chore: adds additional project checks for security and code coverage
Adds a workflow to check code coverage and fail if below the threshold
Adds dependency checks with safety
Adds security checks with bandit

Signed-off-by: Jennifer Power <[email protected]>
jpower432 committed Jul 26, 2023
1 parent 12834f9 commit b646ca9
Showing 5 changed files with 252 additions and 4 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -39,6 +39,12 @@ jobs:

- name: Run checks
run: make lint

- name: Run bandit
run: make security-check

- name: Check dependencies
run: make dep-check-cve

test:
runs-on: ubuntu-latest
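Review bot: the new `Check dependencies` step runs `make dep-check-cve`, but the Makefile added in this same commit names the target `dep-cve-check`, so this step will fail with "No rule to make target" on every run; rename one side so the two agree. Also worth flagging for the PR gate: `safety check` compares the exported lock against a public vulnerability database, so this step can start failing on a newly disclosed CVE in an unchanged dependency; the Makefile comment already points at dependabot for scheduled checks, so decide explicitly whether this should hard-fail unrelated PRs.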
Expand All @@ -57,3 +63,4 @@ jobs:

- name: Run tests
run: make test

28 changes: 28 additions & 0 deletions .github/workflows/codecov.yml
@@ -0,0 +1,28 @@
---
name: Code Coverage Check

on:
pull_request:
branches: main

jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Check out
uses: actions/checkout@v3

- name: Set up poetry and install
uses: ./.github/actions/setup-poetry
with:
python-version: "3.8"

- name: Run tests
run: make test-code-cov

- name: Upload artifact
uses: actions/upload-artifact@v2
with:
name: coverage
path: coverage.xml
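Review bot: the workflow declares no top-level `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although it only needs to read the checkout; add `permissions: contents: read` under `name:`. The `Run tests` step here re-runs the suite that ci.yml already executes with `make test` on the same pull request, and `actions/upload-artifact@v2` is a superseded major (v3 was current in 2023); bumping it and pinning both `uses:` references to a commit SHA rather than a moving tag keeps the coverage gate itself from depending on a mutable upstream.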

14 changes: 14 additions & 0 deletions Makefile
Expand Up @@ -27,6 +27,20 @@ test:
@poetry run pytest --cov --cov-config=pyproject.toml --cov-report=xml
.PHONY: test

test-code-cov:
@poetry run pytest --cov=trestlebot --exitfirst --cov-config=pyproject.toml --cov-report=xml --cov-fail-under=85
.PHONY: test-code-cov

# https://github.com/python-poetry/poetry/issues/994#issuecomment-831598242
# Check for CVEs locally. For automated/scheduled checks, use dependabot.
dep-cve-check:
@poetry export -f requirements.txt --without-hashes | poetry run safety check --stdin
.PHONY: dep-cve-check

security-check:
@poetry run bandit
.PHONY: security-check

build: clean-build
@poetry build
.PHONY: build
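Review bot: `security-check` invokes `poetry run bandit` with no target and no `-r`, and bandit refuses to run when neither the command line nor a `.bandit` ini file supplies one, so the step reports an error rather than scanning anything; since `test-code-cov` above already names the package as `trestlebot`, `poetry run bandit -r trestlebot` makes the scanned tree explicit. Two smaller points: `--exitfirst` in `test-code-cov` stops the run at the first failing test, so the `--cov-fail-under=85` check then measures a partial run rather than the suite; and the `dep-cve-check` target name must match the `make dep-check-cve` call in ci.yml, which it currently does not.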
205 changes: 201 additions & 4 deletions poetry.lock


2 changes: 2 additions & 0 deletions pyproject.toml
Expand Up @@ -29,6 +29,8 @@ flake8 = "^6.0.0"
black = "^23.3.0"
mypy = "^1.3.0"
isort = "^5.12.0"
safety = "^2.3.5"
bandit = "^1.7.5"

[tool.poetry.group.tests.dependencies]
pytest = "^7.3.2"
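Review bot: both tools land in the same dependency group as `black`, `mypy` and `isort` (going by the surrounding lines), which keeps them out of the published package, but nothing in this hunk configures them. Since `--cov-config=pyproject.toml` already centralizes tool settings in this file, a `[tool.bandit]` table (read with `bandit -c pyproject.toml`) naming the scanned directory and excluding the tests tree would document what the `security-check` target actually covers.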

0 comments on commit b646ca9
