diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6e65c00..83d7046 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,9 +24,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - fix finding of rejected cruft files
 - fix dependabot pr review assignment
+- add missing pytest-xdist dependency
+- fix linting issue in `docs/conf.py`
 ### Security
+- fix trivy cve scan to work with pdm
+
 ## [0.1.0] - 2024-03-11
 ### Added
diff --git a/mex-{{ cookiecutter.project_name }}/.github/workflows/cve-scan.yml b/mex-{{ cookiecutter.project_name }}/.github/workflows/cve-scan.yml
index 585bca3..7b93497 100644
--- a/mex-{{ cookiecutter.project_name }}/.github/workflows/cve-scan.yml
+++ b/mex-{{ cookiecutter.project_name }}/.github/workflows/cve-scan.yml
@@ -26,30 +26,51 @@ jobs: with: fetch-depth: 1 - - name: Cache trivy + - name: Cache requirements uses: actions/cache@v4 env: - cache-name: cache-trivy + cache-name: cache-requirements with: - path: ~/.cache/trivy + path: ~/.cache/pip + {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }}{% endraw %} + restore-keys: | + {% raw %}${{ env.cache-name }}-{% endraw %} + + - name: Cache environment + uses: actions/cache@v4 + env: + cache-name: cache-environment + with: + path: ~/.cache/pip {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('*.lock') }}{% endraw %} restore-keys: | {% raw %}${{ env.cache-name }}-{% endraw %} + - name: Setup python + uses: actions/setup-python@v5 + with: + python-version: 3.11 + + - name: Install requirements + run: make setup + + - name: Export dependencies + run: | + mkdir --parents pdm + pdm export -G :all -f requirements > pdm/requirements.txt + - name: Run trivy uses: aquasecurity/trivy-action@master with: - exit-code: 1 format: 'sarif' + list-all-pkgs: 'true' output: 'trivy-results.sarif' scan-ref: '.' scan-type: 'fs' - severity: 'CRITICAL,HIGH' - list-all-pkgs: 'true' - ignore-unfixed: true + severity: 'MEDIUM,HIGH,CRITICAL' - name: Publish results - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: 'trivy-results.sarif' diff --git a/mex-{{ cookiecutter.project_name }}/.pre-commit-config.yaml b/mex-{{ cookiecutter.project_name }}/.pre-commit-config.yaml index f6b3559..ed2b9a4 100644 --- a/mex-{{ cookiecutter.project_name }}/.pre-commit-config.yaml +++ b/mex-{{ cookiecutter.project_name }}/.pre-commit-config.yaml 
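Review bot: Removing `exit-code: 1` (together with `ignore-unfixed: true`) from the Run trivy step turns the scan from a gate into a report: the job now succeeds regardless of findings and they only surface through the uploaded SARIF, which the changelog entry "fix trivy cve scan to work with pdm" does not mention. If that is intended, record it in the changelog; otherwise restore `exit-code: '1'` in the step's `with:` block (with the broadened `MEDIUM,HIGH,CRITICAL` severity that will fail builds on unfixed medium findings, so keeping `ignore-unfixed: 'true'` is probably worth it). The new Cache requirements step keys on `hashFiles('requirements.txt')`, but the only requirements file this workflow produces is `pdm/requirements.txt`, written by the later Export dependencies step, so unless a root-level requirements.txt exists outside this diff the hash is empty at cache time and the key collapses to the constant `cache-requirements-`; since the step caches the same `~/.cache/pip` path as Cache environment anyway, it can simply be dropped. Separately, the scanner is still pulled from the mutable `aquasecurity/trivy-action@master` ref on the unchanged `uses:` line; for a security workflow pin it to a release tag or commit SHA, as the hunk already does for `actions/setup-python@v5`.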
@@ -3,12 +3,12 @@ default_language_version: python: python3.11 repos: - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.3.2 + rev: v0.3.3 hooks: - id: ruff args: [--fix, --exit-non-zero-on-fix] - repo: https://github.com/psf/black - rev: 24.2.0 + rev: 24.3.0 hooks: - id: black - repo: https://github.com/pre-commit/pre-commit-hooks diff --git a/mex-{{ cookiecutter.project_name }}/docs/conf.py b/mex-{{ cookiecutter.project_name }}/docs/conf.py index 9c56e00..2c12807 100644 --- a/mex-{{ cookiecutter.project_name }}/docs/conf.py +++ b/mex-{{ cookiecutter.project_name }}/docs/conf.py @@ -6,4 +6,4 @@ napoleon_include_init_with_doc = True napoleon_include_private_with_doc = True project = "mex-{{ cookiecutter.project_name }}" -templates_path = ['.'] +templates_path = ["."] diff --git a/mex-{{ cookiecutter.project_name }}/pyproject.toml b/mex-{{ cookiecutter.project_name }}/pyproject.toml index c19fd61..a402ce1 100644 --- a/mex-{{ cookiecutter.project_name }}/pyproject.toml +++ b/mex-{{ cookiecutter.project_name }}/pyproject.toml @@ -9,13 +9,14 @@ urls = { Repository = "https://github.com/robert-koch-institut/mex-{{ cookiecutt requires-python = ">=3.11" dependencies = [] optional-dependencies.dev = [ - "black>=24.2.0", + "black>=24.3.0", "ipdb>=0.13.13", "mypy>=1.9.0", "pytest>=8.1.1", "pytest-cov>=4.1.0", "pytest-random-order>=1.1.1", - "ruff>=0.3.2", + "pytest-xdist>=3.5.0", + "ruff>=0.3.3", "sphinx>=7.2.6", ]