🎉 initial commit #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: pre-commit & security checks | |
| on: | |
| push: | |
| branches: [ main, master ] | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| precommit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python 3.13 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.13" | |
| - name: Install pre-commit | |
| run: python -m pip install --upgrade pip && pip install "pre-commit>=2.20.0" | |
| - name: Run pre-commit (all files) | |
| run: pre-commit run --all-files | |
| - name: Install Bandit & Safety | |
| run: | | |
| pip install "bandit==1.8.6" "safety==3.6.2" | |
| - name: Run Bandit (full repo) | |
| run: | | |
| bandit -r . -f json -o bandit-report.json || true | |
| - name: Run Safety (uv.lock) | |
| run: | | |
| if [ -f uv.lock ]; then | |
| # write JSON output; tolerate non-zero exit so job doesn't fail | |
| safety check --file=uv.lock --full-report --json > safety-report.json || true | |
| else | |
| # ensure a file exists so upload-artifact has something to upload | |
| echo '{"notice":"uv.lock not found; skipping safety."}' > safety-report.json | |
| fi | |
| - name: Upload Bandit report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: bandit-report | |
| path: bandit-report.json | |
| - name: Upload Safety report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: safety-report | |
| path: safety-report.json |