WIP update to work with MXLIMS 0.6.9 (rhfogh: rhfogh_mxlims_2025) #457
Workflow file for this run
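---
# Static security analysis for the repository: Bandit (Python SAST) and a
# SonarCloud scan. Bandit runs on every event; SonarCloud only where the
# SONAR_TOKEN secret is available (see the `if:` on that job).
#
# NOTE(review): every `uses:` below references a mutable major tag. For
# supply-chain hardening, pin each action to a full commit SHA and keep the
# tag in a trailing comment (e.g. `@<FULL-SHA>  # v4`).
name: Bandit and SonarQube

# Quoted so YAML 1.1 parsers do not read the key `on` as the boolean true.
"on":
  pull_request: null
  push:
    branches: [develop]
  workflow_dispatch: null

jobs:
  bandit:
    runs-on: ubuntu-latest
    # Least privilege: checkout and upload-artifact only need read access to
    # the repository. Re-add `security-events: write` (and `actions: read` on
    # private repositories) only if a SARIF / code-scanning upload step is
    # introduced; nothing in this job currently uses them.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Generate Bandit skips from Ruff
        id: bandit_skips
        # Extract all Ruff security rules (Sxxx), convert them to Bandit codes
        # (Bxxx) and join them as a comma-separated list for Bandit's --skip
        # option. This keeps Bandit and Ruff in sync, so security rules
        # ignored in Ruff are also skipped by Bandit.
        run: |
          # The default `run` shell is `bash -e` without pipefail, so a failing
          # `ruff` or `jq` stage would otherwise produce an empty skip list and
          # a green step. Fail loudly instead.
          set -o pipefail
          # NOTE(review): both packages are installed unpinned, so the skip
          # list depends on whichever ruff version resolves on the day. The
          # PyPI `jq` package provides Python bindings rather than the `jq`
          # CLI; the CLI used below is presumably the one preinstalled on the
          # ubuntu-latest image -- confirm the pip dependency is still needed.
          pip install ruff jq
          # Rule codes have the shape S### so `sed 's/S/B/'` only rewrites the
          # leading letter.
          SKIPS=$(ruff rule --all --output-format json \
            | jq -r '.[] | select(.code | test("^S[0-9]{3}$")) | .code' \
            | sed 's/S/B/' \
            | paste -sd, -)
          # Quoted to avoid word splitting if the path ever contains spaces.
          echo "skips=$SKIPS" >> "$GITHUB_OUTPUT"

      - name: Install Bandit
        run: pip install 'bandit>=1.7.4'

      - name: Run Bandit
        # `|| true` makes this step advisory: findings never fail the job and
        # are only published via the artifact below (there is no SARIF or
        # code-scanning upload), so results.json has to be reviewed by hand.
        run: |
          bandit -r . \
            --exclude ./test/ \
            --severity-level medium \
            --confidence-level high \
            --skip "${{ steps.bandit_skips.outputs.skips }}" \
            --format json \
            -o results.json || true

      - name: Upload Bandit results as artifact
        uses: actions/upload-artifact@v4
        with:
          name: bandit-results
          path: results.json

  sonarcloud:
    name: SonarCloud Scan
    runs-on: ubuntu-latest
    # Least privilege: the scanner authenticates with SONAR_TOKEN, not with
    # GITHUB_TOKEN, so no write scopes are required here.
    permissions:
      contents: read
    # Run only for pushes to the upstream repository and for pull requests
    # whose head branch lives in it: repository secrets such as SONAR_TOKEN
    # are not exposed to pull requests from forks, so the scan would fail.
    if: |
      (github.event_name == 'push' && github.repository == 'mxcube/mxcubecore') ||
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == 'mxcube/mxcubecore')
    steps:
      - uses: actions/checkout@v4

      # The Sonar scanner is a JVM application and needs a JDK on the runner.
      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'

      - name: Cache SonarCloud packages
        uses: actions/cache@v3
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar

      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@v2
        with:
          # Coverage and duplicate-code (cpd) analysis are switched off for
          # the whole tree; only the rule-based analysis runs.
          args: >
            -Dsonar.organization=mxcubeweb
            -Dsonar.projectKey=mxcube_mxcubecore
            -Dsonar.coverage.exclusions=**
            -Dsonar.cpd.exclusions=**
            -Dsonar.cpd.skip=true
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}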