RustamovAkrom
diff --git a/‎.gitattributes‎
Lines changed: 4 additions & 0 deletions b/‎.gitattributes‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/SECURITY.md‎
Lines changed: 6 additions & 0 deletions b/‎.github/SECURITY.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 14 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 44 additions & 8 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 44 additions & 8 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 32 additions & 0 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎.github/workflows/notify-telegram.yml‎
Lines changed: 13 additions & 22 deletions b/‎.github/workflows/notify-telegram.yml‎
Lines changed: 13 additions & 22 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 34 additions & 8 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 34 additions & 8 deletions
@@ -0,0 +1,4 @@
+* text=auto
+*.py text eol=lf
+*.toml text eol=lf
+*.yaml text eol=lf
@@ -0,0 +1,6 @@
+# Security Policy
+
+If you found a security vulnerability, please reach out to akromjonrustamov56@gmail.com (or open a private issue).
+We will respond within 72 hours.
+
+Preferred disclosure: private report to the above address.
@@ -0,0 +1,14 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/" 
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    rebase-strategy: "auto"
+    # optional: ignore dev deps or certain packages
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
@@ -12,40 +12,76 @@ jobs:
     strategy:
       matrix:
         python-version: [3.12]
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
-      
+          cache: "pip"
+
       - name: Install UV
         run: |
           python -m pip install --upgrade pip
           pip install uv
 
+      - name: Cache UV virtualenv
+        uses: actions/cache@v4
+        with:
+          path: |
+            .venv
+            ~/.cache/uv
+          key: ${{ runner.os }}-uv-${{ hashFiles('pyproject.toml') }}
+          restore-keys: |
+            ${{ runner.os }}-uv-
+
       - name: Sync dependencies
         run: uv sync
 
       - name: Run Pre-commit checks
         uses: pre-commit/action@v3.0.0
         with:
           extra_args: --all-files
-          
+
       - name: Clear pre-commit cache
         run: pre-commit clean
 
-      - name: Run type checking
+      - name: Run Mypy
         run: uv run mypy src/
 
-      - name: Run linter
+      - name: Run Ruff
         run: uv run ruff check src/
 
-      - name: Run tests
+      - name: Run Tests
         env:
-          # Для CI подставляем тестовые значения
+          ENV: test
           MAIL_USERNAME: test@example.com
           MAIL_PASSWORD: testpass
-        run: uv run pytest -v tests
+        run: uv run pytest -v --disable-warnings --maxfail=1
+      
+      # - name: Install security tools
+      #   run: |
+      #     python -m pip install --upgrade pip
+      #     pip install pip-audit bandit safety
+
+      - name: Dependency security audit (pip-audit)
+        run: |
+          pip-audit --format=human
+
+      - name: Static security scan (Bandit)
+        run: |
+          bandit -r src -ll
+
+      - name: Safety check (optional)
+        run: |
+          safety check
+
+      - name: Upload pytest cache
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: pytest-cache
+          path: .pytest_cache/
@@ -0,0 +1,32 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: "0 3 * * 0"
+
+jobs:
+  analyze:
+    name: Analyze (CodeQL)
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: python
+
+      - name: Autobuild (if needed)
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Run CodeQL analysis
+        uses: github/codeql-action/analyze@v2
@@ -1,37 +1,28 @@
 name: Telegram Notifications
 
 on:
-  push:
-    branches: [ main ]
-  pull_request:
+  workflow_run:
+    workflows: ["CI Pipeline"]
+    types:
+      - completed
 
 jobs:
   notify:
     runs-on: ubuntu-latest
     steps:
-      - name: Push Notification
-        if: github.event_name == 'push'
+      - name: Send Telegram Message
         uses: appleboy/telegram-action@master
         with:
           token: ${{ secrets.TELEGRAM_BOT_TOKEN }}
           to: ${{ secrets.TELEGRAM_CHAT_ID }}
           format: markdown
           message: |
-            📌 *Push Event*  
-            Repository: [${{ github.repository }}](https://github.com/${{ github.repository }})  
-            Branch: `${{ github.ref }}`  
-            Author: `${{ github.actor }}`
+            🚀 *CI Pipeline Finished*
+            Repository: [${{ github.repository }}](https://github.com/${{ github.repository }})
+            Status: *${{ github.event.workflow_run.conclusion }}*
+            Branch: `${{ github.event.workflow_run.head_branch }}`
+            Commit: `${{ github.event.workflow_run.head_sha }}`
 
-      - name: Pull Request Notification
-        if: github.event_name == 'pull_request'
-        uses: appleboy/telegram-action@master
-        with:
-          token: ${{ secrets.TELEGRAM_BOT_TOKEN }}
-          to: ${{ secrets.TELEGRAM_CHAT_ID }}
-          format: markdown
-          message: |
-            🔀 *Pull Request Event*  
-            Repository: [${{ github.repository }}](https://github.com/${{ github.repository }})  
-            Action: `${{ github.event.action }}`  
-            PR: [#${{ github.event.number }} - ${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }})  
-            Author: `${{ github.event.pull_request.user.login }}`
+            👤 Author: `${{ github.event.workflow_run.actor }}`
+
+            🔗 [Open Workflow Run](${{ github.event.workflow_run.html_url }})
@@ -142,4 +142,4 @@ dmypy.json
 cython_debug/
 .ruff_cache/
 database.db
-__pycache__/
+__pycache__/
@@ -1,20 +1,46 @@
 repos:
-  # - repo: https://github.com/pre-commit/mirrors-isort
-  #   rev: v5.10.1
-  #   hooks:
-  #     - id: isort
-      
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-ast
+      - id: end-of-file-fixer
+
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: [--baseline, .secrets.baseline]
+
   - repo: https://github.com/psf/black
-    rev: 24.1.0
+    rev: 25.12.0
     hooks:
       - id: black
 
-  - repo: https://github.com/charliermarsh/ruff-pre-commit
-    rev: v0.14.7
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.14.8
     hooks:
       - id: ruff
+        args: [--fix]
 
   - repo: https://github.com/pre-commit/mirrors-mypy
     rev: v1.19.0
     hooks:
       - id: mypy
+# repos:
+#   - repo: https://github.com/psf/black
+#     rev: 24.1.0
+#     hooks:
+#       - id: black
+
+#   - repo: https://github.com/astral-sh/ruff-pre-commit
+#     rev: v0.4.7
+#     hooks:
+#       - id: ruff
+#         args: [--fix]
+
+#   - repo: https://github.com/pre-commit/mirrors-mypy
+#     rev: v1.19.0
+#     hooks:
+#       - id: mypy
+#         args: [--ignore-missing-imports]