Run linting outside Docker (#479)

mozilla-it · Dec 2, 2022 · df7c904 · df7c904
1 parent aa8121d
commit df7c904
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 49 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -0,0 +1,18 @@
+name: Run lint
+
+on: pull_request
+
+jobs:
+  run_test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install poetry
+        run: pipx install poetry
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+          cache: "poetry"
+      - name: Install dependencies
+        run: poetry install
+      - run: bin/lint.sh
diff --git a/.github/workflows/test-build.yaml b/.github/workflows/test-build.yaml
@@ -34,13 +34,7 @@ jobs:
           push: false
           target: "development"
           tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
-
-      - name: Run linting
-        run: |-
-          docker run --rm \
-          ghcr.io/${{ github.repository }}:${{ github.sha }} \
-          ./docker/lint.sh
-      
+
       - name: Run tests
         run: |-
           docker run --rm \

diff --git a/.gitignore b/.gitignore
@@ -1,14 +1,16 @@
+.bash_history
+.cache
+.coverage
+.env
 .idea/
-.tox/
 .mypy_cache/
-*pyc
+.tox/
+.venv
 *.egg-info
-Pipfile.lock
+*pyc
 auto_docs/steps/*
 build
-.venv
-reports/
-.coverage
-htmlcov/
 docs/_build
-.env
+htmlcov/
+Pipfile.lock
+reports/
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -75,6 +75,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -127,32 +131,32 @@
         "filename": ".github/workflows/test-build.yaml",
         "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
         "is_verified": false,
-        "line_number": 52
+        "line_number": 46
       },
       {
         "type": "Secret Keyword",
         "filename": ".github/workflows/test-build.yaml",
         "hashed_secret": "a2490b1a07aa4a72606afe91f2de20f8c524d779",
         "is_verified": false,
-        "line_number": 53
+        "line_number": 47
       }
     ],
-    "docker/config/local_dev.env": [
+    "bin/lint.sh": [
       {
         "type": "Secret Keyword",
-        "filename": "docker/config/local_dev.env",
-        "hashed_secret": "9f33da7ed96322c0564596c334a5d7b3cc440621",
+        "filename": "bin/lint.sh",
+        "hashed_secret": "fd336c21216d202878615f06d5fd8528d187f37e",
         "is_verified": false,
-        "line_number": 7
+        "line_number": 16
       }
     ],
-    "docker/lint.sh": [
+    "docker/config/local_dev.env": [
       {
         "type": "Secret Keyword",
-        "filename": "docker/lint.sh",
-        "hashed_secret": "fd336c21216d202878615f06d5fd8528d187f37e",
+        "filename": "docker/config/local_dev.env",
+        "hashed_secret": "9f33da7ed96322c0564596c334a5d7b3cc440621",
         "is_verified": false,
-        "line_number": 14
+        "line_number": 7
       }
     ],
     "docs/developer_setup.md": [
@@ -199,5 +203,5 @@
       }
     ]
   },
-  "generated_at": "2022-11-29T14:01:53Z"
+  "generated_at": "2022-11-29T20:27:29Z"
 }
diff --git a/Makefile b/Makefile
@@ -8,6 +8,9 @@ export
 CTMS_UID ?= 10001
 CTMS_GID ?= 10001
 
+VENV := $(shell echo $${VIRTUAL_ENV-.venv})
+INSTALL_STAMP = $(VENV)/.install.stamp
+
 .PHONY: help
 help:
 	@echo "Usage: make RULE"
@@ -33,14 +36,19 @@ help:
 	cp docker/config/env.dist .env; \
 	fi
 
+install: $(INSTALL_STAMP)
+$(INSTALL_STAMP): poetry.lock
+	@if [ -z $(shell command -v poetry 2> /dev/null) ]; then echo "Poetry could not be found. See https://python-poetry.org/docs/"; exit 2; fi
+	POETRY_VIRTUALENVS_IN_PROJECT=1 poetry install --no-root
+	touch $(INSTALL_STAMP)
 
 .PHONY: build
 build: .env
 	docker-compose build --build-arg userid=${CTMS_UID} --build-arg groupid=${CTMS_GID}
 
 .PHONY: lint
-lint: .env
-	docker-compose run --rm --no-deps web bash ./docker/lint.sh
+lint: .env $(INSTALL_STAMP)
+	bin/lint.sh
 
 .PHONY: db-only
 db-only: .env

diff --git a/bin/lint.sh b/bin/lint.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euo pipefail
+
+POETRY_RUN="poetry run"
+
+CURRENT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+BASE_DIR="$(dirname "$CURRENT_DIR")"
+HAS_GIT="$(command -v git || echo '')"
+echo $HAS_GIT
+
+$POETRY_RUN bandit -lll --recursive "${BASE_DIR}" --exclude "${BASE_DIR}/poetry.lock,${BASE_DIR}/.venv,${BASE_DIR}/.mypy,${BASE_DIR}/build"
+
+if [ -n "$HAS_GIT" ]; then
+    # Scan only files checked into the repo, omit poetry.lock
+    SECRETS_TO_SCAN=`git ls-tree --full-tree -r --name-only HEAD | grep -v poetry.lock`
+    $POETRY_RUN detect-secrets-hook $SECRETS_TO_SCAN --baseline .secrets.baseline
+fi
+
+$POETRY_RUN isort --check-only "${BASE_DIR}"
+$POETRY_RUN black --check "${BASE_DIR}"
+$POETRY_RUN mypy "${BASE_DIR}/ctms"
+$POETRY_RUN pylint "${BASE_DIR}/ctms" "${BASE_DIR}/tests/unit"
diff --git a/docker/lint.sh b/docker/lint.sh