py-ocsf-models/.github/workflows/pull-request.yml at ca166594afd1d5b6de89da886995da3229c3c497 · prowler-cloud/py-ocsf-models · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
name: PR - Lint and Test

permissions:
  contents: read
  pull-requests: write

on:
  push:
    branches:
      - "main"
  pull_request:
    branches:
      - "main"

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            auth.safetycli.com:443
            cli.codecov.io:443
            data.safetycli.com:443
            files.pythonhosted.org:443
            github.com:443
            ingest.codecov.io:443
            keybase.io:443
            o26192.ingest.us.sentry.io:443
            pypi.org:443
            pyup.io:443
            release-assets.githubusercontent.com:443
            schema.ocsf.io:443
            storage.googleapis.com:443

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install poetry
        run: |
          python -m pip install --upgrade pip
          pipx install poetry

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"

      - name: Install dependencies
        run: |
          poetry install
          poetry run pip install --upgrade pip
          poetry run pip list

      - name: Poetry check
        run: |
          poetry check --lock

      - name: Lint with flake8
        run: |
          poetry run flake8 . --ignore=E501,W503

      - name: Lint with ruff
        uses: astral-sh/ruff-action@4919ec5cf1f49eff0871dbcea0da843445b837e6 # v3.6.1

      - name: Checking format with black
        run: |
          poetry run black --check .

      - name: Lint with pylint
        run: |
          poetry run pylint --disable=W,C,R,E -j 0 -rn -sn py_ocsf_models/

      - name: Check types with mypy
        run: |
          poetry run mypy --strict py_ocsf_models/

      - name: Bandit
        run: |
          poetry run bandit -q -lll -x './tests' -r .

      - name: Safety
        run: |
          # 82754: filelock TOCTOU symlink (CVE-2025-68146), fix requires Python >=3.10
          # 84183: filelock lock mechanism (PVE-2026-84183), fix requires Python >=3.10
          # 83159: marshmallow data conversion (CVE-2025-68480), fix requires Python >=3.10
          # 84415: filelock TOCTOU race condition (CVE-2026-22701), fix requires Python >=3.10
          poetry run safety check \
            --ignore 82754 \
            --ignore 84183 \
            --ignore 83159 \
            --ignore 84415

      - name: Vulture
        run: |
          poetry run vulture --min-confidence 100 .

      - name: Test with pytest
        run: |
          poetry run pytest -n auto --cov=./py_ocsf_models --cov-report=xml tests

      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        with:
          token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
          slug: prowler-cloud/py-ocsf-models