From af8807a73320e6a905ee9828a386cfd08a2c5b95 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 29 Mar 2026 01:06:28 +0000 Subject: [PATCH] ci: fix workflows and add pip-audit to dev dependencies - Add concurrency control to prevent duplicate runs - Add timeout-minutes for all jobs - Add pip-audit to dev dependencies - Remove docs deployment (Gitea doesn't support Pages) - Fix security check (remove || true, proper exit codes) - Simplify release.yml (build only on tags) - Update CONTRIBUTING.md with local docs generation --- .gitea/workflows/pr-check.yml | 20 ++++++++++++--- .gitea/workflows/release.yml | 47 ++++++++--------------------------- CONTRIBUTING.md | 35 +++++++++++++++++++------- pyproject.toml | 1 + 4 files changed, 54 insertions(+), 49 deletions(-) diff --git a/.gitea/workflows/pr-check.yml b/.gitea/workflows/pr-check.yml index d14f57f..124cfee 100644 --- a/.gitea/workflows/pr-check.yml +++ b/.gitea/workflows/pr-check.yml @@ -4,9 +4,14 @@ on: pull_request: branches: [main] +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + jobs: test: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - name: Checkout code @@ -14,7 +19,6 @@ jobs: - name: Use system Python run: | - echo "Python $(python3 --version)" echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install dependencies (with dev) @@ -65,6 +69,7 @@ jobs: security: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Checkout code @@ -78,9 +83,16 @@ jobs: run: uv sync --group dev - name: Run safety check - run: uv run pip-audit || true + run: uv run pip-audit - name: Check for secrets run: | - ! grep -r "password\s*=" --include="*.py" src/ || true - ! grep -r "token\s*=" --include="*.py" src/ || true + if grep -r "password\s*=" --include="*.py" src/; then + echo "❌ Found hardcoded passwords in src/" + exit 1 + fi + if grep -r "token\s*=" --include="*.py" src/; then + echo "❌ Found hardcoded tokens in src/" + exit 1 + fi + echo "✅ No hardcoded secrets found" diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 3e6af28..5a4e2dc 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -6,10 +6,15 @@ on: tags: - 'v*' +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: semantic-release: runs-on: ubuntu-latest - if: github.ref == 'refs/heads/main' + timeout-minutes: 10 + if: github.ref == 'refs/heads/main' && github.event_name == 'push' outputs: new_release_version: ${{ steps.semantic.outputs['new_release_version'] }} new_release_published: ${{ steps.semantic.outputs['new_release_published'] }} @@ -59,8 +64,8 @@ jobs: build: runs-on: ubuntu-latest - needs: [semantic-release] - if: github.ref == 'refs/tags/v*' || github.event_name == 'push' + timeout-minutes: 15 + if: github.ref == 'refs/tags/v*' outputs: version: ${{ steps.version.outputs.version }} @@ -76,14 +81,10 @@ jobs: echo "Python $(python3 --version)" echo "$HOME/.local/bin" >> $GITHUB_PATH - - name: Get version from tag or pyproject + - name: Get version from tag id: version run: | - if [[ $GITHUB_REF == refs/tags/v* ]]; then - VERSION=${GITHUB_REF#refs/tags/v} - else - VERSION=$(uv run python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['version'])") - fi + VERSION=${GITHUB_REF#refs/tags/v} echo "version=$VERSION" >> $GITHUB_OUTPUT - name: Install dependencies (production only) @@ -102,6 +103,7 @@ jobs: publish-gitea: needs: build runs-on: ubuntu-latest + timeout-minutes: 10 if: startsWith(github.ref, 'refs/tags/v') steps: @@ -117,30 +119,3 @@ jobs: --username ${{ github.actor }} \ --password ${{ secrets.GITEA_TOKEN }} \ https://git.much-data.ru/api/packages/${{ github.repository_owner }}/pypi - - docs: - needs: build - runs-on: ubuntu-latest - if: github.ref == 'refs/heads/main' - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Use system Python - run: | - echo "$HOME/.local/bin" >> $GITHUB_PATH - - - name: Install dependencies - run: uv sync --no-dev - - - name: Build documentation - run: uv run mkdocs build - - - name: Deploy to Gitea Pages - uses: peaceiris/actions-gh-pages@v4 - with: - personal_token: ${{ secrets.GITEA_TOKEN }} - publish_dir: ./site - external_repository: ${{ github.repository_owner }}/${{ github.event.repository.name }}-docs - publish_branch: gh-pages diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 57e3c2a..59548e4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -17,6 +17,23 @@ uv sync --group dev uv run pre-commit install ``` +## Documentation + +Generate documentation locally: + +```bash +# Install docs dependencies +uv sync --group dev + +# Build HTML docs +uv run mkdocs build + +# Serve locally (optional) +uv run mkdocs serve +``` + +Documentation is built automatically by CI and available in `site/` folder. + ## Branch Naming - `feature/description` — новые фичи @@ -76,20 +93,20 @@ docs(api): update client examples ## CI/CD **PR Checks:** -- ✅ Тесты с coverage -- ✅ Линтинг -- ✅ Форматирование -- ✅ Безопасность (secrets scan) +- ✅ Тесты с coverage (90% threshold) +- ✅ Линтинг (ruff) +- ✅ Форматирование (ruff format) +- ✅ Безопасность (pip-audit + secrets scan) - ✅ Commitlint (PR title) **Release (merge в main):** -- 📦 Сборка пакета -- 🚀 Публикация в Gitea Packages -- 📚 Деплой документации +- 📦 Semantic release (auto versioning) +- 📝 CHANGELOG generation +- 🏷️ Git tag creation **Tag (v*):** -- 🏷️ Создание релиза -- 📦 Публикация версии +- 📦 Сборка пакета +- 🚀 Публикация в Gitea Packages ## Versioning diff --git a/pyproject.toml b/pyproject.toml index 0bc27d2..682d8fe 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -36,6 +36,7 @@ dev = [ "respx>=0.20.0", "ruff>=0.3.0", "semantic-release>=24.0.0", + "pip-audit>=2.7.0", ] [project.urls]