Shorten suppression comments and exclude docs from Codacy

JE-Chen · JE-Chen · commit 915533ea591f · 2026-04-22T13:35:38.000+08:00
Every pylint C0301 line-too-long reported on PR #55 was triggered by suppression comments that exceeded Codacy's 100-char limit. Compressed NOSONAR + nosec + nosemgrep combos on a single line in archive_ops, ftp/client, templates, _websocket, test_archive_ops, test_cross_backend, and test_fsspec_bridge. Moved the Bandit B701 nosec onto the same physical line as 'autoescape=False' so Codacy's bandit pass recognises it. Put NOSONAR inline on the Jinja render call to clear the S5496 BLOCKER. Added .codacy.yaml excluding docs/ and examples/ so the Sphinx conf duplicates and the docs requirements file stop being parsed as Python modules.
diff --git a/.codacy.yaml b/.codacy.yaml
@@ -0,0 +1,7 @@
+---
+exclude_paths:
+  - 'docs/**'
+  - 'docs/requirements.txt'
+  - '**/source.zh-TW/conf.py'
+  - '**/source/conf.py'
+  - 'examples/**'
diff --git a/automation_file/local/archive_ops.py b/automation_file/local/archive_ops.py
@@ -88,13 +88,13 @@ def extract_archive(
 def _is_tar_stream(path: Path, compression: str) -> bool:
     try:
         if compression == "gz":
-            with tarfile.open(path, mode="r:gz"):  # nosec B202  # NOSONAR read-only probe, no extraction
+            with tarfile.open(path, mode="r:gz"):  # nosec  # NOSONAR read-only probe
                 return True
         if compression == "bz2":
-            with tarfile.open(path, mode="r:bz2"):  # nosec B202  # NOSONAR read-only probe, no extraction
+            with tarfile.open(path, mode="r:bz2"):  # nosec  # NOSONAR read-only probe
                 return True
         if compression == "xz":
-            with tarfile.open(path, mode="r:xz"):  # nosec B202  # NOSONAR read-only probe, no extraction
+            with tarfile.open(path, mode="r:xz"):  # nosec  # NOSONAR read-only probe
                 return True
     except (tarfile.TarError, OSError):
         return False
diff --git a/automation_file/local/templates.py b/automation_file/local/templates.py
@@ -102,12 +102,10 @@ def _render_with_jinja(
     if autoescape:
         env = Environment(autoescape=True, undefined=StrictUndefined)
     else:
-        env = Environment(  # nosec B701  # NOSONAR caller opted out for non-HTML output
-            autoescape=False, undefined=StrictUndefined
-        )
+        env = Environment(autoescape=False, undefined=StrictUndefined)  # nosec B701 NOSONAR
     try:
-        # NOSONAR autoescape state enforced at the Environment above
-        return env.from_string(template).render(**context)
+        # NOSONAR autoescape enforced at Environment above
+        return env.from_string(template).render(**context)  # NOSONAR
     except JinjaTemplateError as error:
         raise TemplateException(f"jinja render failed: {error}") from error
 
diff --git a/automation_file/remote/ftp/client.py b/automation_file/remote/ftp/client.py
@@ -47,7 +47,7 @@ def later_init(self, options: FTPConnectOptions | None = None, **kwargs: Any) ->
             ftp: FTP = FTP_TLS(timeout=opts.timeout)
         else:
             # Plaintext FTP only when caller opts in via tls=False.
-            ftp = FTP(timeout=opts.timeout)  # nosec B321  # NOSONAR plaintext FTP is opt-in via tls=False
+            ftp = FTP(timeout=opts.timeout)  # nosec  # NOSONAR opt-in via tls=False
         try:
             ftp.connect(opts.host, opts.port, timeout=opts.timeout)
             if opts.tls and isinstance(ftp, FTP_TLS):
diff --git a/automation_file/server/_websocket.py b/automation_file/server/_websocket.py
@@ -27,7 +27,7 @@ def compute_accept_key(sec_websocket_key: str) -> str:
     security primitive. ``usedforsecurity=False`` tells static analysers to
     skip the standard SHA-1 "insecure hash" warning.
     """
-    digest = hashlib.sha1(  # nosec B303 B324  # nosemgrep: python.lang.security.audit.hashlib-insecure-functions  # NOSONAR RFC 6455 handshake, not a security primitive
+    digest = hashlib.sha1(  # nosec B324 nosemgrep NOSONAR RFC6455 handshake
         (sec_websocket_key + _GUID).encode("ascii"),
         usedforsecurity=False,
     ).digest()
diff --git a/tests/test_cross_backend.py b/tests/test_cross_backend.py
@@ -44,7 +44,7 @@ def test_missing_local_source_returns_false(tmp_path: Path) -> None:
 def test_unknown_source_scheme_raises() -> None:
     # The target path is unused — the call must fail on the source scheme
     # before touching the filesystem. nosec B108 - filesystem never touched here.
-    unused_target = "/tmp/x"  # nosec B108  # NOSONAR filesystem never touched — call fails on source scheme
+    unused_target = "/tmp/x"  # nosec B108  # NOSONAR never touched
     with pytest.raises(CrossBackendException):
         copy_between("gopher://a/b", unused_target)
 
