grabowski/Northern-Thailand-Ping-River-Monitor
5
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases 15 Wiki Activity

Update .gitea/workflows/security.yml

Browse Source
This commit is contained in:
Alexander Grabowski
2025-08-12 17:26:51 +07:00
parent 123ec13896
commit 4ed5f2ccad
1 changed files with 173 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

174
.gitea/workflows/security.yml
View File

@@ -218,4 +218,176 @@ jobs:
The following packages have updates available: The following packages have updates available:
EOF EOF
jq -r '.[] | "- **\(.name)**: \(.version) → jq -r '.[] | "- **\(.name)**: \(.version) → \(.latest_version)"' outdated-packages.json >> issue-body.md
cat >> issue-body.md << 'EOF'
## 🔍 Security Impact
Please review each update for:
- Security fixes
- Breaking changes
- Compatibility issues
## ✅ Action Items
- [ ] Review changelog for each package
- [ ] Test updates in development environment
- [ ] Update requirements.txt
- [ ] Run full test suite
- [ ] Deploy to staging for validation
---
*This issue was automatically created by the security workflow.*
EOF
echo "Issue body created. In a real implementation, you would create a Gitea issue here."
cat issue-body.md
fi
- name: Upload dependency reports
uses: actions/upload-artifact@v3
with:
name: dependency-reports-${{ github.run_number }}
path: |
outdated-packages.json
issue-body.md
# Code quality metrics
code-quality:
name: Code Quality Metrics
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install quality tools
run: |
python -m pip install --upgrade pip --root-user-action=ignore
pip install --root-user-action=ignore radon xenon vulture
if [ -f requirements.txt ]; then
pip install --root-user-action=ignore -r requirements.txt
fi
- name: Calculate code complexity
run: |
echo "📊 Calculating code complexity..."
if [ -d src ]; then
radon cc src/ --json > complexity-report.json
radon mi src/ --json > maintainability-report.json
echo "🔍 Complexity Summary:"
radon cc src/ --average
echo "🔧 Maintainability Summary:"
radon mi src/
else
echo "{}" > complexity-report.json
echo "{}" > maintainability-report.json
echo "No src/ directory found; skipping detailed radon output."
fi
- name: Find dead code
run: |
echo "🧹 Checking for dead code..."
if [ -d src ]; then
vulture src/ --json > dead-code-report.json || true
else
echo "[]" > dead-code-report.json
fi
- name: Check for code smells
run: |
echo "👃 Checking for code smells..."
if [ -d src ]; then
xenon --max-absolute B --max-modules A --max-average A src/ || true
else
echo "No src/ directory found; skipping xenon."
fi
- name: Upload quality reports
uses: actions/upload-artifact@v3
with:
name: code-quality-reports-${{ github.run_number }}
path: |
complexity-report.json
maintainability-report.json
dead-code-report.json
# Security summary
security-summary:
name: Security Summary
runs-on: ubuntu-latest
needs: [dependency-scan, license-check, code-quality]
if: always()
steps:
- name: Install jq (for parsing JSON)
run: sudo apt-get update && sudo apt-get install -y jq
- name: Download all artifacts
uses: actions/download-artifact@v3
- name: Generate security summary
run: |
echo "# 🔒 Security Scan Summary" > security-summary.md
echo "" >> security-summary.md
echo "**Scan Date:** $(date -u)" >> security-summary.md
echo "**Repository:** ${{ github.repository }}" >> security-summary.md
echo "**Commit:** ${{ github.sha }}" >> security-summary.md
echo "" >> security-summary.md
echo "## 📊 Results" >> security-summary.md
echo "" >> security-summary.md
# Dependency scan results (support array/object formats)
if ls security-reports-*/safety-report.json >/dev/null 2>&1; then
vuln_count=$(jq -s '
def countfile:
if type=="array" then length
else ((.vulnerabilities // []) | length)
end;
add | (if type=="number" then . else 0 end)
' security-reports-*/safety-report.json 2>/dev/null || echo "0")
if [ "${vuln_count:-0}" -eq 0 ]; then
echo "- ✅ **Dependency Scan**: No vulnerabilities found" >> security-summary.md
else
echo "- ⚠️ **Dependency Scan**: ${vuln_count} vulnerabilities found" >> security-summary.md
fi
else
echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
fi
# Docker scan results (Trivy removed)
echo "- ⏭️ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md
# License check results
if ls license-report-*/licenses.json >/dev/null 2>&1; then
echo "- ✅ **License Check**: Completed" >> security-summary.md
else
echo "- ❓ **License Check**: Results not available" >> security-summary.md
fi
# Code quality results
if ls code-quality-reports-*/complexity-report.json >/dev/null 2>&1; then
echo "- ✅ **Code Quality**: Analyzed" >> security-summary.md
else
echo "- ❓ **Code Quality**: Results not available" >> security-summary.md
fi
echo "" >> security-summary.md
echo "## 🔗 Detailed Reports" >> security-summary.md
echo "" >> security-summary.md
echo "Detailed reports are available in the workflow artifacts." >> security-summary.md
cat security-summary.md
- name: Upload security summary
uses: actions/upload-artifact@v3
with:
name: security-summary-${{ github.run_number }}
path: security-summary.md