From 814862d315c3194977db1209523e3c0636d2f65d Mon Sep 17 00:00:00 2001
From: John Whitlock
Date: Wed, 19 May 2021 10:43:29 -0500
Subject: [PATCH 1/3] Sync lint build with scripts/lint.sh

Run commands in same order as scripts/lint.sh, re-arrange args to match more closely. This adds pylint, and switches mypy to use mypy.ini. detect-secrets is skipped, because it requires git. It still works best as a pre-commit hook.
---
 docker/Dockerfile | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index cf272f5a..9c1018da 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -78,13 +78,14 @@ ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD uvicorn ctms.app:app --reload --host=0.0.0.0 --port=$PORT
-# 'lint' stage runs black and isort
+# 'lint' stage runs similar checks to pre-commit / scripts/lint.sh
 # running in check mode means build will fail if any linting errors occur
 FROM development AS lint
-RUN isort --settings-path ./pyproject.toml --recursive --check-only
-RUN black --config ./pyproject.toml --check ctms tests
-RUN mypy --no-strict-optional --ignore-missing-imports ctms
 RUN bandit -lll --recursive ctms --exclude "ctms/poetry.lock,ctms/.venv,ctms/.mypy,ctms/build"
+RUN mypy ctms
+RUN black --config ./pyproject.toml --check ctms tests
+RUN isort --recursive --settings-path ./pyproject.toml --check-only ctms
+RUN pylint ctms tests/unit
 CMD ["tail", "-f", "/dev/null"]

From e570a83257f5d83c35efed158ea59a2da597d37b Mon Sep 17 00:00:00 2001
From: John Whitlock
Date: Wed, 19 May 2021 10:52:18 -0500
Subject: [PATCH 2/3] Move docker-compose.lint.yaml

---
 Makefile | 4 ++--
 docker-compose.lint.yaml => tests/docker-compose.lint.yaml | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename docker-compose.lint.yaml => tests/docker-compose.lint.yaml (100%)

diff --git a/Makefile b/Makefile
index 3647b1e5..aa159b18 100644
--- a/Makefile
+++ b/Makefile
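Review bot: The new `RUN isort --recursive --settings-path ./pyproject.toml --check-only ctms` narrows the isort check to `ctms` only, while the old invocation took no path and the neighbouring `RUN black ... --check ctms tests` still covers `tests`, so import ordering in the test suite is no longer enforced by the image build; `RUN isort --recursive --settings-path ./pyproject.toml --check-only ctms tests` keeps the two tools in step. `--recursive` is a deprecated no-op that only emits a warning under isort 5, so if the development stage pins isort >= 5 the flag can be dropped. `RUN mypy ctms` now depends on a `mypy.ini` being present in the build context to supply the options the removed flags provided; a comment such as `# mypy options live in mypy.ini, copied in by the development stage` would make that dependency visible, assuming the COPY happens in the part of the Dockerfile not shown here. Note also that `bandit -lll` fails the build only on HIGH-severity findings, so MEDIUM-severity ones (pickle/yaml.load usage, hard-coded tmp paths) pass silently; that bar is worth stating in the lint-stage comment or tightening to `-ll` if it is not intended.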
@@ -42,8 +42,8 @@ build: .env
 .PHONY: lint
 lint: .env
- docker-compose -f ./docker-compose.lint.yaml build \
- --build-arg userid=${CTMS_UID} --build-arg groupid=${CTMS_GID}
+ docker-compose -f ./docker-compose.yaml -f ./tests/docker-compose.lint.yaml build \
+ --build-arg userid=${CTMS_UID} --build-arg groupid=${CTMS_GID} lint
 .PHONY: db-only
 db-only: .env
diff --git a/docker-compose.lint.yaml b/tests/docker-compose.lint.yaml
similarity index 100%
rename from docker-compose.lint.yaml
rename to tests/docker-compose.lint.yaml

From 3f899a191f1e4b4f3cbded1f96e61b7301dd4399 Mon Sep 17 00:00:00 2001
From: John Whitlock
Date: Wed, 19 May 2021 11:20:58 -0500
Subject: [PATCH 3/3] Allow scripts/lint.sh to run in container

Skip detect-secrets-hook when git is not installed. This allows the other checks to be run inside the Docker container.
---
 docker/Dockerfile | 2 +-
 scripts/lint.sh | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 9c1018da..17e48ed4 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -86,7 +86,7 @@ RUN mypy ctms
 RUN black --config ./pyproject.toml --check ctms tests
 RUN isort --recursive --settings-path ./pyproject.toml --check-only ctms
 RUN pylint ctms tests/unit
-CMD ["tail", "-f", "/dev/null"]
+CMD ./scripts/lint.sh
 # 'test' stage runs our unit tests with pytest and
diff --git a/scripts/lint.sh b/scripts/lint.sh
index 335c00bb..949681ee 100755
--- a/scripts/lint.sh
+++ b/scripts/lint.sh
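Review bot: `CMD ./scripts/lint.sh` is shell form, so the script runs under `/bin/sh -c` rather than as PID 1 and does not receive `SIGTERM` from `docker stop` / `docker-compose down`; the exec form `CMD ["./scripts/lint.sh"]` is the conventional fix and matches the JSON-array `CMD` this line replaces. The relative path also relies on `WORKDIR` being the repository root and on the script keeping its executable bit in the image, both set outside this hunk and worth confirming. Since the same checks already ran as `RUN` steps when the stage was built, starting the container repeats them, and the script's bandit call scans the whole `${BASE_DIR}` rather than only `ctms`, so the run-time result can differ from the build-time one; a comment on the `CMD` line saying that the container re-runs the full scripts/lint.sh would make that intent explicit.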
@@ -4,12 +4,16 @@ set -e
 CURRENT_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 BASE_DIR="$(dirname "$CURRENT_DIR")"
+HAS_GIT="$(command -v git || echo '')"
+echo $HAS_GIT
 bandit -lll --recursive "${BASE_DIR}" --exclude "${BASE_DIR}/poetry.lock,${BASE_DIR}/.venv,${BASE_DIR}/.mypy,${BASE_DIR}/build"
-# Scan only files checked into the repo, omit poetry.lock
-SECRETS_TO_SCAN=`git ls-tree --full-tree -r --name-only HEAD | grep -v poetry.lock`
-detect-secrets-hook $SECRETS_TO_SCAN --baseline .secrets.baseline
+if [ -n "$HAS_GIT" ]; then
+ # Scan only files checked into the repo, omit poetry.lock
+ SECRETS_TO_SCAN=`git ls-tree --full-tree -r --name-only HEAD | grep -v poetry.lock`
+ detect-secrets-hook $SECRETS_TO_SCAN --baseline .secrets.baseline
+fi
 mypy "${BASE_DIR}"
 black --config "${BASE_DIR}/pyproject.toml" "${BASE_DIR}"
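Review bot: The guard `if [ -n "$HAS_GIT" ]; then` tests only that a git binary exists, not that the script is running inside a checkout; in a container that has git but no `.git` directory (the usual case when `.git` is listed in `.dockerignore`), `git ls-tree ... HEAD` fails, `grep -v` then exits 1 on empty input, and `set -e` aborts the whole script instead of skipping the scan. Testing the repository directly, `if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then`, covers both the missing-binary and the no-checkout case and makes `HAS_GIT` and the stray `echo $HAS_GIT` debug line unnecessary. Because detect-secrets is the only credential scan in this script, the skip should be visible rather than silent, e.g. `else` / `echo "WARNING: not inside a git checkout, skipping detect-secrets scan" >&2` before `fi`, so a CI run in an image without git cannot pass lint without ever scanning for secrets. The moved `detect-secrets-hook` line still resolves `.secrets.baseline` and the root-relative paths from `git ls-tree` against the current directory, whereas every other command here uses `${BASE_DIR}`, so that block only works when the script is invoked from the repository root; either `cd "${BASE_DIR}"` first or note the assumption in the comment.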