From ee56aef18ec411cedc66f69fb5d68b045a455089 Mon Sep 17 00:00:00 2001 From: Tom Halpin Date: Sun, 9 Jul 2023 16:39:19 +0100 Subject: [PATCH 1/3] Refactored default Actions enabled, enabled Python linting --- .github/dependabot.yml | 12 ------ .github/linters/python.yaml | 17 ++++++++ .github/workflows/bandit.yml | 52 ----------------------- .github/workflows/codeql.yml | 77 ---------------------------------- .github/workflows/linter.yml | 81 ++++++++++++++++++------------------ CHANGELOG.md | 5 +++ README.md | 12 ++---- 7 files changed, 67 insertions(+), 189 deletions(-) delete mode 100644 .github/dependabot.yml create mode 100644 .github/linters/python.yaml delete mode 100644 .github/workflows/bandit.yml delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 7f7a24d..0000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,12 +0,0 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: -# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates - -version: 2 -updates: - - package-ecosystem: "pip" - directory: "/" - schedule: - interval: "daily" - open-pull-requests-limit: 10 diff --git a/.github/linters/python.yaml b/.github/linters/python.yaml new file mode 100644 index 0000000..d2b1cfd --- /dev/null +++ b/.github/linters/python.yaml @@ -0,0 +1,17 @@ +--- +version: 1 +pylint: + enabled: true + options: "" + ignore: | + missing-docstring, + invalid-name, + broad-except, + logging-fstring-interpolation, + wrong-import-position + conventions: "" + min-public-methods: 1 +flake8: + enabled: true + ignore: "" + max_line_length: 79 diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml deleted file mode 100644 index 7466e77..0000000 
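Review bot: The `ignore: |` block under `pylint:` in the new `.github/linters/python.yaml` is a literal block scalar, so its value keeps the newlines between `missing-docstring,` … `wrong-import-position` plus a trailing newline; if the consumer passes that string to pylint's `--disable`, the embedded line breaks will not read as a comma-separated list, so `ignore: >-` (folded, no trailing newline) or a YAML sequence is the safer spelling. It is also unclear which tool reads this file: super-linter v5 looks for pylint settings in `.python-lint` (`PYTHON_PYLINT_CONFIG_FILE`) and flake8 settings in `.flake8` (`PYTHON_FLAKE8_CONFIG_FILE`), both INI-style, so a `python.yaml` with `pylint:`/`flake8:` sections may be ignored entirely and the linter defaults applied instead — worth confirming against the output of the first `VALIDATE_PYTHON` run. Finally, suppressing `broad-except` silences pylint's warning on `except Exception` handlers, which is where failures and error conditions most often get swallowed unnoticed; keep that entry out of the ignore list unless there is a recorded reason for it.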
--- a/.github/workflows/bandit.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# Bandit is a security linter designed to find common security issues in Python code. -# This action will run Bandit on your codebase. -# The results of the scan will be found under the Security tab of your repository. - -# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname -# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA - -name: Bandit -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '31 23 * * 3' - -jobs: - bandit: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Bandit Scan - uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c - with: # optional arguments - # exit with 0, even with results found - exit_zero: true # optional, default is DEFAULT - # Github token of the repository (automatically created by Github) - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. - # File or directory to run bandit on - # path: # optional, default is . - # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) - # level: # optional, default is UNDEFINED - # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. 
Default is UNDEFINED (everything) - # confidence: # optional, default is UNDEFINED - # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg) - # excluded_paths: # optional, default is DEFAULT - # comma-separated list of test IDs to skip - # skips: # optional, default is DEFAULT - # path to a .bandit file that supplies command line arguments - # ini_path: # optional, default is DEFAULT - diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 425d999..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '33 9 * * 0' - -jobs: - analyze: - name: Analyze - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'python' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] - # Use only 'java' to analyze code written in Java, Kotlin or both - # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. 
- - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 4eeb5ae..2219841 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml 
@@ -1,41 +1,42 @@ --- -name: Linter - Workflow -# Trigger the workflow on push or pull request and include main -on: - pull_request: - types: - - opened - - synchronize - push: - branches: - - main -jobs: - super-linter: - # Job name - name: lint-code-base-using-super-linter - # Set the agent to run on - runs-on: ubuntu-latest - # Load all steps - steps: - # Checkout the code base - - name: Check out code - uses: actions/checkout@v3 - # Run Linter against code base - - name: Lint code base - uses: docker://github/super-linter:v5 - env: - LINTER_RULES_PATH: .github/linters - MARKDOWN_CONFIG_FILE: .markdownlint.json - # Parse the entire repository and find all files to validate across all types. - # NOTE: When set to false, only new or edited files will be parsed for validation. - VALIDATE_ALL_CODEBASE: true - DEFAULT_BRANCH: main - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VALIDATE_JSON: true - VALIDATE_MD: true - VALIDATE_YML: true - # Flag to enable additional information about the linter, versions, and additional output. - ACTIONS_RUNNER_DEBUG: false - # Flag to have the linter complete with exit code 0 even if errors were detected. - DISABLE_ERROR: false - DEFAULT_WORKSPACE: /tmp/lint + name: SuperLinterWorkflow + # Trigger the workflow on push or pull request and include main + on: + pull_request: + types: + - opened + - synchronize + push: + branches: + - main + jobs: + super-linter: + # Job name + name: lint-code-base-using-super-linter + # Set the agent to run on + runs-on: ubuntu-latest + # Load all steps + steps: + # Checkout the code base + - name: Check out code + uses: actions/checkout@v3 + # Run Linter against code base + - name: Lint code base + uses: docker://github/super-linter:v5 + env: + LINTER_RULES_PATH: .github/linters + MARKDOWN_CONFIG_FILE: .markdownlint.json + # Parse the entire repository and find all files to validate across all types. + # NOTE: When set to false, only new or edited files will be parsed for validation. 
+ VALIDATE_ALL_CODEBASE: true + DEFAULT_BRANCH: main + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VALIDATE_JSON: true + VALIDATE_MD: true + VALIDATE_PYTHON: true + VALIDATE_YML: true + # Flag to enable additional information about the linter, versions, and additional output. + ACTIONS_RUNNER_DEBUG: false + # Flag to have the linter complete with exit code 0 even if errors were detected. + DISABLE_ERROR: false + DEFAULT_WORKSPACE: /tmp/lint \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 68456cd..a9be35a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.4.0] - 2023-07-09 + +- [CHANGED] Replaced some of the default GitHub action workflow files with instructions in README.md on how to enable workflows. +- [ADDED] Python linting. + ## [1.3.1] - 2023-07-03 - [CHANGED] Tidied up badges in README.md. diff --git a/README.md b/README.md index 6a6c79b..39a92da 100644 --- a/README.md +++ b/README.md @@ -23,14 +23,8 @@ It includes bug and feature issue templates, a pull request (PR) template, CodeQ - ```.github/PULL_REQUEST_TEMPLATE.md```: Template for creating pull requests. -- ```.github/workflows/bandit.yaml```: GitHub Actions workflow for security linter designed to find common security issues in Python code. - -- ```.github/codeql.yml```: GitHub Actions workflow for CodeQL analysis. - - ```.github/workflows/coverage.yaml```: GitHub Actions workflow for Python unit test code coverage. -- ```.github/dependabot.yml```: GitHub Actions workflow controlling how Dependabot maintains the repository. - - ```.github/workflows/greetings.yml```: GitHub Actions workflow for automated Greeting messages. - ```.github/workflows/linter.yml```: GitHub Actions workflow for YML & Markdown validation. 
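Review bot: The new side of this hunk ends with `\ No newline at end of file` after `DEFAULT_WORKSPACE: /tmp/lint`, which yamllint's default `new-line-at-end-of-file` rule reports, so with `VALIDATE_YML: true` this workflow is likely to fail its own lint run; restore the trailing newline. Every other line in the hunk changes only because the whole document was indented one column (`+ name: SuperLinterWorkflow`, `+ on:`, `+ jobs:` …); that is still valid YAML but unconventional for a workflow root, it buries the two real changes (the rename and `VALIDATE_PYTHON: true`) in a 41-line rewrite, and yamllint's `indentation` rule may object — moving the keys back to column 0 keeps the diff to two lines. Separately, the job still declares no `permissions:` block and pulls `docker://github/super-linter:v5` and `actions/checkout@v3` by mutable tag, whereas the `bandit.yml` this commit deletes pinned its third-party action to a commit SHA; adding `permissions:` with `contents: read` (plus `statuses: write` if super-linter is expected to post commit statuses) and pinning the image and action by digest or SHA would keep the one remaining workflow at least as tight as the ones removed.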
@@ -67,9 +61,11 @@ The following changes need to be made: - Review and update ```CODEOWNERS```. -- Enable [CodeQL analysis](https://github.com/tom-halpin/template-repo-template/settings/security_analysis) to identify vulnerabilities and errors with [CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql). +- Enable [CodeQL analysis](https://github.com/tom-halpin/template-repo-template/settings/security_analysis) to identify vulnerabilities and errors with [CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql), when enabling select the option to generate - ```.github/codeql.yml```: the GitHub Actions workflow for CodeQL analysis. + +- Enable [Dependabot](https://github.com/tom-halpin/template-repo-template/settings/security_analysis) alerts, security updates and version updates when enabling it select the option to generate - ```.github/dependabot.yml```: the GitHub Actions workflow controlling how Dependabot maintains the repository. -- Enable [Dependabot](https://github.com/tom-halpin/template-repo-template/settings/security_analysis) alerts, security updates and version updates. +- Enable [Bandit](https://github.com/genai-musings/chatting-with-ChatGPT/actions/new?category=security) when enabling it select the option to generate - ```.github/bandit.yml```: the GitHub Actions workflow designed to find common security issues in Python code. - Enable [Secret Scanning with Push Protection](https://github.com/tom-halpin/template-repo-template/settings/security_analysis) to receive alerts on GitHub for detected secrets, keys, or other tokens, and to block commits which contain supported secrets. From 24a831f82af33637b2b9305a815d8cc29d939e49 Mon Sep 17 00:00:00 2001 
From: Tom Halpin Date: Sun, 9 Jul 2023 16:46:23 +0100 Subject: [PATCH 2/3] Refactored default Actions enabled, enabled Python linting --- .github/config/.wordlist.txt | 1 + README.md | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/config/.wordlist.txt b/.github/config/.wordlist.txt index 50858bb..3d268ae 100644 --- a/.github/config/.wordlist.txt +++ b/.github/config/.wordlist.txt @@ -25,6 +25,7 @@ README spellingcheck superlinter TODO +URLs yamllint YML diff --git a/README.md b/README.md index 39a92da..a88eca9 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ This is a template repository for creating new repositories with pre-configured settings and files commonly used in my Python projects. [![License: MPL 2.0](https://img.shields.io/badge/License-MPL%202.0-brightgreen.svg)](https://opensource.org/licenses/MPL-2.0) -[![Bandit](https://github.com/tom-halpin/template-repo-template/actions/workflows/bandit.yml/badge.svg)](https://github.com/tom-halpin/template-repo-template/actions/new?category=security) + [![Super-Linter](https://github.com/tom-halpin/template-repo-template/actions/workflows/linter.yml/badge.svg)](https://github.com/marketplace/actions/super-linter) [![CodeQL](https://github.com/tom-halpin/template-repo-template/workflows/CodeQL/badge.svg?branch=main) [![Markdown Links Check](https://github.com/tom-halpin/template-repo-template/actions/workflows/md-links.yml/badge.svg)](https://github.com/gaurav-nelson/github-action-markdown-link-check) 
@@ -63,7 +63,7 @@ The following changes need to be made: - Enable [CodeQL analysis](https://github.com/tom-halpin/template-repo-template/settings/security_analysis) to identify vulnerabilities and errors with [CodeQL](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql), when enabling select the option to generate - ```.github/codeql.yml```: the GitHub Actions workflow for CodeQL analysis. -- Enable [Dependabot](https://github.com/tom-halpin/template-repo-template/settings/security_analysis) alerts, security updates and version updates when enabling it select the option to generate - ```.github/dependabot.yml```: the GitHub Actions workflow controlling how Dependabot maintains the repository. +- Enable [Dependabot](https://github.com/tom-halpin/template-repo-template/settings/security_analysis) alerts, security updates and version updates when enabling it select the option to generate - ```.github/dependabot.yml```: the configuration file controlling how Dependabot maintains the repository. - Enable [Bandit](https://github.com/genai-musings/chatting-with-ChatGPT/actions/new?category=security) when enabling it select the option to generate - ```.github/bandit.yml```: the GitHub Actions workflow designed to find common security issues in Python code. @@ -75,7 +75,7 @@ The following changes need to be made: - Replace code in ```main.py``` with your code, update tests and associated GitHub action workflows accordingly. -- Review and update ```README.md```. +- Review and update ```README.md```. Remove redundant instructions such as this and update Badges displayed including their URLs. - Review and enable required linters in the ```.github/workflows/linter.yml``` GitHub action. From dca47225dc1b20fa831ea3c026a9d79c9a8cf55e Mon Sep 17 00:00:00 2001 
From: Tom Halpin Date: Sun, 9 Jul 2023 16:51:23 +0100 Subject: [PATCH 3/3] Refactored default Actions enabled, enabled Python linting --- .github/config/.wordlist.txt | 1 + .github/pull_request_template.md | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/config/.wordlist.txt b/.github/config/.wordlist.txt index 3d268ae..f65ed22 100644 --- a/.github/config/.wordlist.txt +++ b/.github/config/.wordlist.txt @@ -17,6 +17,7 @@ MPL orgname OSSF pre +PR PRL Python reponame diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index adf961b..8bcbe0c 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -18,6 +18,7 @@ _Put an `x` in the boxes that apply_ _Put an `x` in the boxes that apply you can view the checklist as a heads up as to what we are going to look for before merging your code._ +- [ ] I have added a description of the changes made in this PR to CHANGELOG.md. - [ ] I have read the CONTRIBUTING.md guidelines for this repository. - [ ] I have included any and all necessary documentation where appropriate. - [ ] I will fix any problems reported with this PR by the GitHub Actions on this repository.