Enable GitHub Actions

release-engineering · Apr 27, 2022 · d55b73a · d55b73a
1 parent 4e1994f
commit d55b73a
Show file tree

Hide file tree

Showing 7 changed files with 140 additions and 8 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/gating.yaml b/.github/workflows/gating.yaml
@@ -0,0 +1,114 @@
+name: Gating
+
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+    inputs: {}
+
+jobs:
+  tests:
+    name: Unit tests
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9"]
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install system dependencies
+        uses: nick-invision/retry@v2
+        with:
+          timeout_minutes: 10
+          retry_wait_seconds: 30
+          max_attempts: 3
+          command: >-
+            sudo apt-get update
+            && sudo apt-get install
+            libkrb5-dev
+            libldap2-dev
+            libsasl2-dev
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install tox tox-gh-actions
+
+      - name: Test with tox
+        run: tox -e py
+
+      - name: Run coveralls-python
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COVERALLS_FLAG_NAME: python-${{ matrix.python-version }}
+          COVERALLS_PARALLEL: true
+        run: |
+          pip3 install --upgrade pip
+          pip3 install --upgrade setuptools
+          pip3 install --upgrade coveralls==3.2.0
+          coveralls --service=github
+
+  coveralls-finish:
+    name: Finish coveralls-python
+    needs: tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Finished
+        run: |
+          pip3 install --upgrade pip
+          pip3 install --upgrade setuptools
+          pip3 install --upgrade coveralls
+          coveralls --finish --service=github
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  linters:
+    name: Linters
+    strategy:
+      matrix:
+        tox_env:
+          - bandit
+          - lint
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.9"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install tox
+
+      - name: Test '${{ matrix.tox_env }}' with tox
+        run: tox -e ${{ matrix.tox_env }}
+
+  hadolint:
+    name: Hadolint
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        dockerfile:
+          - Dockerfile
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: hadolint/hadolint-action@v1.5.0
+        with:
+          dockerfile: ${{ matrix.dockerfile }}
+          # Ignore list:
+          # * DL3041 - Specify version with dnf install -y <package>-<version>
+          ignore: DL3041
+          failure-threshold: warning
diff --git a/requirements.txt b/requirements.txt
@@ -6,7 +6,7 @@ Flask
 Flask-RESTful!=0.3.6
 Flask-SQLAlchemy
 flask-cors
-SQLAlchemy
+SQLAlchemy==1.3.22
 gssapi
 Flask-Migrate
 

diff --git a/tox.ini b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = lint,py39,docs
+envlist = bandit,lint,py39,docs
 
 # If the user is missing an interpreter, don't fail
 skip_missing_interpreters = True
@@ -15,8 +15,14 @@ commands =
     find -name *.pyc -delete
     py.test {posargs}
 
-[pytest]
-testpaths = tests/
+[testenv:bandit]
+skip_install = true
+deps =
+    bandit
+commands =
+    bandit \
+        --exclude functional-tests,tests \
+        --recursive waiverdb
 
 [testenv:docs]
 changedir = docs
@@ -36,6 +42,9 @@ deps =
 commands =
     python -m flake8 {posargs}
 
+[pytest]
+testpaths = tests/
+
 [flake8]
 show-source = True
 max-line-length = 100

diff --git a/waiverdb/app.py b/waiverdb/app.py
@@ -95,7 +95,7 @@ def create_app(config_obj=None):
         app.config.from_object(config_obj)
     else:
         load_config(app)
-    if app.config['PRODUCTION'] and app.secret_key == 'replace-me-with-something-random':
+    if app.config['PRODUCTION'] and app.secret_key == 'replace-me-with-something-random':  # nosec
         raise Warning("You need to change the app.secret_key value for production")
 
     # register error handlers

diff --git a/waiverdb/auth.py b/waiverdb/auth.py
@@ -17,7 +17,7 @@ def process_gssapi_request(token):
         sc = gssapi.SecurityContext(usage="accept")
 
         stage = "step context"
-        token = sc.step(token if token != "" else None)
+        token = sc.step(token if token != "" else None)  # nosec
         token = token if token is not None else ""
 
         # The current architecture cannot support continuation here

diff --git a/waiverdb/config.py b/waiverdb/config.py
@@ -11,11 +11,11 @@ class Config(object):
     DATABASE_URI = 'postgresql+psycopg2:///waiverdb'
     # We configure logging explicitly, turn off the Flask-supplied log handler.
     LOGGER_HANDLER_POLICY = 'never'
-    HOST = '0.0.0.0'
+    HOST = '127.0.0.1'
     PORT = 5004
     PRODUCTION = False
     SHOW_DB_URI = False
-    SECRET_KEY = 'replace-me-with-something-random'
+    SECRET_KEY = 'replace-me-with-something-random'  # nosec
 
     RESULTSDB_API_URL = 'https://taskotron.fedoraproject.org/resultsdb_api/api/v2.0'
     # need to explicitly turn this off