Skip to content

[StepSecurity] Apply security best practices (#42) #3370

[StepSecurity] Apply security best practices (#42)

[StepSecurity] Apply security best practices (#42) #3370

Workflow file for this run

# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
name: CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 2 * * *'
permissions:
contents: read
jobs:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
release_test:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
python-version: ["3.8", "3.9", "3.10", "3.11"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: ${{ matrix.python-version }}
cache: 'pip'
- name: Upgrade PIP
run: |
# windows requires update pip via python module
python -m pip install --upgrade pip
- name: Install application
run: |
pip install .
- name: Remove sources dir to check installation
if: runner.os != 'Windows'
run: rm -rf credsweeper
- name: Remove sources dir to check installation WINDOWS PowerShell
if: runner.os == 'Windows'
run: Remove-Item -Path credsweeper -Force -Recurse
- name: CLI tool check
run: |
credsweeper --help
- name: Install test framework dependencies
run: |
pip install pytest pytest-random-order deepdiff
- name: UnitTest with pytest
run: |
# put the command into one line to use in various OS to avoid processing differences in new line char sequence
pytest --random-order --random-order-bucket=global tests
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
development_test:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.8", "3.9", "3.10", "3.11"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: ${{ matrix.python-version }}
- name: Install requirements
run: |
python -m pip install --upgrade pip
python -m pip install --requirement requirements.txt
- name: UnitTest with pytest and coverage
run: |
mkdir -vp xmlcov
python -m \
pytest \
--random-order \
--random-order-bucket=global \
--ignore=docs \
--ignore=experiment \
--ignore=fuzz \
--ignore=tests/test_app.py \
--cov=credsweeper \
--cov-report html:coverage_html/ \
--cov-report xml:xmlcov/coverage.xml \
tests \
;
- name: ApplicationTest with pytest
run: |
python -m \
pytest \
--random-order \
--random-order-bucket=global \
tests/test_app.py \
;
- name: Check unit-test coverage
run: |
if [ ! -f xmlcov/coverage.xml ]; then echo "xmlcov/coverage.xml does not exist"; exit 1; fi
COVERED=$(grep '<coverage .*>' xmlcov/coverage.xml | sed 's/.* lines-covered="\([0-9]\+\)" .*/\1/')
echo "COVERED=${COVERED}"
VALID=$(grep '<coverage .*>' xmlcov/coverage.xml | sed 's/.* lines-valid="\([0-9]\+\)" .*/\1/')
echo "VALID=${VALID}"
if [ -z "${COVERED}" ] || [ -z "${VALID}" ] || [ ${VALID} -eq 0 ]; then echo "'${VALID}' or '${COVERED}' fail"; exit 1; fi
COVERAGE=$(python -c "print (round(100 * ${COVERED} / ${VALID}, 2))")
DESCRIPTION="Coverage of lines: ${COVERED} : ${VALID} = ${COVERAGE}%"
echo "${DESCRIPTION}"
if [ $(( 1000 * ${COVERED} / ${VALID} )) -lt 800 ]; then
echo "Coverage should be not less than 80% !"
exit 1
else
echo "Satisfied coverage"
fi
- name: HTML coverage reports
if: always()
uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
with:
name: coverage_html-${{ matrix.python-version }}
path: coverage_html
- name: Upload coverage reports to Codecov
if: ${{ matrix.python-version == '3.8' }}
uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: xmlcov/coverage.xml
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #