
Commit 338cfd8

committed
update dependencies and template
1 parent 9b05fbd commit 338cfd8

7 files changed

Lines changed: 173 additions & 115 deletions


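--- a/.copier-answers.yml
+++ b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v7.0.0
+_commit: v8.3.1
 _src_path: gh:eccenca/cmem-plugin-template
 author_mail: cmempy-developer@eccenca.com
 author_name: eccenca GmbH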

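--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -20,16 +20,23 @@ jobs:
 
 steps:
 - name: Check out repository
-uses: actions/checkout@v4
+uses: actions/checkout@v5
+
+- name: Cache Trivy DB
+id: cache-trivydb
+uses: actions/cache@v4
+with:
+path: .trivycache
+key: ${{ runner.os }}-trivydb
 
 - name: Install Task
 uses: arduino/setup-task@v2
 
 - name: Set up python
 id: setup-python
-uses: actions/setup-python@v5
+uses: actions/setup-python@v6
 with:
-python-version: '3.11'
+python-version: '3.13'
 
 - name: Install and configure poetry
 uses: snok/install-poetry@v1
@@ -57,9 +64,17 @@ jobs:
 run: |
 task check:pytest
 
-- name: safety
+- name: deptry
+run: |
+task check:deptry
+
+- name: trivy
+env:
+TRIVY_NO_PROGRESS: "true"
+TRIVY_CACHE_DIR: ".trivycache/"
+TRIVY_DISABLE_VEX_NOTICE: "true"
 run: |
-task check:safety
+task check:trivy
 
 - name: Publish Test Report in Action
 uses: mikepenz/action-junit-report@v4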
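Review bot: The cache key `${{ runner.os }}-trivydb` on the new "Cache Trivy DB" step never changes, so after the first save every run is an exact hit and actions/cache does not write a refreshed database back; the cached copy only gets older. Trivy normally detects a stale database and downloads a current one, so scan results should stay correct, but the cache then saves no time and every run depends on the download. A rotating key with a prefix fallback keeps the cache fresh: `key: ${{ runner.os }}-trivydb-${{ github.run_id }}` together with `restore-keys: ${{ runner.os }}-trivydb-`. The `steps:` list starts and continues outside these hunks.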

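--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,6 @@
 ---
 default:
-image: docker-registry.eccenca.com/eccenca-python:v3.11.4
+image: docker-registry.eccenca.com/eccenca-python:v3.13.8
 # all jobs can be interrupted in case a new commit is pushed
 interruptible: true
 before_script:
@@ -53,22 +53,32 @@ pytest:
 junit:
 - dist/junit-pytest.xml
 paths:
-- dist/badge-coverage.svg
-- dist/badge-tests.svg
-- dist/coverage
-- dist/coverage.xml
+- dist/*
 
-safety:
+deptry:
 stage: test
 script:
-- task check:safety
+- task check:deptry
+
+trivy:
+stage: test
+variables:
+TRIVY_NO_PROGRESS: "true"
+TRIVY_CACHE_DIR: ".trivycache/"
+TRIVY_DISABLE_VEX_NOTICE: "true"
+script:
+- task check:trivy
+cache:
+paths:
+- .trivycache/
 
 build:
 stage: build
 needs:
 - mypy
 - pytest
-- trivy
+- deptry
 script:
 - task build
 artifacts: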
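Review bot: The artifact glob `- dist/*` in the pytest job uploads everything the job leaves in dist/, not just the four report paths it replaces, so any log or config dump a test writes there becomes a downloadable job artifact. Whether other files land in dist/ cannot be seen from this hunk. If only the badges, coverage and JUnit output are wanted, keep the explicit list and add new report paths by name. Otherwise record the assumption with a comment such as `# dist/ holds only generated reports; nothing sensitive may be written here`. The pytest and build job definitions start and end outside the hunk.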

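--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,4 @@
+# .trivyignore
+
+# ignore 51358 safety - dev dependency only
+CVE-2022-39280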
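Review bot: The justification above `CVE-2022-39280` still reads `# ignore 51358 safety - dev dependency only`, which quotes an advisory id from the Safety database and names the tool this commit removes, so the suppression cannot be tied to a package. A reader cannot tell from this file which dependency is affected or whether the entry is still needed; if the affected package was only pulled in by `safety`, the ignore may already be obsolete, which the visible hunks cannot confirm. State the package and reason in Trivy's own terms, for example `# CVE-2022-39280 (<package>): dev dependency only, not shipped; re-check by <date>`. The other two ids the old Taskfile ignored (74735, 75180) have no counterpart here, which is worth a deliberate confirmation.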

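--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -20,9 +20,11 @@ includes:
 custom:
 taskfile: ./TaskfileCustom.yaml
 optional: true
+flatten: true
 plugin:
 taskfile: .tasks-plugin.yml
 optional: true
+flatten: true
 
 tasks:
 
@@ -49,7 +51,7 @@ tasks:
 Check poetry versioning plugin. Currently not under Windows
 run: once
 preconditions:
-- sh: '[ -d .git ]'
+- sh: git -C . rev-parse
 msg: >
 Your newly created project directory needs to be initialized
 as a git repository.
@@ -68,7 +70,6 @@ tasks:
 | head -1 | cut -d " " -f 2 | cut -d "." -f 1-2
 
 poetry:install:
-internal: true
 desc: Install dependencies managed by Poetry
 run: once
 deps:
@@ -110,7 +111,8 @@ tasks:
 cmds:
 - task: check:ruff
 - task: check:mypy
-- task: check:safety
+- task: check:deptry
+- task: check:trivy
 
 check:pytest:
 desc: Run unit and integration tests
@@ -152,14 +154,22 @@ tasks:
 vars:
 JUNIT_FILE: ./{{.DIST_DIR}}/junit-mypy.xml
 
-check:safety:
-desc: Complain about vulnerabilities in dependencies
+check:trivy:
+desc: Scan for vulnerabilities using Trivy
+<<: *preparation
+cmds:
+- >
+poetry run trivy fs
+--include-dev-deps
+--scanners vuln
+--exit-code 1
+.
+
+check:deptry:
+desc: Complain about unused or missing dependencies
 <<: *preparation
 cmds:
-# ignore 51358 safety - dev dependency only
-# ignore 74735 jinja2 - dev dependency only
-# ignore 75180 pip - dev dependency only
-- poetry run safety check -i 51358 -i 74735 -i 75180
+- poetry run deptry .
 
 check:ruff:
 desc: Complain about everything else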
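Review bot: The new `check:trivy` task gives no hint that findings are suppressed in `.trivyignore`, whereas the removed `check:safety` task kept its three ignores and their reasons right next to the command. Because the command passes `--include-dev-deps` and `--exit-code 1` without a severity filter, any finding in any dependency fails the check, so that ignore file will be edited under pressure and needs a visible rule. A comment above the command would do, e.g. `# suppressions live in .trivyignore; every entry needs the package name and a reason`. The `*preparation` anchor and the `check:ruff` task are defined outside this hunk.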
