🛡️ Bastion Quality Gates #50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Analyze and SonarQube Scan | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| workflow_dispatch: | |
| permissions: | |
| pull-requests: read # Allows SonarQube to decorate PRs with analysis results | |
| jobs: | |
| Analyze: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| tool: [bandit, ruff, mypy] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 | |
| - name: Set up Python | |
| uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 | |
| with: | |
| python-version: '3.13' | |
| - name: Cache pip dependencies | |
| uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 | |
| with: | |
| path: /usr/local/lib/python3.12/site-packages | |
| key: pip-${{ hashFiles('pyproject.toml') }} | |
| restore-keys: | | |
| pip- | |
| - name: Install project dependencies | |
| run: | | |
| pip install . | |
| pip install .[dev] | |
| - name: Install analysis tools | |
| run: | | |
| pip install bandit ruff mypy | |
| ruff --version # For debugging | |
| mypy --version # For debugging | |
| - name: Run Bandit | |
| if: matrix.tool == 'bandit' | |
| run: bandit -r . -o bandit_report.json --format json --exclude tests,.git || true | |
| - name: Run Ruff | |
| if: matrix.tool == 'ruff' | |
| run: ruff check . --output-format json --output-file ruff_report.json --exclude tests,.git || true | |
| - name: Run Mypy | |
| if: matrix.tool == 'mypy' | |
| run: mypy . 2>&1 | tee mypy_report.txt || true # Capture output to file and console, continue on error | |
| - name: Upload report artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: ${{ matrix.tool }}-report | |
| path: ${{ matrix.tool }}_report.* | |
| SonarQube: | |
| needs: Analyze | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 | |
| - name: Download analysis reports | |
| uses: actions/download-artifact@e9b2e897dilf532e1d0f7ea2dbee0f23fb39bb8 | |
| with: | |
| path: reports | |
| - name: Move reports to working directory | |
| run: | | |
| mv reports/bandit-report/bandit_report.json . | |
| mv reports/ruff-report/ruff_report.json . | |
| mv reports/mypy-report/mypy_report.txt . | |
| - name: Check if reports exist | |
| run: | | |
| for report in bandit_report.json ruff_report.json mypy_report.txt; do | |
| if [ ! -f "$report" ]; then | |
| echo "$report not found. Exiting." | |
| exit 1 | |
| fi | |
| done | |
| - name: Analyze with SonarQube | |
| uses: SonarSource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} | |
| with: | |
| args: > | |
| -Dsonar.projectKey=DavidOsipov_PostQuantum-Feldman-VSS | |
| -Dsonar.organization=davidosipov | |
| -Dsonar.python.bandit.reportPaths=bandit_report.json | |
| -Dsonar.python.ruff.reportPaths=ruff_report.json | |
| -Dsonar.python.mypy.reportPaths=mypy_report.txt | |
| -Dsonar.python.version=3.10-3.13 | |
| -Dsonar.languages=python |