[PATCH] improvements for CI and Bandit GHA workflows (- WIP PR #118 -)

Changes in file .github/workflows/Tests.yml:
 - tweaked optional extra installs for TOX

Changes in file .github/workflows/bandit.yml:
 - lowered alert threshold to tighten security

Author: reactive-firewall

.github/workflows/Tests.yml

@@ -702,6 +702,9 @@ jobs:
       OS: 'ubuntu-latest'
       PYTHON_VERSION: '3.12'
       LANG: 'en_US.utf-8'
+      CODECLIMATE_REPO_TOKEN: ${{ secrets.CODECLIMATE_TOKEN }}
+      CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
     steps:
     - uses: actions/checkout@v4
@@ -712,7 +715,7 @@ jobs:
     - name: Prep Testing Tox
       id: prep-tox
       run: |
-        if [ "$OS" == "ubuntu-latest" ] ; then { apt-get update || true ;} && { apt-get install --assume-yes python python3.6 python3.7 python3.8 python3.9 python3.10 python3.11 || echo "::warning file=.github/workflows/Tests.yml,line=558,endLine=560,title=SKIPPED::SKIP Enhanced TOX Tests." ;} ; fi
+        if [ "$OS" == "ubuntu-latest" ] ; then { apt-get update || true ;} ; wait ; { apt-get install --assume-yes python python3.6 python3.7 python3.8 python3.9 python3.10 python3.11 || echo "::warning file=.github/workflows/Tests.yml,line=715,endLine=718,title=SKIPPED::SKIP Enhanced TOX Tests." ;} ; wait ; fi
     - name: Install dependencies for Tox
       run: |
         pip install --upgrade "pip>=21.0" "setuptools>=45.0" "wheel>=0.37" "build>=1.0.1";

.github/workflows/bandit.yml

@@ -16,7 +16,7 @@ on:
     branches: [ "master", "stable", feature-*, HOTFIX-* ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "master" ]
+    branches: [ "master", "stable" ]
 
 permissions: {}
 
@@ -25,7 +25,6 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-    
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -39,7 +38,7 @@ jobs:
           # File or directory to run bandit on
           path: "." # optional, default is .
           # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          level: high # optional, default is UNDEFINED
+          level: medium # optional, default is UNDEFINED
           # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
           confidence: high # optional, default is UNDEFINED
           # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)