fix: client-cert API role gating + private-key download stratificatio… #394
| name: CI | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| workflow_dispatch: | |
| # Default to read-only. The single job below only reads source and uploads | |
| # coverage via codecov-action (which manages its own auth via the upload | |
| # token, not the GITHUB_TOKEN), so no job needs write here. | |
| permissions: read-all | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| # 3.12 matches the production Dockerfile. Python 3.14 is temporarily | |
| # out of the matrix: the current pin of josepy 1.13.0 (required by | |
| # certbot 2.10.0 → acme 3.3.0) raises ValueError at class definition | |
| # under PEP 649 evaluation. Tracked in #103 — restore when the | |
| # certbot/josepy/acme stack is upgraded. | |
| python-version: ['3.12'] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 (was v4) | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Cache pip dependencies | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 (was v3) | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements*.txt') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install -r requirements-test.txt | |
| - name: Lint with flake8 | |
| run: | | |
| pip install flake8 | |
| # stop the build if there are Python syntax errors or undefined names | |
| flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics | |
| # exit-zero treats all errors as warnings | |
| flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics | |
| - name: Security check with bandit | |
| run: | | |
| pip install bandit | |
| bandit -r modules/ app.py --severity-level medium | |
| - name: Run tests with coverage | |
| env: | |
| FLASK_ENV: testing | |
| TESTING: true | |
| run: | | |
| pytest -v --tb=short --cov=. --cov-report=xml --cov-report=html -m "not ui" | |
| - name: Upload coverage reports | |
| if: matrix.python-version == '3.12' | |
| uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 (was v3) | |
| with: | |
| file: ./coverage.xml | |
| flags: unittests | |
| name: codecov-umbrella | |
| - name: Test Docker build | |
| if: matrix.python-version == '3.12' | |
| run: | | |
| docker build -t certmate:test . |
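Review bot: The `pip install flake8` and `pip install bandit` lines in the lint and security steps install whatever PyPI serves at run time, while every action in this same workflow is pinned to a commit SHA; the linter and the security scanner are the only dependencies in the job that can change behaviour (or be replaced upstream) without a diff, and they also sit outside the `hashFiles('**/requirements*.txt')` cache key. Add both to requirements-test.txt with a pinned version (or a hash-checked install) and drop the ad-hoc installs, so the existing `pip install -r requirements-test.txt` in the dependency step covers them. Separately, the comment above `permissions: read-all` says codecov-action authenticates via its upload token, but the "Upload coverage reports" step sets no `token:` input and no `CODECOV_TOKEN` env; if the repository relies on tokenless uploads for a public repo that is fine, otherwise the upload will not authenticate, so this is worth confirming against the repo settings. The file is rendered without old/new markers, so which of these lines the PR actually changed cannot be told from this view.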