mirror of
https://github.com/MODSetter/SurfSense.git
synced 2026-04-25 00:36:31 +02:00
216 lines
No EOL
8 KiB
YAML
216 lines
No EOL
8 KiB
YAML
name: Code Quality Checks
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main, dev]
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
file-quality:
|
|
name: File Quality Checks
|
|
runs-on: ubuntu-latest
|
|
if: github.event.pull_request.draft == false
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Fetch base branch
|
|
run: |
|
|
# Ensure we have the base branch reference for comparison
|
|
git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} 2>/dev/null || git fetch origin ${{ github.base_ref }} 2>/dev/null || true
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install pre-commit
|
|
run: pip install pre-commit
|
|
|
|
- name: Cache pre-commit hooks
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.cache/pre-commit
|
|
key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
|
|
restore-keys: |
|
|
pre-commit-
|
|
|
|
- name: Install hook environments (cache)
|
|
run: pre-commit install-hooks
|
|
|
|
- name: Run file quality checks on changed files
|
|
run: |
|
|
# Use pre-commit's native diff detection to run only on changed files
|
|
if git show-ref --verify --quiet refs/heads/${{ github.base_ref }}; then
|
|
echo "Running pre-commit with native diff detection against ${{ github.base_ref }} branch"
|
|
pre-commit run --from-ref ${{ github.base_ref }} --to-ref HEAD \
|
|
check-yaml check-json check-toml check-merge-conflict \
|
|
check-added-large-files debug-statements check-case-conflict
|
|
elif git show-ref --verify --quiet refs/remotes/origin/${{ github.base_ref }}; then
|
|
echo "Running pre-commit with native diff detection against origin/${{ github.base_ref }}"
|
|
pre-commit run --from-ref origin/${{ github.base_ref }} --to-ref HEAD \
|
|
check-yaml check-json check-toml check-merge-conflict \
|
|
check-added-large-files debug-statements check-case-conflict
|
|
else
|
|
echo "Base branch reference not found, running pre-commit on all files"
|
|
echo "⚠️ This may take longer and show more issues than normal"
|
|
pre-commit run --all-files \
|
|
check-yaml check-json check-toml check-merge-conflict \
|
|
check-added-large-files debug-statements check-case-conflict
|
|
fi
|
|
|
|
security-scan:
|
|
name: Security Scan
|
|
runs-on: ubuntu-latest
|
|
if: github.event.pull_request.draft == false
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Fetch base branch
|
|
run: |
|
|
git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} 2>/dev/null || git fetch origin ${{ github.base_ref }} 2>/dev/null || true
|
|
|
|
- name: Get changed files
|
|
id: changed-files
|
|
run: |
|
|
if git show-ref --verify --quiet refs/heads/${{ github.base_ref }}; then
|
|
BASE_REF="${{ github.base_ref }}"
|
|
elif git show-ref --verify --quiet refs/remotes/origin/${{ github.base_ref }}; then
|
|
BASE_REF="origin/${{ github.base_ref }}"
|
|
else
|
|
echo "changed_files=all" >> $GITHUB_OUTPUT
|
|
exit 0
|
|
fi
|
|
|
|
# Get list of changed files, excluding the patterns we don't want to scan
|
|
CHANGED_FILES=$(git diff --name-only --diff-filter=ACMRT $BASE_REF...HEAD | \
|
|
grep -v -E '\.(env\.example|env\.template)$|/tests/|test.*\.py$|^test_.*\.py$|\.github/workflows/.*\.ya?ml$|pnpm-lock\.yaml$|alembic\.ini$|alembic/versions/.*\.py$|\.mdx$' || true)
|
|
|
|
if [ -z "$CHANGED_FILES" ]; then
|
|
echo "No relevant files changed for security scan"
|
|
echo "changed_files=none" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "Changed files for security scan:"
|
|
echo "$CHANGED_FILES"
|
|
# Convert to space-separated string for detect-secrets
|
|
CHANGED_FILES_STR=$(echo "$CHANGED_FILES" | tr '\n' ' ')
|
|
echo "changed_files=$CHANGED_FILES_STR" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Set up Python
|
|
if: steps.changed-files.outputs.changed_files != 'none'
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install detect-secrets
|
|
if: steps.changed-files.outputs.changed_files != 'none'
|
|
run: pip install detect-secrets
|
|
|
|
- name: Run detect-secrets scan on changed files
|
|
if: steps.changed-files.outputs.changed_files != 'none' && steps.changed-files.outputs.changed_files != 'all'
|
|
run: |
|
|
CHANGED_FILES="${{ steps.changed-files.outputs.changed_files }}"
|
|
if [ -n "$CHANGED_FILES" ]; then
|
|
detect-secrets scan --baseline .secrets.baseline $CHANGED_FILES
|
|
fi
|
|
|
|
- name: Run detect-secrets scan on all files
|
|
if: steps.changed-files.outputs.changed_files == 'all'
|
|
run: |
|
|
detect-secrets scan --baseline .secrets.baseline --exclude-files '.*\.env\.example|.*\.env\.template|.*/tests/.*|.*test.*\.py|test_.*\.py|.github/workflows/.*\.yml|.github/workflows/.*\.yaml|.*pnpm-lock\.yaml|.*alembic\.ini|.*alembic/versions/.*\.py|.*\.mdx$'
|
|
|
|
python-backend:
|
|
name: Python Backend Quality
|
|
runs-on: ubuntu-latest
|
|
if: github.event.pull_request.draft == false
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install UV
|
|
uses: astral-sh/setup-uv@v3
|
|
|
|
- name: Check if backend files changed
|
|
id: backend-changes
|
|
uses: dorny/paths-filter@v3
|
|
with:
|
|
filters: |
|
|
backend:
|
|
- 'surfsense_backend/**'
|
|
|
|
- name: Cache dependencies
|
|
if: steps.backend-changes.outputs.backend == 'true'
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cache/uv
|
|
surfsense_backend/.venv
|
|
key: python-deps-${{ hashFiles('surfsense_backend/uv.lock') }}
|
|
|
|
- name: Install dependencies
|
|
if: steps.backend-changes.outputs.backend == 'true'
|
|
working-directory: surfsense_backend
|
|
run: uv sync
|
|
|
|
- name: Run Ruff linting
|
|
if: steps.backend-changes.outputs.backend == 'true'
|
|
working-directory: surfsense_backend
|
|
run: |
|
|
# Ruff will automatically use pyproject.toml configuration
|
|
uv run ruff check . --output-format=github
|
|
|
|
- name: Run Ruff formatting check
|
|
if: steps.backend-changes.outputs.backend == 'true'
|
|
working-directory: surfsense_backend
|
|
run: |
|
|
# Ruff will automatically use pyproject.toml configuration
|
|
uv run ruff format --check . --diff
|
|
|
|
- name: Install Bandit
|
|
if: steps.backend-changes.outputs.backend == 'true'
|
|
run: pip install bandit
|
|
|
|
- name: Run Bandit security scan
|
|
if: steps.backend-changes.outputs.backend == 'true'
|
|
working-directory: surfsense_backend
|
|
run: |
|
|
bandit -r . -f json --severity-level high --confidence-level high --exclude ./tests/,./test_*.py,./*test*.py,./alembic/
|
|
|
|
quality-gate:
|
|
name: Quality Gate
|
|
runs-on: ubuntu-latest
|
|
needs: [file-quality, security-scan, python-backend, frontend-quality]
|
|
if: always()
|
|
|
|
steps:
|
|
- name: Check all jobs status
|
|
run: |
|
|
if [[ "${{ needs.file-quality.result }}" == "failure" ||
|
|
"${{ needs.security-scan.result }}" == "failure" ||
|
|
"${{ needs.python-backend.result }}" == "failure" ||
|
|
"${{ needs.frontend-quality.result }}" == "failure" ]]; then
|
|
echo "❌ Code quality checks failed"
|
|
exit 1
|
|
else
|
|
echo "✅ All code quality checks passed"
|
|
fi |