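--- a/PLACEHOLDER_PATH_copier_answers_file
+++ b/PLACEHOLDER_PATH_copier_answers_file
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit : v7.0.0
+_commit : v8.3.1
 _src_path : gh:eccenca/cmem-plugin-template
 author_mail : cmempy-developer@eccenca.com
 author_name : eccenca GmbH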
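--- a/PLACEHOLDER_PATH_github_workflow_file
+++ b/PLACEHOLDER_PATH_github_workflow_file
@@ -20,16 +20,23 @@ jobs:
 
 steps :
 - name : Check out repository
-uses : actions/checkout@v4
+uses : actions/checkout@v5
+
+- name : Cache Trivy DB
+id : cache-trivydb
+uses : actions/cache@v4
+with :
+path : .trivycache
+key : ${{ runner.os }}-trivydb
 
 - name : Install Task
 uses : arduino/setup-task@v2
 
 - name : Set up python
 id : setup-python
-uses : actions/setup-python@v5
+uses : actions/setup-python@v6
 with :
-python-version : ' 3.11 '
+python-version : ' 3.13 '
 
 - name : Install and configure poetry
 uses : snok/install-poetry@v1
@@ -57,9 +64,17 @@
 run : |
 task check:pytest
 
-- name : safety
+- name : deptry
+run : |
+task check:deptry
+
+- name : trivy
+env :
+TRIVY_NO_PROGRESS : " true"
+TRIVY_CACHE_DIR : " .trivycache/"
+TRIVY_DISABLE_VEX_NOTICE : " true"
 run : |
-task check:safety
+task check:trivy
 
 - name : Publish Test Report in Action
 uses : mikepenz/action-junit-report@v4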
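Review bot: The `Cache Trivy DB` step uses the fixed key `${{ runner.os }}-trivydb`, and actions/cache only saves an entry when the key misses, so `.trivycache` is stored once and served unchanged on every later run; Trivy appears to refresh an outdated DB on its own, so findings are not missed, but the cache then stops saving any download after the first run that populated it. A rotating key with a prefix fallback keeps a current copy, e.g. `key: ${{ runner.os }}-trivydb-${{ github.run_id }}` plus `restore-keys: ${{ runner.os }}-trivydb-`. The env values render as `" true"` and `" .trivycache/"` with a leading space inside the quotes; if that space is real rather than a display artifact, `TRIVY_CACHE_DIR` no longer matches the cache step's `path: .trivycache` and `TRIVY_NO_PROGRESS` is no longer the literal `true`.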
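--- a/PLACEHOLDER_PATH_gitlab_ci_file
+++ b/PLACEHOLDER_PATH_gitlab_ci_file
@@ -1,6 +1,6 @@
 ---
 default :
-image : docker-registry.eccenca.com/eccenca-python:v3.11.4
+image : docker-registry.eccenca.com/eccenca-python:v3.13.8
 # all jobs can be interrupted in case a new commit is pushed
 interruptible : true
 before_script :
@@ -53,22 +53,32 @@ pytest:
 junit :
 - dist/junit-pytest.xml
 paths :
-- dist/badge-coverage.svg
-- dist/badge-tests.svg
-- dist/coverage
-- dist/coverage.xml
+- dist/*
 
-safety :
+deptry :
 stage : test
 script :
-- task check:safety
+- task check:deptry
+
+trivy :
+stage : test
+variables :
+TRIVY_NO_PROGRESS : " true"
+TRIVY_CACHE_DIR : " .trivycache/"
+TRIVY_DISABLE_VEX_NOTICE : " true"
+script :
+- task check:trivy
+cache :
+paths :
+- .trivycache/
 
 build :
 stage : build
 needs :
 - mypy
 - pytest
-- safety
+- trivy
+- deptry
 script :
 - task build
 artifacts :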
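Review bot: The new `trivy` job declares `cache:` with `paths: - .trivycache/` but no `key:`, so it falls back to GitLab's shared default cache key; any other job in this pipeline that also caches without a key (none is visible in this hunk) would overwrite the Trivy DB entry with its own paths and vice versa, after which the DB is downloaded from scratch again. Adding `key: trivydb` under `cache:` gives the DB its own entry. The `pytest` artifact list is also widened from four named files to `dist/*`, so anything a test run writes into `dist/` is now uploaded; worth confirming that directory only ever holds the intended reports.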
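--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,4 @@
+# .trivyignore
+
+# ignore 51358 safety - dev dependency only
+CVE-2022-39280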
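Review bot: The only justification for suppressing `CVE-2022-39280` is the comment carried over from the Safety call, `ignore 51358 safety - dev dependency only`, where 51358 is a Safety database id rather than anything Trivy reports, and "dev dependency only" sits oddly next to the Taskfile's `--include-dev-deps`, which scans development dependencies on purpose. Name the affected package and the reason the finding does not apply, e.g. `# CVE-2022-39280 (<PACKAGE>): dev-only dependency, not shipped with the plugin; re-check on the next bump`, or move to `.trivyignore.yaml`, whose entries take an `expired_at` date so the exception is revisited automatically. The two other Safety ignores (jinja2 and pip) were dropped rather than ported, which is the right default when switching scanners.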
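--- a/PLACEHOLDER_PATH_taskfile
+++ b/PLACEHOLDER_PATH_taskfile
@@ -20,9 +20,11 @@ includes:
 custom :
 taskfile : ./TaskfileCustom.yaml
 optional : true
+flatten : true
 plugin :
 taskfile : .tasks-plugin.yml
 optional : true
+flatten : true
 
 tasks :
 
@@ -49,7 +51,7 @@
 Check poetry versioning plugin. Currently not under Windows
 run : once
 preconditions :
-- sh : ' [ -d .git ] '
+- sh : git -C . rev-parse
 msg : >
 Your newly created project directory needs to be initialized
 as a git repository.
@@ -68,7 +70,6 @@
 | head -1 | cut -d " " -f 2 | cut -d "." -f 1-2
 
 poetry:install :
-internal : true
 desc : Install dependencies managed by Poetry
 run : once
 deps :
@@ -110,7 +111,8 @@ tasks:
 cmds :
 - task : check:ruff
 - task : check:mypy
-- task : check:safety
+- task : check:deptry
+- task : check:trivy
 
 check:pytest :
 desc : Run unit and integration tests
@@ -152,14 +154,22 @@ tasks:
 vars :
 JUNIT_FILE : ./{{.DIST_DIR}}/junit-mypy.xml
 
-check:safety :
-desc : Complain about vulnerabilities in dependencies
+check:trivy :
+desc : Scan for vulnerabilities using Trivy
+<< : *preparation
+cmds :
+- >
+poetry run trivy fs
+--include-dev-deps
+--scanners vuln
+--exit-code 1
+.
+
+check:deptry :
+desc : Complain about unused or missing dependencies
 << : *preparation
 cmds :
-# ignore 51358 safety - dev dependency only
-# ignore 74735 jinja2 - dev dependency only
-# ignore 75180 pip - dev dependency only
-- poetry run safety check -i 51358 -i 74735 -i 75180
+- poetry run deptry .
 
 check:ruff :
 desc : Complain about everything else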
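Review bot: `check:trivy` passes `--scanners vuln`, which switches off the secret scanner that `trivy fs` otherwise runs by default, so the task does not cover credentials committed into the working tree; if a like-for-like replacement of `check:safety` is the intent, say so in `desc`, otherwise drop the flag or use `--scanners vuln,secret`. The removed `check:safety` comments listed the ignored ids next to the command, whereas the Trivy suppressions now live in a separate file, so a one-line comment above the `trivy fs` command, e.g. `# suppressions are maintained in .trivyignore`, keeps that visible to whoever reads the task. Separately, the precondition `git -C . rev-parse` also succeeds from any subdirectory of an existing repository, unlike the former `[ -d .git ]`, so the `msg` about initialising the project directory now describes a stricter check than the one performed.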