Issue 1288: Adding CodeQL and Ruff as additional workflow items #1307
Conversation
.github/workflows/codeql.yml
Outdated
There was a problem hiding this comment.
I think it is missing the codeql directory, which is the configuration, from here.
There was a problem hiding this comment.
I'll make sure to add them in.
.github/workflows/ruff.yml
Outdated
| name: Analyze | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: write |
There was a problem hiding this comment.
Does it need write access? That seems like we're handing the VM a lot of power.
There was a problem hiding this comment.
It does not as it's merely analyzing the code. I'm assuming I should take away its permission to write during security-events as well?
| with: | ||
| python-version: '3.10' | ||
| - name: Upgrade tooling | ||
| run: | |
There was a problem hiding this comment.
Is there a way to use the build command to make this happen? Maybe through a virtual environment so there's not so much installation stuff (that seems a little friable for future upgrades)? Please let me know if I'm wrong.
There was a problem hiding this comment.
Make what happen exactly? Upgrading tools? I'm a little confused what installing tools through a virtual environment would do in this situation and how it would mitigate the need to install extra stuff.
Also, I don't think we need pip3 install --upgrade build importlib_metadata setuptools setuptools_scm wheel as we're running a lint check on the code.
| # to add extra rules or a configuration file. | ||
| run: ruff check --output-file ruff_report.txt . || true | ||
| continue-on-error: true | ||
| - name: Upload Artifact |
There was a problem hiding this comment.
Looks great. But what if we don't compress it? Then maybe it can be viewable in the browser instead of requiring a bunch of clicks and unpacking, etc.
There was a problem hiding this comment.
We can run ruff check --output-format=github . and have it output in the browser if you'd like.
| run: | | ||
| pip3 install -r requirements.txt | ||
| pip3 install -e . | ||
| - name: Prepare PYTHONPATH |
There was a problem hiding this comment.
All that path stuff is required, I think. Well maybe it can be condensed into the above: 'Prepare Test Environment' or something...
There was a problem hiding this comment.
Let's talk about this one please. ... it's sort of a prototype for shared configurations, so needs things to be a little generic in some ways. In other ways, there are some customizations requested for EXOTIC.
Much of the file tested here may be better suited as a contribution to JPL's standards.
|
I will hold this for the next release. We have a lot of balls up in the air. Thanks! |
CodeQL will help identify vulnerability issues, and Ruff as a linter to detect errors and formatting suggestions.