --output-format=sarif --exit-zero -o ruff-results.sarif .
if: always()
- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
sarif_file: ruff-results.sarif
if: always()
- name: Summary
run: echo "✅ Ruff linting completed successfully" >> $GITHUB_STEP_SUMMARY
if: success()
- name: Summary
run: echo "⚠️ Ruff found linting issues" >> $GITHUB_STEP_SUMMARY
if: failure()
pylint:
name: Pylint Analysis
needs: format
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
- name: Setup Python development environment
uses: ./.github/actions/setup-python-dev
- name: Lint with pylint (src only)
run: uv run pylint popupsim/backend/src/ --output-format=github,json:pylint-report.json
- name: Upload pylint report
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: pylint-report
path: pylint-report.json
if: always()
- name: Summary
run: echo "✅ Pylint analysis completed successfully" >> $GITHUB_STEP_SUMMARY
if: success()
- name: Summary
run: echo "⚠️ Pylint found code quality issues" >> $GITHUB_STEP_SUMMARY
if: failure()
mypy:
name: Type Checking
needs: format
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
- name: Setup Python development environment
uses: ./.github/actions/setup-python-dev
- name: Add mypy problem matcher
run: echo "::add-matcher::.github/problem-matchers/mypy.json"
- name: Type check with mypy
run: uv run mypy --show-error-codes --no-error-summary --show-column-numbers
- name: Remove mypy problem matcher
run: echo "::remove-matcher owner=mypy::"
if: always()
- name: Generate mypy JSON report
run: uv run mypy --show-error-codes --no-error-summary --output json > mypy-report.json || true
if: always()
- name: Upload mypy report
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: mypy-report
path: mypy-report.json
if: always()
- name: Summary
run: echo "✅ Type checking completed successfully" >> $GITHUB_STEP_SUMMARY
if: success()
- name: Summary
run: echo "⚠️ MyPy found type issues" >> $GITHUB_STEP_SUMMARY
if: failure()
# to be enabled later
# security:
# name: Security Scan
# needs: format
# runs-on: ubuntu-latest
# permissions:
# security-events: write
# steps:
# - name: Harden the runner (Audit all outbound calls)
# uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
# with:
# egress-policy: audit
# - name: Checkout code
# uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
# - name: Check if dependencies exist
# id: check-deps
# run: |
# if grep -q '^dependencies = \[\]$' popupsim/backend/pyproject.toml; then
# echo "has_deps=false" >> $GITHUB_OUTPUT
# else
# echo "has_deps=true" >> $GITHUB_OUTPUT
# fi
# - name: Generate SBOM with Syft
# uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
# if: steps.check-deps.outputs.has_deps == 'true'
# with:
# path: popupsim/backend/src
# format: spdx-json
# artifact-name: sbom.spdx.json
# - name: Scan vulnerabilities with Grype
# uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0
# id: scan
# if: steps.check-deps.outputs.has_deps == 'true'
# with:
# path: sbom.spdx.json
# fail-build: false
# output-format: sarif
# - name: Upload SARIF results
# uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
# with:
# sarif_file: ${{ steps.scan.outputs.sarif }}
# if: steps.check-deps.outputs.has_deps == 'true' && always()
# - name: Upload security reports
# uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
# with:
# name: security-reports
# path: |
# sbom.json
# grype-report.json
# if: steps.check-deps.outputs.has_deps == 'true' && always()
# - name: Summary
# run: |
# if [ "${{ steps.check-deps.outputs.has_deps }}" = "true" ]; then
# echo "✅ No security vulnerabilities found" >> $GITHUB_STEP_SUMMARY
# else
# echo "ℹ️ Security scan skipped - no dependencies to scan" >> $GITHUB_STEP_SUMMARY
# fi
# if: success()
# - name: Summary
# run: echo "⚠️ Security vulnerabilities detected" >> $GITHUB_STEP_SUMMARY
# if: failure()
test:
name: Tests & Coverage
needs: format
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v6.0.1
- name: Setup Python development environment
uses: ./.github/actions/setup-python-dev
- name: Test with pytest
run: |
if [ -d "popupsim/backend/tests" ] && [ "$(find popupsim/backend/tests -name '*.py' -type f | wc -l)" -gt 0 ]; then
echo "Running tests with expected failures marked as xfail..."
uv run pytest --tb=short -v
else
echo "No tests found, skipping pytest"
exit 0
fi
shell: bash
- name: Upload coverage reports
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
if: hashFiles('coverage.xml') != ''
with:
files: coverage.xml
fail_ci_if_error: false
flags: backend
name: backend-coverage
- name: Summary
run: echo "✅ Tests completed successfully" >> $GITHUB_STEP_SUMMARY
if: success()
- name: Summary
run: echo "❌ Some tests failed" >> $GITHUB_STEP_SUMMARY
if: failure()