From d7d5ba1ec52c43b9c804b01f0de57c6f919ec5b6 Mon Sep 17 00:00:00 2001
From: Roberto Polli
Date: Tue, 5 Mar 2024 16:02:29 +0100
Subject: [PATCH] Base repository without python files.

---
 .bandit.yaml | 20 -----
 .gitignore | 4 +
 .gitlab-ci.yaml | 8 ++
 .gitlab/workflows/lint.yml | 32 --------
 .gitlab/workflows/security-bandit.yml | 54 ------------
 .gitlab/workflows/test.yml | 77 ------------------
 .isort.cfg | 5 --
 .pre-commit-config.yaml | 66 ++++------------
 .pylintrc | 8 --
 README.md | 22 +++++-
 docker-compose.yaml | 5 +-
 ...erfile.pre-commit => pre-commit.dockerfile | 0
 requirements-dev.txt | 2 -
 requirements.txt | 0
 tests/test_noop.py | 2 -
 tox.ini | 79 ------------------
 16 files changed, 48 insertions(+), 336 deletions(-)
 delete mode 100644 .bandit.yaml
 create mode 100644 .gitlab-ci.yaml
 delete mode 100644 .gitlab/workflows/lint.yml
 delete mode 100644 .gitlab/workflows/security-bandit.yml
 delete mode 100644 .gitlab/workflows/test.yml
 delete mode 100644 .isort.cfg
 delete mode 100644 .pylintrc
 rename tests/Dockerfile.pre-commit => pre-commit.dockerfile (100%)
 delete mode 100644 requirements-dev.txt
 delete mode 100644 requirements.txt
 delete mode 100644 tests/test_noop.py
 delete mode 100644 tox.ini

diff --git a/.bandit.yaml b/.bandit.yaml
deleted file mode 100644
index 544f267..0000000
--- a/.bandit.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-# Bandit config file.
-# BEWARE: Bandit does not use any configuration file by default
-# so you need to specify it using -c.
-# If you have lines in your code triggering vulnerability errors
-# and you are certain that this is acceptable, they can be individually
-# silenced by appending # nosec to the line:
-exclude_dirs:
-  - .tox
-  - .git
-  - .mypy_cache
-  - .pytest_cache
-  - .github
-  - venv
-  - tests
-
-# Skip assert inside test files.
-assert_used:
-  skips:
-    - "*/test_*.py"
diff --git a/.gitignore b/.gitignore
index f872e93..676889a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -130,3 +130,7 @@ dmypy.json
 
 # IDE
 .vscode/
+.idea/
+
+# CI
+.gitlab-ci-local/
diff --git a/.gitlab-ci.yaml b/.gitlab-ci.yaml
new file mode 100644
index 0000000..b398b1b
--- /dev/null
+++ b/.gitlab-ci.yaml
@@ -0,0 +1,8 @@
+super-linter:
+  stage: build
+  image:
+    name: github/super-linter:v3.15.5
+  script:
+    - "true"
+  variables:
+    RUN_LOCAL: "true"
diff --git a/.gitlab/workflows/lint.yml b/.gitlab/workflows/lint.yml
deleted file mode 100644
index a135621..0000000
--- a/.gitlab/workflows/lint.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Run the SuperLinter action with some custom setup.
-
-name: Lint
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: [ "main" ]
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  build:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      - name: Super-Linter
-        uses: github/super-linter@v3.15.5
-        env:
-          VALIDATE_MARKDOWN: false
-          # Disabled for conflicts with the isort version used in pre-commit
-          # you can re-enable it if you align your local isort with
-          # the one in the super-linter image.
-          VALIDATE_PYTHON_ISORT: false
-          VALIDATE_XML: false
-          VALIDATE_NATURAL_LANGUAGE: false
diff --git a/.gitlab/workflows/security-bandit.yml b/.gitlab/workflows/security-bandit.yml
deleted file mode 100644
index e357e36..0000000
--- a/.gitlab/workflows/security-bandit.yml
+++ /dev/null
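Review bot: The new job is written to `.gitlab-ci.yaml`, but GitLab looks for `.gitlab-ci.yml` unless the project's CI/CD configuration file setting points elsewhere, so as committed this pipeline is likely never picked up; the README hunk later in this patch links `.gitlab-ci.yml` while its example runs `gitlab-ci-local --file .gitlab-ci.yaml super-linter`, so the two names need to agree. `image.name: github/super-linter:v3.15.5` is a mutable tag; a digest pin such as `name: github/super-linter:v3.15.5@sha256:<digest-placeholder>` keeps the lint step reproducible and protects against the tag being republished. With `script` set to `"true"`, the linting presumably happens in the image entrypoint rather than in the script; a comment above `script:` stating that would save the next reader from assuming the job is a no-op.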
@@ -1,54 +0,0 @@
-# This is a basic workflow to help you get started with Actions
-
-name: "security-bandit"
-
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the master branch
-on:
-  push:
-    branches: [ "main" ]
-    paths-ignore:
-      - "ISSUE_TEMPLATE/**"
-  pull_request:
-    branches: [ "main" ]
-    paths-ignore:
-      - "ISSUE_TEMPLATE/**"
-
-permissions: read-all
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      # Runs a single command using the runners shell
-      - name: Python security check using Bandit
-        uses: ioggstream/bandit-report-artifacts@v1.7.4
-        with:
-          project_path: .
-          config_file: .bandit.yaml
-
-  super-sast:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - uses: actions/checkout@v3
-      - name: Test
-        run: |
-          echo UID=$(id -u) >> .env
-          docker run --rm --user=$(id -u) \
-            -v $PWD:/code \
-            -w /code \
-            -e MAVEN_OPTS=" -ntp " \
-            -e RUN_OWASP_DEPENDENCY_CHECK=false \
-            -e RUN_SPOTBUGS_CHECK=false \
-            -e RUN_SPOTLESS_CHECK=false \
-            -e RUN_SPOTLESS_APPLY=true \
-            -e HOME=/tmp \
-            -e USER=nobody \
-            -e BANDIT_CONFIG_FILE=/code/.bandit.yaml \
-            ghcr.io/par-tec/super-sast:latest
diff --git a/.gitlab/workflows/test.yml b/.gitlab/workflows/test.yml
deleted file mode 100644
index f19c9fb..0000000
--- a/.gitlab/workflows/test.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-# This workflow template runs:
-# - a tox container with tests
-# - a service container (eg. a database) to be used by tox tests.
-
-name: Test
-
-# Controls when the action will run.
-on:
-  # Triggers the workflow on push or pull request events but only for the main branch
-  push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
-
-  test-tox-job:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-    container: python:3.9-slim
-
-    # This stanza deploys a service container with
-    # the "rabbit" hostname. This is commented
-    # to save build time. Uncomment it if you need
-    # it!
-    # services:
-    #   rabbit:
-    #     image: rabbitmq:3-management
-    #     ports:
-    #       - 5672:5672
-
-    # ...then run the tox jobs referencing
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      # IMPORTANT!! By default `actions/checkout` just checkouts HEAD, so if you want
-      # to checkout tags and branches too (eg. to auto-version your deployments)
-      # you need to pass the `fetch-depth: 0` option. eg
-      #
-      # uses: actions/checkout@v2
-      # with:
-      #   fetch-depth: 0
-      - uses: actions/checkout@v2
-
-      - name: Run tests.
-        run: |
-          pip3 install tox
-          tox
-  test-pre-commit:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-    container: python:3.9
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Run commit hooks.
-        run: |
-          pip3 --no-cache-dir install pre-commit
-          git --version
-          pwd
-          ls -la
-          id
-          git config --global --add safe.directory $PWD
-          pre-commit install
-          pre-commit run -a
-
-      # Store (expiring) logs on failure.
-      # Retrieve artifacts via `gh run download`.
-      - uses: actions/upload-artifact@v3
-        if: failure()
-        with:
-          name: pre-commit.log
-          path: /github/home/.cache/pre-commit/pre-commit.log
-          retention-days: 5
diff --git a/.isort.cfg b/.isort.cfg
deleted file mode 100644
index d82f21e..0000000
--- a/.isort.cfg
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Align isort profile with black.
-#
-[tool.isort]
-profile = "black"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 49de7b4..76c95fe 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,55 +10,19 @@ repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v4.5.0
   hooks:
-  - id: trailing-whitespace
-  - id: end-of-file-fixer
-  - id: check-xml
-  - id: detect-private-key
-  - id: check-yaml
-    args: [--allow-multiple-documents]
-  - id: check-added-large-files
-- repo: https://github.com/myint/autoflake
-  rev: v2.2.1
-  hooks:
-  - id: autoflake
+    # Manage spaces.
+    - id: trailing-whitespace
+    - id: end-of-file-fixer
+    - id: check-added-large-files
+    - id: check-symlinks
+    # Check file syntax/format
+    - id: check-xml
+    - id: check-json
+    - id: check-yaml
+      args: [--allow-multiple-documents]
+    # Security checks.
+    - id: detect-private-key
+    - id: detect-aws-credentials
       args:
-    - --in-place
-    - --remove-unused-variables
-    - --remove-all-unused-imports
-- repo: https://github.com/psf/black
-  rev: 24.1.1
-  hooks:
-  - id: black
-- repo: https://github.com/pycqa/isort
-  rev: 5.13.2
-  hooks:
-  - id: isort
-    name: isort (python)
-    # Use black profile for isort to avoid conflicts
-    # see https://github.com/PyCQA/isort/issues/1518
-    args: ["--profile", "black"]
-  - id: isort
-    name: isort (cython)
-    types: [cython]
-  - id: isort
-    name: isort (pyi)
-    types: [pyi]
-- repo: https://github.com/PyCQA/flake8
-  rev: 7.0.0
-  hooks:
-  - id: flake8
-- repo: https://github.com/PyCQA/bandit
-  rev: 1.7.7
-  hooks:
-  - id: bandit
-    name: bandit
-    args: ["-c", ".bandit.yaml"]
-    description: 'Bandit is a tool for finding common security issues in Python code'
-    entry: bandit
-    language: python
-    language_version: python3
-    types: [python]
-- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
-  rev: v1.3.3
-  hooks:
-  - id: python-safety-dependencies-check
+        # See https://github.com/pre-commit/pre-commit-hooks/issues/174
+        - --allow-missing-credentials
diff --git a/.pylintrc b/.pylintrc
deleted file mode 100644
index d18d77b..0000000
--- a/.pylintrc
+++ /dev/null
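Review bot: `detect-aws-credentials` compares files against keys it finds locally in `~/.aws/credentials` and `AWS_SECRET_ACCESS_KEY`, so with `--allow-missing-credentials` a contributor without an AWS profile gets a hook that passes without inspecting anything; the comment above the flag only links the issue, so spell the consequence out: `# Only flags keys already present in ~/.aws/credentials or AWS_SECRET_ACCESS_KEY; with none configured locally the hook passes vacuously.` Keeping the flag is right, since without it the hook errors on machines that have no credentials, but the trade-off should be visible where the flag is set. The `repos:` list and the first nine lines of the file are outside this hunk, so any other hook sources defined there were not reviewed.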
@@ -1,8 +0,0 @@
-# .pylintr
-
-[TYPECHECK]
-#
-# Click mutates function signatures:
-# see https://click.palletsprojects.com/en/8.1.x/
-#
-signature-mutators=click.decorators.option
diff --git a/README.md b/README.md
index 56b9d40..1e827c7 100644
--- a/README.md
+++ b/README.md
@@ -1,14 +1,19 @@
-# Python Cookiecutter repository
+# Base Cookiecutter repository
 
 Python template repository including boilerplate workflows and CI.
 
 ```bash
-.bandit.yaml
 .pre-commit-config.yaml
 .github
 └── workflows
+.gitlab
+└── issue_templates
+└── merge_request_templates
+.gitlab-ci.yaml
 ```
 
+Delete unused folder after creating the repository.
+
 ## Creating a new project
 
 The name of a new project should be descriptive and short.
@@ -40,7 +45,7 @@ docker-compose run pre-commit
 Tune the Github pipelines in [.github/workflows](.github/workflows/).
 
 To speed up the development, you can test the pipeline with [act](https://github.com/nektos/act).
-Installing `act` is beyond the scope of this document.
+Its installation is beyond the scope of this document.
 
 To test the pipeline locally and ensure that secrets (e.g., service accounts and other credentials)
 are correctly configured, use:
@@ -50,3 +55,14 @@ are correctly configured, use:
 act -j test -s CI_API_TOKEN="$(cat gh-ci.json)" \
   -s CI_ACCOUNT=my-secret-account
 ```
+
+## Testing gitlab-ci
+
+Tune the Gitlab pipelines in [.gitlab-ci.yml](.gitlab-ci.yml).
+
+To speed up the development, you can test the pipeline with gitlab-ci-local.
+Its installation is beyond the scope of this document.
+
+```bash
+gitlab-ci-local --file .gitlab-ci.yaml super-linter
+```
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 13064b5..48d6a88 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,14 +1,14 @@
 #
 # Run this file using
 #
-# $ docker-compose up processor
+# $ docker-compose up pre-commit
 #
 version: "3.9"
 services:
   pre-commit:
     build:
       context: .
-      dockerfile: tests/Dockerfile.pre-commit
+      dockerfile: pre-commit.dockerfile
     working_dir: /code
     volumes:
       - .:/code
@@ -23,7 +23,6 @@ services:
       - IGNORE_GITIGNORED_FILES=true
     volumes:
       - .:/tmp/lint/
-      - ./tox.ini:/action/lib/.automation/.flake8
   # This container will run successfully
   # only if all dependencies return no errors.
   test:
diff --git a/tests/Dockerfile.pre-commit b/pre-commit.dockerfile
similarity index 100%
rename from tests/Dockerfile.pre-commit
rename to pre-commit.dockerfile
diff --git a/requirements-dev.txt b/requirements-dev.txt
deleted file mode 100644
index e1c44e2..0000000
--- a/requirements-dev.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-# Further requirements file for testing safety.
-pytest
diff --git a/requirements.txt b/requirements.txt
deleted file mode 100644
index e69de29..0000000
diff --git a/tests/test_noop.py b/tests/test_noop.py
deleted file mode 100644
index ee76f38..0000000
--- a/tests/test_noop.py
+++ /dev/null
@@ -1,2 +0,0 @@
-def test_noop():
-    assert True
diff --git a/tox.ini b/tox.ini
deleted file mode 100644
index dcbe1fb..0000000
--- a/tox.ini
+++ /dev/null
@@ -1,79 +0,0 @@
-[tox]
-envlist = py3, safety
-
-# By default, we do not publish a module.
-skipsdist=True
-
-[testenv]
-deps =
-    -rrequirements.txt
-    -rrequirements-dev.txt
-
-# Uncomment here to set an extra PIP_INDEX_URL
-# setenv =
-# PIP_EXTRA_INDEX_URL = https://mypypiserver.org
-
-setenv =
-    PYTHONPATH=:.:
-
-# To show pytest logs in console, use
-# tox -- --log-cli-level=DEBUG
-commands =
-    pytest {posargs}
-
-[testenv:safety]
-# Tune up this section (e.g., if safety does not use requirement files.)
-deps =
-    -rrequirements.txt
-    -rrequirements-dev.txt
-    safety
-
-setenv =
-    PYTHONPATH=:.:
-
-commands =
-    safety check --short-report -r requirements.txt
-
-[testenv:release]
-# Release with tox via:
-#
-# tox -e release -- $PARAMETERS
-#
-# passing the repo references you would set via
-# twine, eg:
-# --repository-url https://test.pypi.org/legacy/
-#
-# To pass
-deps =
-    build
-    twine
-    wheel
-
-# Limit TWINE_* to this section.
-passenv =
-    TWINE_USERNAME
-    TWINE_PASSWORD
-    TWINE_REPOSITORY_URL
-
-commands =
-# rm dist -rf
-    python -m build # sdist, or whatever
-    twine upload {posargs} dist/*
-
-
-# Uncomment the following section if you want to
-# test the installation on the test pypi
-# [testenv:test-release]
-#commands =
-# pip install --index-url=https://test.pypi.org/simple
-
-#
-# Tools configuration.
-#
-[flake8]
-# Ignore long lines in flake8 because
-# they are managed by black and we
-# want to support links.
-max-line-length = 150
-# Disable E203 because black correctly handles whitespaces before ':'.
-extend-ignore = E203