m4.2_sql_to_arc/.github/workflows/python-quality.yml at main · fairagro/m4.2_sql_to_arc · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: Python Code Quality (Reusable)

on:
  workflow_call: {}

permissions:
  contents: read

jobs:
  code-quality:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.12']

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Install uv
      uses: astral-sh/setup-uv@v4
      with:
        version: "latest"

    - name: Set up Python ${{ matrix.python-version }}
      run: uv python install ${{ matrix.python-version }}

    - name: Install dependencies
      run: |
        # Install all dependencies including dev dependencies
        uv sync --dev --all-packages

    - name: Code formatting and linting check with Ruff
      run: |
        # Check formatting (do not auto-format), then check linting
        uv run ruff format --check --diff middleware/
        uv run ruff check middleware/
      continue-on-error: false

    - name: Linting with pylint
      run: |
        uv run pylint middleware/ --fail-under=8.0 --output-format=colorized
      continue-on-error: false

    - name: Type checking with mypy
      run: |
        uv run mypy middleware/
      continue-on-error: false

    - name: Security check with bandit
      id: bandit
      run: |
        # Run bandit, but don't fail the job immediately.
        # We will check the output in the next step.
        # We exclude tests and skip B101 (assert_used) to align with pre-commit.
        uv run bandit -r middleware/ --exclude middleware/tests/ --skip B101 -f json -o bandit-report.json || true
      continue-on-error: false

    - name: Review bandit results
      if: always() && steps.bandit.outcome == 'success'
      id: bandit-review
      shell: bash
      run: |
        echo "## 🛡️ Bandit Security Scan Results" >> $GITHUB_STEP_SUMMARY

        if [ ! -f bandit-report.json ]; then
          echo "✅ No bandit report file found. Nothing to review." >> $GITHUB_STEP_SUMMARY
          exit 0
        fi

        # Count issues by severity
        HIGH_ISSUES=$(jq '[.results[] | select(.issue_severity == "HIGH")] | length' bandit-report.json)
        MEDIUM_ISSUES=$(jq '[.results[] | select(.issue_severity == "MEDIUM")] | length' bandit-report.json)
        LOW_ISSUES=$(jq '[.results[] | select(.issue_severity == "LOW")] | length' bandit-report.json)
        TOTAL_ISSUES=$((HIGH_ISSUES + MEDIUM_ISSUES + LOW_ISSUES))

        echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
        echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
        echo "| High     | $HIGH_ISSUES   |" >> $GITHUB_STEP_SUMMARY
        echo "| Medium   | $MEDIUM_ISSUES |" >> $GITHUB_STEP_SUMMARY
        echo "| Low      | $LOW_ISSUES    |" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY

        if [ $TOTAL_ISSUES -gt 0 ]; then
          echo "### Findings:" >> $GITHUB_STEP_SUMMARY
          jq -r '.results[] | " - **\(.issue_severity)/\(.issue_confidence)**: `\(.test_id)` - \(.issue_text) in `\(.filename):\(.line_number)`"' bandit-report.json >> $GITHUB_STEP_SUMMARY
        else
          echo "✅ No security issues found by bandit." >> $GITHUB_STEP_SUMMARY
        fi

        # Decide if the job should fail
        if [ $HIGH_ISSUES -gt 0 ] || [ $MEDIUM_ISSUES -gt 0 ]; then
          echo "FAIL_JOB=true" >> $GITHUB_OUTPUT
        else
          echo "FAIL_JOB=false" >> $GITHUB_OUTPUT
        fi

    - name: Fail job on critical findings
      if: steps.bandit-review.outputs.FAIL_JOB == 'true'
      run: |
        echo "❌ Failing workflow due to HIGH or MEDIUM severity security issues found by bandit."
        exit 1

    - name: Run tests (Unit & Integration)
      run: |
        uv run pytest \
          middleware/*/tests/unit/ \
          middleware/*/tests/integration/ \
          --cov=sql_to_arc \
          --cov-report=xml \
          --cov-report=html \
          --cov-report=term-missing \
          --junitxml=pytest-report.xml

    - name: Upload coverage to Codecov
      uses: codecov/codecov-action@v4
      with:
        file: ./coverage.xml
        flags: tests
        name: codecov-umbrella
        fail_ci_if_error: false

    - name: Upload test results
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: test-reports-${{ matrix.python-version }}
        path: |
          pytest-report.xml
          coverage.xml
          htmlcov/
          bandit-report.json

    - name: Create quality summary
      if: always()
      run: |
        echo "## 📊 Code Quality Summary" >> $GITHUB_STEP_SUMMARY
        echo "| Tool | Status | Details |" >> $GITHUB_STEP_SUMMARY
        echo "|------|--------|---------|" >> $GITHUB_STEP_SUMMARY
        echo "| Ruff | ✅ Formatting & Linting | Code formatting and linting check |" >> $GITHUB_STEP_SUMMARY
        echo "| pylint | ✅ Code quality | Static analysis (min score: 8.0) |" >> $GITHUB_STEP_SUMMARY
        echo "| mypy | ✅ Type checking | Static type analysis |" >> $GITHUB_STEP_SUMMARY
        echo "| bandit | ✅ Security | Security vulnerability scan |" >> $GITHUB_STEP_SUMMARY
        echo "| pytest | ✅ Unit & Integration tests | Test execution with coverage |" >> $GITHUB_STEP_SUMMARY