security: harden workflow — permissions, pin deps, pin actions #83

Workflow file for this run

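# CI workflow: lint, type-check, test and security-scan on every push to
# main and every pull request targeting main.
#
# Hardening applied in this file:
#   * workflow-wide GITHUB_TOKEN permissions are read-only (`contents: read`);
#     every job inherits that unless it declares its own `permissions`.
#   * only `pull_request` (never `pull_request_target`) is used, so GitHub
#     runs fork PRs with a read-only token and without repository secrets.
#   * third-party actions are pinned to full commit SHAs; the trailing
#     `# vN` comment is informational only — update both together.
#   * scanner tools are pinned to exact versions in the `security` job.
#   * advisory steps use `continue-on-error` rather than `|| true`, so a
#     failing scan is visible in the run (step marked failed, warning
#     annotation) instead of being silently discarded.
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
# Least privilege for GITHUB_TOKEN across all jobs. Nothing here pushes,
# comments or publishes, so read-only is sufficient.
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    # Bound runner time so a hung test or a misbehaving dependency cannot
    # hold a runner for the 6-hour default.
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.12"
          cache: "pip"
      - name: Install dependencies
        # NOTE(review): pip itself is upgraded unpinned, and the requirements
        # are only version-pinned here, not hash-pinned. If
        # requirements-dev.txt carries `--hash=` entries, add
        # `--require-hashes` to the second command.
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements-dev.txt
      - name: Lint with ruff
        run: |
          ruff check . --ignore E501
      - name: Type check with mypy
        # Advisory only: mypy findings are shown in the run but do not fail
        # the job.
        continue-on-error: true
        run: |
          mypy main.py --ignore-missing-imports --no-error-summary
      - name: Run tests with coverage
        # Placeholder credentials for the test environment only. They are
        # not secrets and must never match a value used outside CI.
        env:
          METTLE_SECRET_KEY: "ci-test-secret-key-12345"
          METTLE_ADMIN_API_KEY: "ci-test-admin-key-12345"
          METTLE_ENVIRONMENT: "test"
        run: |
          pytest tests/ -v --tb=short --cov=. --cov-report=xml --cov-report=term-missing --reruns 2 --reruns-delay 1
      - name: Upload coverage
        # Upload failures are non-fatal so a Codecov outage cannot block CI.
        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
        with:
          file: ./coverage.xml
          fail_ci_if_error: false
  security:
    runs-on: ubuntu-latest
    # Scans are quick; a short bound limits exposure if a scanner hangs.
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        # Scanners pinned to exact versions so a new release cannot change
        # results or behaviour without a reviewed change to this file.
        run: |
          python -m pip install --upgrade pip
          pip install bandit==1.9.2 safety==3.7.0
      - name: Security scan with bandit
        # Tests are excluded and B101 (use of assert) is skipped project-wide.
        # Advisory only: findings are visible in the run but do not fail the job.
        continue-on-error: true
        run: |
          bandit -r . -x ./tests --skip B101
      - name: Check dependencies with safety
        # NOTE(review): `safety check` is the legacy command in safety 3.x;
        # confirm it is still supported by the pinned version before relying
        # on its output. Installing requirements.txt also executes package
        # build hooks on the runner; scanning the file directly
        # (`safety check -r requirements.txt`) would avoid that — confirm
        # the pinned version accepts it before switching.
        # Advisory only: findings are visible in the run but do not fail the job.
        continue-on-error: true
        run: |
          pip install -r requirements.txt
          safety check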