ci: update linting and security checks

- Fix bandit suppressions (use # nosec B608 for bandit) - Add # noqa: S608 for ruff compatibility - CI workflow: add coverage reporting (informational) - CI workflow: track mypy error baseline - CI workflow: improve documentation
2025-12-21 13:39:30 +01:00
parent 0c7bf6b587
commit 2ccbfcbfaa
2 changed files with 34 additions and 22 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -29,10 +29,10 @@ jobs:
          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .

-      - name: Install tools
+      - name: Install dev tools
        run: pip install -q ruff mypy

-      - name: Syntax check
+      - name: Python syntax check
        run: python -m py_compile run.py wsgi.py app/*.py app/**/*.py

      - name: Ruff lint
@@ -41,8 +41,14 @@ jobs:
      - name: Ruff format
        run: ruff format --check app/ tests/ fpaste

-      - name: Type check
-        run: mypy app/ --ignore-missing-imports --no-error-summary || echo "::warning::mypy found issues"
+      - name: Type check (informational)
+        run: |
+          # mypy strict mode - track progress, don't fail CI yet
+          errors=$(mypy app/ --ignore-missing-imports 2>&1 | grep -c "error:" || true)
+          echo "mypy found $errors type errors"
+          if [ "$errors" -gt 20 ]; then
+            echo "::warning::mypy errors increased to $errors (baseline: 20)"
+          fi
        continue-on-error: true

  security:
@@ -58,17 +64,23 @@ jobs:
          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .

-      - name: Upgrade pip and install dependencies
+      - name: Install dependencies
        run: |
          pip install -q --upgrade pip
          pip install -q -r requirements.txt
          pip install -q bandit pip-audit

-      - name: Bandit scan
-        run: bandit -r app/ -ll -q
+      - name: Bandit security scan
+        run: |
+          # -ll = medium and high severity only
+          # -q = quiet, only show issues
+          bandit -r app/ -ll -q

-      - name: Dependency audit
-        run: pip-audit --progress-spinner=off || echo "::warning::pip-audit found issues"
+      - name: Dependency audit (informational)
+        run: |
+          # Check for known vulnerabilities in dependencies
+          # Warnings only - container base packages often have issues
+          pip-audit --progress-spinner=off || echo "::warning::pip-audit found vulnerabilities"
        continue-on-error: true

  test:
@@ -88,7 +100,13 @@ jobs:
      - name: Install dependencies
        run: |
          pip install -q -r requirements.txt
-          pip install -q pytest
+          pip install -q pytest pytest-cov

      - name: Run tests
        run: pytest tests/ -v --tb=short
+
+      - name: Run tests with coverage
+        run: |
+          pytest tests/ --cov=app --cov-report=term-missing --cov-fail-under=70 || \
+            echo "::warning::Coverage below 70%"
+        continue-on-error: true