Enhances CI with tests and analysis

Integrates a Python tests workflow with multi-version support and caching.
Adds new analysis tools (Pyright, CycloneDX) and updates the quality gate workflow.
Introduces least privilege permissions and weekly scheduling.

Signed-off-by: DavidOsipov <[email protected]>

Author: DavidOsipov

.github/workflows/python-tests.yml

@@ -0,0 +1,64 @@
+name: 🧪 Python Tests
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  workflow_dispatch:
+  workflow_call:
+    # Adding empty outputs to properly define the workflow_call trigger
+    outputs:
+      result:
+        description: "Test execution result"
+        value: ${{ jobs.test.result }}
+    
+# Adding explicit permissions following the principle of least privilege
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
+      with:
+        python-version: ${{ matrix.python-version }}
+        cache: 'pip'
+        
+    - name: Cache pip dependencies
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
+      with:
+        path: |
+          ~/.cache/pip
+          ~/.cache/pypoetry
+        key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }}
+        restore-keys: |
+          ${{ runner.os }}-pip-${{ matrix.python-version }}-
+          
+    - name: Install Poetry
+      run: |
+        pip install poetry
+        poetry --version
+        
+    - name: Install dependencies
+      run: |
+        poetry install --no-interaction
+        
+    - name: Typecheck with mypy
+      run: |
+        poetry run mypy feldman_vss.py
+        
+    # Uncomment and modify when you have tests
+    # - name: Run tests
+    #   run: |
+    #     poetry run pytest

.github/workflows/sonarqube.yml

@@ -1,22 +1,29 @@
 name: 🛡️ Bastion Quality Gates
 
+
 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly on Sunday
   workflow_dispatch:
 
 permissions:
   pull-requests: read
   security-events: write
 
 jobs:
+  test:
+    uses: ./.github/workflows/python-tests.yml
+  # This workflow now depends on the successful completion of the python-tests workflow
   Analyze:
+    needs: test
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        tool: [bandit, ruff, mypy, flake8, pylint, codeql, snyk]
+        tool: [bandit, ruff, mypy, flake8, pylint, codeql, snyk, pyright, cyclonedx]
     steps:
       - name: Checkout code
         uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
@@ -50,7 +57,7 @@ jobs:
           poetry install --with dev --no-interaction
 
       - name: Install analysis tools
-        if: matrix.tool != 'codeql' && matrix.tool != 'snyk'
+        if: matrix.tool != 'codeql' && matrix.tool != 'snyk' && matrix.tool != 'pyright' && matrix.tool != 'cyclonedx'
         run: |
           poetry run pip install bandit ruff mypy flake8 pylint
           poetry run bandit --version
@@ -59,6 +66,24 @@ jobs:
           poetry run flake8 --version
           poetry run pylint --version
 
+      - name: Install Node.js for Pyright
+        if: matrix.tool == 'pyright'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install Pyright
+        if: matrix.tool == 'pyright'
+        run: |
+          npm install -g pyright
+          pyright --version
+
+      - name: Install CycloneDX
+        if: matrix.tool == 'cyclonedx'
+        run: |
+          poetry run pip install cyclonedx-bom
+          poetry run cyclonedx-py --version || echo "CycloneDX installed"
+
       - name: Setup Snyk CLI
         if: matrix.tool == 'snyk'
         uses: snyk/actions/setup@cdb760004ba9ea4d525f2e043745dfe85bb9077e
@@ -73,8 +98,9 @@ jobs:
         run: |
           pip install poetry
           pip install poetry-plugin-export
-          poetry export --format requirements.txt --output requirements.txt
-          snyk test --file=requirements.txt --sarif-file-output=snyk_report.sarif
+          poetry export --format requirements.txt --output requirements.txt --with dev
+          pip install black blake3 click colorama flake8 gmpy2 isort mccabe msgpack-types mypy-extensions pathspec psutil pycodestyle pyflakes setuptools types-requests types-setuptools typing-extensions
+          snyk test --file=requirements.txt --sarif-file-output=snyk_report.sarif --skip-unresolved || snyk test --file=requirements.txt --sarif-file-output=snyk_report.sarif --skip-unresolved --all-projects
 
       - name: Run Bandit
         if: matrix.tool == 'bandit'
@@ -96,6 +122,15 @@ jobs:
         if: matrix.tool == 'pylint'
         run: poetry run pylint --recursive=y . --output-format=json > pylint_report.json || true
 
+      - name: Run Pyright
+        if: matrix.tool == 'pyright'
+        run: pyright --outputjson > pyright_report.json || true
+
+      - name: Generate Software Bill of Materials (SBOM)
+        if: matrix.tool == 'cyclonedx'
+        run: |
+          poetry run cyclonedx-py -o cyclonedx_report.json -j . || true
+
       - name: Initialize CodeQL
         if: matrix.tool == 'codeql'
         uses: github/codeql-action/init@main
@@ -137,10 +172,12 @@ jobs:
           mv reports/pylint-report/pylint_report.json .
           mv reports/codeql-report/codeql_report.sarif .
           mv reports/snyk-report/snyk_report.sarif .
+          mv reports/pyright-report/pyright_report.json .
+          mv reports/cyclonedx-report/cyclonedx_report.json .
 
       - name: Check if reports exist
         run: |
-          for report in bandit_report.json ruff_report.json mypy_report.txt flake8_report.txt pylint_report.json codeql_report.sarif snyk_report.sarif; do
+          for report in bandit_report.json ruff_report.json mypy_report.txt flake8_report.txt pylint_report.json codeql_report.sarif snyk_report.sarif pyright_report.json cyclonedx_report.json; do
             if [ ! -f "$report" ]; then
               echo "$report not found. Exiting."
               exit 1
@@ -163,5 +200,7 @@ jobs:
             -Dsonar.python.flake8.reportPaths=flake8_report.txt
             -Dsonar.python.pylint.reportPaths=pylint_report.json
             -Dsonar.sarifReportPaths=codeql_report.sarif,snyk_report.sarif
+            -Dsonar.externalIssuesReportPaths=pyright_report.json
+            -Dsonar.dependencyCheck.jsonReportPath=cyclonedx_report.json
             -Dsonar.python.version=3.10-3.13
             -Dsonar.languages=python