4343 ~/.cache/pip
4444 ~/.cache/pypoetry
4545 /usr/local/lib/python3.13/site-packages
46- key : ${{ runner.os }}-poetry-${{ matrix.tool }}-${{ hashFiles('**/poetry.lock', 'pyproject.toml') }}
46+ key : ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock', 'pyproject.toml') }}
4747 restore-keys : |
48- ${{ runner.os }}-poetry-${{ matrix.tool }}-
4948 ${{ runner.os }}-poetry-
5049
5150# Consolidated Poetry installation - used by multiple steps
@@ -61,20 +60,59 @@ jobs:
6160name : Install project dependencies
6261 if : matrix.tool != 'codeql'
6362 run : |
64- poetry install --with dev --no-interaction
63+ # Only install the dependencies needed for each specific tool
64+ case "${{ matrix.tool }}" in
65+ snyk)
66+ # Snyk only needs dependency export
67+ ;;
68+ cyclonedx)
69+ # CycloneDX needs core dependencies for accurate SBOM
70+ poetry install --only main --no-interaction
71+ ;;
72+ *)
73+ # Analysis tools need dev dependencies
74+ poetry install --with dev --no-interaction
75+ ;;
76+ esac
6577
66- # Consolidated tool installation
78+ # Optimized tool installation - only install the tool being used
6779 - name : Install analysis tools
68- if : matrix.tool != 'codeql' && matrix.tool != 'snyk' && matrix.tool != 'pyright'
80+ if : matrix.tool != 'codeql' && matrix.tool != 'snyk'
6981 run : |
70- poetry run pip install bandit ruff mypy flake8 pylint cyclonedx-bom pyright
71- poetry run bandit --version
72- poetry run ruff --version
73- poetry run mypy --version
74- poetry run flake8 --version
75- poetry run pylint --version
76- poetry run cyclonedx-py --version
77- poetry run pyright --version
82+ case "${{ matrix.tool }}" in
83+ bandit)
84+ poetry run pip install bandit
85+ poetry run bandit --version
86+ ;;
87+ ruff)
88+ poetry run pip install ruff
89+ poetry run ruff --version
90+ ;;
91+ mypy)
92+ poetry run pip install mypy types-setuptools types-requests
93+ poetry run mypy --version
94+ ;;
95+ flake8)
96+ poetry run pip install flake8
97+ poetry run flake8 --version
98+ ;;
99+ pylint)
100+ poetry run pip install pylint
101+ poetry run pylint --version
102+ ;;
103+ pyright)
104+ poetry run pip install pyright
105+ poetry run pyright --version
106+ ;;
107+ cyclonedx)
108+ poetry run pip install cyclonedx-bom
109+ poetry run cyclonedx-py --version
110+ ;;
111+ *)
112+ echo "Unknown tool: ${{ matrix.tool }}"
113+ exit 1
114+ ;;
115+ esac
78116
79117name : Setup Snyk CLI
80118 if : matrix.tool == 'snyk'
@@ -132,15 +170,29 @@ jobs:
132170 --mc-type application \
133171 .
134172
135- # Add error handling
173+ # Improved error handling with more detailed fallback SBOM
136174 if [ -f "cyclonedx_report.json" ]; then
137175 echo "✅ Successfully generated cyclonedx_report.json"
138176 # Show first few lines for debugging
139177 head -n 20 cyclonedx_report.json
140178 else
141179 echo "❌ Failed to generate cyclonedx_report.json"
142- # Create minimal valid file
143- echo '{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,"metadata":{"component":{"name":"PostQuantum-Feldman-VSS","type":"application"}},"components":[]}' > cyclonedx_report.json
180+ # Create more detailed minimal valid file
181+ echo '{
182+ "bomFormat": "CycloneDX",
183+ "specVersion": "1.5",
184+ "serialNumber": "urn:uuid:'$(uuidgen)'",
185+ "version": 1,
186+ "metadata": {
187+ "timestamp": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'",
188+ "component": {
189+ "name": "PostQuantum-Feldman-VSS",
190+ "type": "application",
191+ "bom-ref": "pkg:github/DavidOsipov/PostQuantum-Feldman-VSS"
192+ }
193+ },
194+ "components": []
195+ }' > cyclonedx_report.json
144196 fi
145197
146198name : Initialize CodeQL
0 commit comments