chore: test code cov

.github/workflows/ci.yml

@@ -39,6 +39,12 @@ jobs:
 
       - name: Run checks
         run: make lint
+
+      - name: Run bandit
+        run: make security-check
+
+      - name: Check dependencies
+        run: make dep-cve-check
 
   test:
     runs-on: ubuntu-latest
@@ -57,3 +63,4 @@ jobs:
 
       - name: Run tests
         run: make test
+

.github/workflows/codecov.yml

@@ -0,0 +1,28 @@
+---
+name: Code Coverage Check
+
+on:
+  pull_request:
+    branches: main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out
+        uses: actions/checkout@v3
+
+      - name: Set up poetry and install
+        uses: ./.github/actions/setup-poetry
+        with:
+          python-version: "3.9"
+
+      - name: Run tests
+        run: make test-code-cov
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: coverage
+          path: coverage.xml
+

Makefile

@@ -27,6 +27,20 @@ test:
 	@poetry run pytest --cov --cov-config=pyproject.toml --cov-report=xml
 .PHONY: test
 
+test-code-cov:
+	@poetry run pytest --cov=trestlebot --exitfirst --cov-config=pyproject.toml --cov-report=xml --cov-fail-under=80
+.PHONY: test-code-cov
+
+# https://github.com/python-poetry/poetry/issues/994#issuecomment-831598242
+# Check for CVEs locally. For automated/scheduled checks, use dependabot. 
+dep-cve-check:
+	@poetry export -f requirements.txt --without-hashes | poetry run safety check --stdin
+.PHONY: dep-cve-check
+
+security-check:
+	@poetry run bandit -r $(PYMODULE)
+.PHONY: security-check
+
 build: clean-build
 	@poetry build
 .PHONY: build

pyproject.toml

@@ -29,6 +29,8 @@ flake8 = "^6.0.0"
 black = "^23.3.0"
 mypy = "^1.3.0"
 isort = "^5.12.0"
+safety = "^2.3.5"
+bandit = "^1.7.5"
 
 [tool.poetry.group.tests.dependencies]
 pytest = "^7.3.2"