diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 00000000..f996ed72
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,18 @@
+name: Run lint
+
+on: pull_request
+
+jobs:
+ run_test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Install poetry
+ run: pipx install poetry
+ - uses: actions/setup-python@v4
+ with:
+ python-version: "3.10"
+ cache: "poetry"
+ - name: Install dependencies
+ run: poetry install
+ - run: bin/lint.sh
diff --git a/.github/workflows/test-build.yaml b/.github/workflows/test-build.yaml
index efb79c9a..61d432ee 100644
--- a/.github/workflows/test-build.yaml
+++ b/.github/workflows/test-build.yaml
@@ -34,13 +34,7 @@ jobs:
 push: false
 target: "development"
 tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
-
- - name: Run linting
- run: |-
- docker run --rm \
- ghcr.io/${{ github.repository }}:${{ github.sha }} \
- ./docker/lint.sh
-
+
 - name: Run tests
 run: |-
 docker run --rm \
diff --git a/.gitignore b/.gitignore
index af6319f8..1adddb7f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,14 +1,16 @@
+.bash_history
+.cache
+.coverage
+.env
 .idea/
-.tox/
 .mypy_cache/
-*pyc
+.tox/
+.venv
 *.egg-info
-Pipfile.lock
+*pyc
 auto_docs/steps/*
 build
-.venv
-reports/
-.coverage
-htmlcov/
 docs/_build
-.env
+htmlcov/
+Pipfile.lock
+reports/
diff --git a/.secrets.baseline b/.secrets.baseline
index 652cbeb3..00b7a3d9 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -75,6 +75,10 @@
 {
 "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
 },
+ {
+ "path": "detect_secrets.filters.common.is_baseline_file",
+ "filename": ".secrets.baseline"
+ },
 {
 "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
 "min_level": 2
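Review bot: The new workflow declares no `permissions:` block and pins both actions by mutable major tag (`actions/checkout@v3`, `actions/setup-python@v4`), so the job runs with the repository's default GITHUB_TOKEN scopes and executes whatever those tags currently point to. Since the job only needs to read the checkout, a top-level `permissions:` / `  contents: read` pair limits the token, and pinning the two `uses:` lines to a full commit SHA with the tag in a trailing comment makes the action supply chain auditable. The job id `run_test` is misleading for a job whose last step is `bin/lint.sh`; `lint` would read better in the Checks tab. `cache: "poetry"` on `setup-python` requires Poetry to be present before that step runs, which the preceding `pipx install poetry` step does provide.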
@@ -127,32 +131,32 @@
 "filename": ".github/workflows/test-build.yaml",
 "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
 "is_verified": false,
- "line_number": 52
+ "line_number": 46
 },
 {
 "type": "Secret Keyword",
 "filename": ".github/workflows/test-build.yaml",
 "hashed_secret": "a2490b1a07aa4a72606afe91f2de20f8c524d779",
 "is_verified": false,
- "line_number": 53
+ "line_number": 47
 }
 ],
- "docker/config/local_dev.env": [
+ "bin/lint.sh": [
 {
 "type": "Secret Keyword",
- "filename": "docker/config/local_dev.env",
- "hashed_secret": "9f33da7ed96322c0564596c334a5d7b3cc440621",
+ "filename": "bin/lint.sh",
+ "hashed_secret": "fd336c21216d202878615f06d5fd8528d187f37e",
 "is_verified": false,
- "line_number": 7
+ "line_number": 16
 }
 ],
- "docker/lint.sh": [
+ "docker/config/local_dev.env": [
 {
 "type": "Secret Keyword",
- "filename": "docker/lint.sh",
- "hashed_secret": "fd336c21216d202878615f06d5fd8528d187f37e",
+ "filename": "docker/config/local_dev.env",
+ "hashed_secret": "9f33da7ed96322c0564596c334a5d7b3cc440621",
 "is_verified": false,
- "line_number": 14
+ "line_number": 7
 }
 ],
 "docs/developer_setup.md": [
@@ -199,5 +203,5 @@
 }
 ]
 },
- "generated_at": "2022-11-29T14:01:53Z"
+ "generated_at": "2022-11-29T20:27:29Z"
 }
diff --git a/Makefile b/Makefile
index d0073604..ff3b34fa 100644
--- a/Makefile
+++ b/Makefile
@@ -8,6 +8,9 @@ export CTMS_UID ?= 10001 CTMS_GID ?= 10001 +VENV := $(shell echo $${VIRTUAL_ENV-.venv}) +INSTALL_STAMP = $(VENV)/.install.stamp + .PHONY: help help: @echo "Usage: make RULE"
@@ -33,14 +36,19 @@ help: cp docker/config/env.dist .env; \ fi +install: $(INSTALL_STAMP) +$(INSTALL_STAMP): poetry.lock + @if [ -z $(shell command -v poetry 2> /dev/null) ]; then echo "Poetry could not be found. See https://python-poetry.org/docs/"; exit 2; fi + POETRY_VIRTUALENVS_IN_PROJECT=1 poetry install --no-root + touch $(INSTALL_STAMP) .PHONY: build build: .env docker-compose build --build-arg userid=${CTMS_UID} --build-arg groupid=${CTMS_GID} .PHONY: lint -lint: .env - docker-compose run --rm --no-deps web bash ./docker/lint.sh +lint: .env $(INSTALL_STAMP) + bin/lint.sh .PHONY: db-only db-only: .env
diff --git a/bin/lint.sh b/bin/lint.sh
new file mode 100755
index 00000000..3880a718
--- /dev/null
+++ b/bin/lint.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euo pipefail
+
+POETRY_RUN="poetry run"
+
+CURRENT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+BASE_DIR="$(dirname "$CURRENT_DIR")"
+HAS_GIT="$(command -v git || echo '')"
+echo $HAS_GIT
+
+$POETRY_RUN bandit -lll --recursive "${BASE_DIR}" --exclude "${BASE_DIR}/poetry.lock,${BASE_DIR}/.venv,${BASE_DIR}/.mypy,${BASE_DIR}/build"
+
+if [ -n "$HAS_GIT" ]; then
+ # Scan only files checked into the repo, omit poetry.lock
+ SECRETS_TO_SCAN=`git ls-tree --full-tree -r --name-only HEAD | grep -v poetry.lock`
+ $POETRY_RUN detect-secrets-hook $SECRETS_TO_SCAN --baseline .secrets.baseline
+fi
+
+$POETRY_RUN isort --check-only "${BASE_DIR}"
+$POETRY_RUN black --check "${BASE_DIR}"
+$POETRY_RUN mypy "${BASE_DIR}/ctms"
+$POETRY_RUN pylint "${BASE_DIR}/ctms" "${BASE_DIR}/tests/unit"
diff --git a/docker/lint.sh b/docker/lint.sh
deleted file mode 100755
index 19e83115..00000000
--- a/docker/lint.sh
+++ /dev/null
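Review bot: The Poetry presence check in the `$(INSTALL_STAMP)` recipe relies on an unquoted `$(shell command -v poetry …)` expansion, so when poetry is absent the test collapses to `[ -z ]`, which only passes because `[` treats the lone `-z` as a non-empty string, and an interpreter path containing whitespace would break the test outright. `@command -v poetry >/dev/null 2>&1 || { echo "Poetry could not be found. See https://python-poetry.org/docs/"; exit 2; }` performs the same check inside the recipe shell without that expansion. `lint` now runs `bin/lint.sh` on the host instead of through `docker-compose`, so its remaining `.env` prerequisite looks unnecessary unless the script reads that file; worth confirming before keeping it.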
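Review bot: The detect-secrets step resolves paths against the caller's working directory while everything else in the script is anchored on `${BASE_DIR}`: `git ls-tree --full-tree` emits repository-root-relative names and `--baseline .secrets.baseline` is relative as well, so invoking `bin/lint.sh` from anywhere other than the repository root either fails to find the listed files or fails on the missing baseline, and the secret scan silently stops being meaningful. Adding `cd "${BASE_DIR}"` directly after `BASE_DIR` is computed fixes both, and `SECRETS_TO_SCAN=$(git ls-tree --full-tree -r --name-only HEAD | grep -v poetry.lock)` is the modern form of the backtick substitution. `$SECRETS_TO_SCAN` is also passed unquoted, so a tracked path containing whitespace would be split into several bogus arguments. `echo $HAS_GIT` reads like leftover debugging output and could be dropped. The bandit `--exclude` entry `${BASE_DIR}/.mypy` may be meant to cover `.mypy_cache` (the name used in .gitignore); worth confirming against bandit's exclude matching.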
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-CURRENT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
-BASE_DIR="$(dirname "$CURRENT_DIR")"
-HAS_GIT="$(command -v git || echo '')"
-echo $HAS_GIT
-
-bandit -lll --recursive "${BASE_DIR}" --exclude "${BASE_DIR}/poetry.lock,${BASE_DIR}/.venv,${BASE_DIR}/.mypy,${BASE_DIR}/build"
-
-if [ -n "$HAS_GIT" ]; then
- # Scan only files checked into the repo, omit poetry.lock
- SECRETS_TO_SCAN=`git ls-tree --full-tree -r --name-only HEAD | grep -v poetry.lock`
- detect-secrets-hook $SECRETS_TO_SCAN --baseline .secrets.baseline
-fi
-
-isort --check-only "${BASE_DIR}"
-black --check "${BASE_DIR}"
-mypy "${BASE_DIR}/ctms"
-pylint "${BASE_DIR}/ctms" "${BASE_DIR}/tests/unit"