.github/workflows/lint.yaml

---
name: "Lint"
on: # yamllint disable-line rule:truthy
  push:
    branches:
      - "main"
  pull_request:
    branches: ["*"]
jobs:
  lint:
    name: "Format & Lint"
    runs-on: "ubuntu-latest"
    strategy:
      matrix:
        python-version:
          - "3.10"
      fail-fast: false
    steps:
      - uses: "actions/checkout@v4"
      - uses: "bewuethr/yamllint-action@v1.3.0"
        with:
          config-file: ".yamllint"
      - uses: "actions/setup-python@v5"
        with:
          python-version: "3.10"
      - name: "Setup Python Environment"
        run: "pip install -U pip virtualenv"
      - name: "Install Dependencies"
        run: |
          virtualenv ~/.cache/virtualenv/authzedpy
          source ~/.cache/virtualenv/authzedpy/bin/activate
          pip install poetry
          poetry env info
          poetry install --only dev
      - name: "Pyflakes"
        run: |
          source ~/.cache/virtualenv/authzedpy/bin/activate
          find . -name "*.py" | grep -v "_pb2" | xargs pyflakes
      - name: "Blacken"
        run: |
          source ~/.cache/virtualenv/authzedpy/bin/activate
          black --check --diff .
      - name: "Isort"
        run: |
          source ~/.cache/virtualenv/authzedpy/bin/activate
          find . -name "*.py" | grep -v "_pb2" | xargs isort --check --diff
  codeql:
    name: "Analyze with CodeQL"
    runs-on: "ubuntu-latest"
    permissions:
      actions: "read"
      contents: "read"
      security-events: "write"
    strategy:
      fail-fast: false
      matrix:
        language: ["python"]
    steps:
      - uses: "actions/checkout@v4"
      - uses: "authzed/actions/codeql@main"
  trivy:
    name: "Analyze with Trivy"
    runs-on: "ubuntu-latest"
    steps:
      - uses: "actions/checkout@v4"
      - name: "Run Trivy vulnerability scanner"
        uses: "aquasecurity/trivy-action@master"
        with:
          scan-type: "fs"
          ignore-unfixed: true
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL"
      - name: "Upload Trivy scan results to GitHub Security tab"
        uses: "github/codeql-action/upload-sarif@v3"
        with:
          sarif_file: "trivy-results.sarif"
  mypy:
    name: "Type Check with Mypy"
    runs-on: "ubuntu-latest"
    steps:
      - uses: "actions/checkout@v4"
      - uses: "actions/setup-python@v5"
        with:
          python-version: "3.10"
      - name: "Setup Python Environment"
        run: "pip install -U pip virtualenv"
      - name: "Install Dependencies"
        run: |
          virtualenv ~/.cache/virtualenv/authzedpy
          source ~/.cache/virtualenv/authzedpy/bin/activate
          pip install poetry
          poetry env info
          poetry install --only dev
      - name: "mypy"
        run: |
          source ~/.cache/virtualenv/authzedpy/bin/activate
          mypy authzed