Complete workflow token migration and pip fixes

Token Migration (GITHUB_TOKEN → GH_TOKEN):
- Update CI workflow to use GH_TOKEN secret
- Update Release workflow to use GH_TOKEN secret
- Update Security workflow to use GH_TOKEN secret
- Maintain environment variable compatibility
- Update token validation messages

 Pip Installation Improvements:
- Add --root-user-action=ignore to all pip commands
- Eliminates 'Running pip as root user' warnings
- Applied across all workflow jobs consistently
- Improves workflow reliability and log cleanliness

 Affected Workflows:
- CI: Fixed token references + pip warnings
- Release: Fixed token references + pip warnings
- Security: Fixed token references + pip warnings + validation messages

 Changes Summary:
- 3 workflow files updated
- 37 insertions, 37 deletions (clean replacements)
- Consistent token naming across all workflows
- All pip commands now use --root-user-action=ignore flag

 Benefits:
- Gitea-compatible secret naming (GH_TOKEN)
- Cleaner workflow logs without pip warnings
- Better error handling and validation
- Consistent token usage across all pipelines
2025-08-12 16:50:09 +07:00
parent b13a4fe400
commit 505c65f614
3 changed files with 37 additions and 37 deletions


@@ -14,7 +14,7 @@ env:
REGISTRY: git.b4l.co.th REGISTRY: git.b4l.co.th
IMAGE_NAME: b4l/northern-thailand-ping-river-monitor IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
# GitHub token for better rate limits and authentication # GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GH_TOKEN }}
jobs: jobs:
# Test job # Test job
@@ -44,9 +44,9 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: | run: |
python -m pip install --upgrade pip python -m pip install --upgrade pip --root-user-action=ignore
pip install -r requirements.txt pip install --root-user-action=ignore -r requirements.txt
pip install -r requirements-dev.txt pip install --root-user-action=ignore -r requirements-dev.txt
- name: Lint with flake8 - name: Lint with flake8
run: | run: |
@@ -106,8 +106,8 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: | run: |
python -m pip install --upgrade pip python -m pip install --upgrade pip --root-user-action=ignore
pip install -r requirements-dev.txt pip install --root-user-action=ignore -r requirements-dev.txt
- name: Run safety check - name: Run safety check
run: | run: |
@@ -167,7 +167,7 @@ jobs:
cache-from: type=gha cache-from: type=gha
cache-to: type=gha,mode=max cache-to: type=gha,mode=max
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- name: Test Docker image - name: Test Docker image
run: | run: |
@@ -205,8 +205,8 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: | run: |
python -m pip install --upgrade pip python -m pip install --upgrade pip --root-user-action=ignore
pip install -r requirements.txt pip install --root-user-action=ignore -r requirements.txt
- name: Test with VictoriaMetrics - name: Test with VictoriaMetrics
env: env:
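Review bot: In each "Install dependencies" step the `--root-user-action=ignore` flag was also appended to the bootstrap line `python -m pip install --upgrade pip --root-user-action=ignore`, but that line is parsed by the pre-installed pip before any upgrade happens, so on a base image whose pip predates 22.1 (the release that introduced the option) the step fails with an unrecognized-argument error instead of upgrading. Keep the bootstrap line as `python -m pip install --upgrade pip` and apply the flag only to the installs that follow, which already run on the upgraded pip. The same pattern appears in the Install steps of the Release and Security workflows in this commit. Separately, the workflow-level env key is renamed to `GH_TOKEN` while the docker-build step still exports `GITHUB_TOKEN` from the same secret; a one-line comment on the top-level env block such as `# GH_TOKEN is the workflow-wide name; steps that need the GITHUB_TOKEN spelling set it explicitly` would make the split read as intentional rather than a leftover.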


@@ -16,7 +16,7 @@ env:
REGISTRY: git.b4l.co.th REGISTRY: git.b4l.co.th
IMAGE_NAME: b4l/northern-thailand-ping-river-monitor IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
# GitHub token for better rate limits and authentication # GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GH_TOKEN }}
jobs: jobs:
# Create release # Create release
@@ -83,9 +83,9 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: | run: |
python -m pip install --upgrade pip python -m pip install --upgrade pip --root-user-action=ignore
pip install -r requirements.txt pip install --root-user-action=ignore -r requirements.txt
pip install -r requirements-dev.txt pip install --root-user-action=ignore -r requirements-dev.txt
- name: Run full test suite - name: Run full test suite
run: | run: |
@@ -95,7 +95,7 @@ jobs:
- name: Build Python package - name: Build Python package
run: | run: |
pip install build pip install --root-user-action=ignore build
python -m build python -m build
- name: Upload Python package - name: Upload Python package
@@ -160,9 +160,9 @@ jobs:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }} image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }}
format: 'sarif' format: 'sarif'
output: 'trivy-results.sarif' output: 'trivy-results.sarif'
github-token: ${{ secrets.GITHUB_TOKEN }} github-token: ${{ secrets.GH_TOKEN }}
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- name: Upload Trivy scan results - name: Upload Trivy scan results
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
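Review bot: The env block and the Trivy step now read `secrets.GH_TOKEN` instead of `secrets.GITHUB_TOKEN`, which swaps a runner-issued, job-scoped token for a stored credential whose lifetime and permissions are whatever was granted when it was created, and nothing in the workflow records what that secret must be allowed to do. If this runs on Gitea Actions the previous value was presumably the instance-issued job token, which would not have helped with github.com rate limits anyway, so the change likely fixes a credential that was silently useless — but the replacement needs its scope documented. Suggest widening the existing comment to state the minimum scope the token needs and that it is used only for API rate limits, e.g. `# GH_TOKEN: stored token used for GitHub API rate limits; grant the minimum scope and rotate per the repository secret policy`. The Trivy step also passes the same secret twice, as the `github-token:` input and as a step `env: GITHUB_TOKEN`; one of the two is likely redundant and worth confirming against the action's documented inputs.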


@@ -14,7 +14,7 @@ on:
env: env:
PYTHON_VERSION: "3.11" PYTHON_VERSION: "3.11"
# GitHub token for better rate limits and authentication # GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GH_TOKEN }}
jobs: jobs:
# Dependency vulnerability scan # Dependency vulnerability scan
@@ -33,8 +33,8 @@ jobs:
- name: Install dependencies - name: Install dependencies
run: | run: |
python -m pip install --upgrade pip python -m pip install --upgrade pip --root-user-action=ignore
pip install safety bandit semgrep pip install --root-user-action=ignore safety bandit semgrep
- name: Run Safety check - name: Run Safety check
run: | run: |
@@ -95,18 +95,18 @@ jobs:
- name: Check GitHub token availability - name: Check GitHub token availability
run: | run: |
if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then if [ -z "${{ secrets.GH_TOKEN }}" ]; then
echo "⚠️ GITHUB_TOKEN not configured. Trivy scans may fail due to rate limits." echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits."
echo "💡 To fix: Add GITHUB_TOKEN secret in repository settings" echo "💡 To fix: Add GH_TOKEN secret in repository settings"
else else
echo "✅ GITHUB_TOKEN is configured" echo "✅ GH_TOKEN is configured"
fi fi
- name: Build Docker image for scanning - name: Build Docker image for scanning
run: | run: |
docker build -t ping-river-monitor:scan . docker build -t ping-river-monitor:scan .
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
@@ -114,9 +114,9 @@ jobs:
image-ref: "ping-river-monitor:scan" image-ref: "ping-river-monitor:scan"
format: "json" format: "json"
output: "trivy-report.json" output: "trivy-report.json"
github-token: ${{ secrets.GITHUB_TOKEN }} github-token: ${{ secrets.GH_TOKEN }}
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
continue-on-error: true continue-on-error: true
- name: Run Trivy filesystem scan - name: Run Trivy filesystem scan
@@ -126,9 +126,9 @@ jobs:
scan-ref: "." scan-ref: "."
format: "json" format: "json"
output: "trivy-fs-report.json" output: "trivy-fs-report.json"
github-token: ${{ secrets.GITHUB_TOKEN }} github-token: ${{ secrets.GH_TOKEN }}
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
continue-on-error: true continue-on-error: true
- name: Upload Trivy reports - name: Upload Trivy reports
@@ -177,9 +177,9 @@ jobs:
- name: Install pip-licenses - name: Install pip-licenses
run: | run: |
python -m pip install --upgrade pip python -m pip install --upgrade pip --root-user-action=ignore
pip install pip-licenses pip install --root-user-action=ignore pip-licenses
pip install -r requirements.txt pip install --root-user-action=ignore -r requirements.txt
- name: Check licenses - name: Check licenses
run: | run: |
@@ -222,13 +222,13 @@ jobs:
- name: Install pip-check-updates equivalent - name: Install pip-check-updates equivalent
run: | run: |
python -m pip install --upgrade pip python -m pip install --upgrade pip --root-user-action=ignore
pip install pip-review pip install --root-user-action=ignore pip-review
- name: Check for outdated packages - name: Check for outdated packages
run: | run: |
echo "📦 Checking for outdated packages..." echo "📦 Checking for outdated packages..."
pip install -r requirements.txt pip install --root-user-action=ignore -r requirements.txt
pip list --outdated --format=json > outdated-packages.json || true pip list --outdated --format=json > outdated-packages.json || true
if [ -s outdated-packages.json ]; then if [ -s outdated-packages.json ]; then
@@ -303,9 +303,9 @@ jobs:
- name: Install quality tools - name: Install quality tools
run: | run: |
python -m pip install --upgrade pip python -m pip install --upgrade pip --root-user-action=ignore
pip install radon xenon vulture pip install --root-user-action=ignore radon xenon vulture
pip install -r requirements.txt pip install --root-user-action=ignore -r requirements.txt
- name: Calculate code complexity - name: Calculate code complexity
run: | run: |
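Review bot: The "Check GitHub token availability" step interpolates the secret directly into the shell script, `if [ -z "${{ secrets.GH_TOKEN }}" ]; then`, so the token value becomes part of the rendered script text and any quote or shell-special character in it breaks the `[ ]` test. The workflow-level `env:` in this same commit already exports the secret as `GH_TOKEN`, so the test can read the environment variable instead: `if [ -z "$GH_TOKEN" ]; then`. That keeps the raw value out of the script body and matches how the later Trivy steps consume the token through `env:`. The pip bootstrap lines in this file's Install steps carry the same ordering issue flagged for the CI workflow.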