ci: fix workflows and add pip-audit to dev dependencies

- Add concurrency control to prevent duplicate runs - Add timeout-minutes for all jobs - Add pip-audit to dev dependencies - Remove docs deployment (Gitea doesn't support Pages) - Fix security check (remove || true, proper exit codes) - Simplify release.yml (build only on tags) - Update CONTRIBUTING.md with local docs generation
2026-03-29 01:06:28 +00:00 · 2026-03-29 01:06:28 +00:00 · af8807a733
commit af8807a733
parent 309556c1a0
4 changed files with 54 additions and 49 deletions
--- a/.gitea/workflows/pr-check.yml
+++ b/.gitea/workflows/pr-check.yml
@ -4,9 +4,14 @@ on:
  pull_request:
    branches: [main]

+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  test:
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    
    steps:
      - name: Checkout code
@ -14,7 +19,6 @@ jobs:
      
      - name: Use system Python
        run: |
-          echo "Python $(python3 --version)"
          echo "$HOME/.local/bin" >> $GITHUB_PATH
      
      - name: Install dependencies (with dev)
@ -65,6 +69,7 @@ jobs:

  security:
    runs-on: ubuntu-latest
+    timeout-minutes: 10
    
    steps:
      - name: Checkout code
@ -78,9 +83,16 @@ jobs:
        run: uv sync --group dev
      
      - name: Run safety check
-        run: uv run pip-audit || true
+        run: uv run pip-audit
      
      - name: Check for secrets
        run: |
-          ! grep -r "password\s*=" --include="*.py" src/ || true
-          ! grep -r "token\s*=" --include="*.py" src/ || true
+          if grep -r "password\s*=" --include="*.py" src/; then
+            echo "❌ Found hardcoded passwords in src/"
+            exit 1
+          fi
+          if grep -r "token\s*=" --include="*.py" src/; then
+            echo "❌ Found hardcoded tokens in src/"
+            exit 1
+          fi
+          echo "✅ No hardcoded secrets found"
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@ -6,10 +6,15 @@ on:
  tags:
    - 'v*'

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
  semantic-release:
    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
+    timeout-minutes: 10
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    outputs:
      new_release_version: ${{ steps.semantic.outputs['new_release_version'] }}
      new_release_published: ${{ steps.semantic.outputs['new_release_published'] }}
@ -59,8 +64,8 @@ jobs:

  build:
    runs-on: ubuntu-latest
-    needs: [semantic-release]
-    if: github.ref == 'refs/tags/v*' || github.event_name == 'push'
+    timeout-minutes: 15
+    if: github.ref == 'refs/tags/v*'
    
    outputs:
      version: ${{ steps.version.outputs.version }}
@ -76,14 +81,10 @@ jobs:
          echo "Python $(python3 --version)"
          echo "$HOME/.local/bin" >> $GITHUB_PATH
      
-      - name: Get version from tag or pyproject
+      - name: Get version from tag
        id: version
        run: |
-          if [[ $GITHUB_REF == refs/tags/v* ]]; then
          VERSION=${GITHUB_REF#refs/tags/v}
-          else
-            VERSION=$(uv run python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['version'])")
-          fi
          echo "version=$VERSION" >> $GITHUB_OUTPUT
      
      - name: Install dependencies (production only)
@ -102,6 +103,7 @@ jobs:
  publish-gitea:
    needs: build
    runs-on: ubuntu-latest
+    timeout-minutes: 10
    if: startsWith(github.ref, 'refs/tags/v')
    
    steps:
@ -117,30 +119,3 @@ jobs:
            --username ${{ github.actor }} \
            --password ${{ secrets.GITEA_TOKEN }} \
            https://git.much-data.ru/api/packages/${{ github.repository_owner }}/pypi
-
-  docs:
-    needs: build
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      
-      - name: Use system Python
-        run: |
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-      
-      - name: Install dependencies
-        run: uv sync --no-dev
-      
-      - name: Build documentation
-        run: uv run mkdocs build
-      
-      - name: Deploy to Gitea Pages
-        uses: peaceiris/actions-gh-pages@v4
-        with:
-          personal_token: ${{ secrets.GITEA_TOKEN }}
-          publish_dir: ./site
-          external_repository: ${{ github.repository_owner }}/${{ github.event.repository.name }}-docs
-          publish_branch: gh-pages
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -17,6 +17,23 @@ uv sync --group dev
 uv run pre-commit install
 ```

+## Documentation
+
+Generate documentation locally:
+
+```bash
+# Install docs dependencies
+uv sync --group dev
+
+# Build HTML docs
+uv run mkdocs build
+
+# Serve locally (optional)
+uv run mkdocs serve
+```
+
+Documentation is built automatically by CI and available in `site/` folder.
+
 ## Branch Naming

 - `feature/description` — новые фичи
@ -76,20 +93,20 @@ docs(api): update client examples
 ## CI/CD

 **PR Checks:**
- ✅ Тесты с coverage
- ✅ Линтинг
- ✅ Форматирование
- ✅ Безопасность (secrets scan)
+- ✅ Тесты с coverage (90% threshold)
+- ✅ Линтинг (ruff)
+- ✅ Форматирование (ruff format)
+- ✅ Безопасность (pip-audit + secrets scan)
 - ✅ Commitlint (PR title)

 **Release (merge в main):**
- 📦 Сборка пакета
- 🚀 Публикация в Gitea Packages
- 📚 Деплой документации
+- 📦 Semantic release (auto versioning)
+- 📝 CHANGELOG generation
+- 🏷️ Git tag creation

 **Tag (v*):**
- 🏷️ Создание релиза
- 📦 Публикация версии
+- 📦 Сборка пакета
+- 🚀 Публикация в Gitea Packages

 ## Versioning

--- a/pyproject.toml
+++ b/pyproject.toml
@ -36,6 +36,7 @@ dev = [
    "respx>=0.20.0",
    "ruff>=0.3.0",
    "semantic-release>=24.0.0",
+    "pip-audit>=2.7.0",
 ]

 [project.urls]