Merge pull request #48 from EVWorth/workflow-improvements

Refactored the Bandit Scan to use UV, pyproject.toml for configuration, and excluding paths like tests and .venv

I closed out the ~600 some CodeQL issues related to tests and this workflow update should keep those from showing back up,

I also moved conftest.py into the tests folder

Author: EVWorth

.github/workflows/bandit.yml

@@ -0,0 +1,27 @@
+name: Bandit
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      # required for all workflows
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Run Bandit
+        run: |
+          uv run bandit --configfile pyproject.toml --recursive . --format sarif --output results.sarif || true
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

.github/workflows/bandit_scan.yml

@@ -1,5 +1,3 @@
-# see https://github.com/marketplace/actions/publish-python-poetry-package
-
 name: Upload Release to PyPi
 
 on:

.github/workflows/pypi-publish.yml

@@ -1,7 +1,6 @@
-# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+# This workflow will install Python dependencies and run tests with supported Python versions
 
-name: Test Multiple Python Versions
+name: Test with Supported Python Versions
 
 on:
   push:

.github/workflows/python-package.yml

@@ -26,6 +26,7 @@ dependencies = [
 [dependency-groups]
 dev = [
     "aioresponses>=0.7.8",
+    "bandit[sarif,toml]>=1.8.6",
     "build>=1.2.2.post1",
     "freezegun>=1.5.2",
     "pre-commit>=4.2.0",
@@ -36,3 +37,6 @@ dev = [
     "twine>=6.1.0",
     "typeguard>=4.4.4",
 ]
+
+[tool.bandit]
+exclude_dirs = ["tests", ".venv"]

pyproject.toml

@@ -3,7 +3,7 @@
 import pytest
 from lxml import html
 
-from conftest import LoginType, add_signin
+from tests.conftest import LoginType, add_signin
 from pyadtpulse.exceptions import PulseAuthenticationError, PulseNotLoggedInError
 from pyadtpulse.pyadtpulse_async import PyADTPulseAsync
 from pyadtpulse.site import ADTPulseSite

conftest.py tests/conftest.pyconftest.py renamed to tests/conftest.py

@@ -9,7 +9,7 @@
 from aiohttp.client_reqrep import ConnectionKey
 from yarl import URL
 
-from conftest import MOCKED_API_VERSION
+from tests.conftest import MOCKED_API_VERSION
 from pyadtpulse.exceptions import (
     PulseClientConnectionError,
     PulseNotLoggedInError,

tests/test_paa_codium.py

@@ -12,7 +12,7 @@
 from aioresponses import aioresponses
 from pytest_mock import MockerFixture
 
-from conftest import LoginType, add_custom_response, add_logout, add_signin
+from tests.conftest import LoginType, add_custom_response, add_logout, add_signin
 from pyadtpulse.const import (
     ADT_DEFAULT_POLL_INTERVAL,
     ADT_DEVICE_URI,

tests/test_pqm_codium.py

@@ -6,7 +6,7 @@
 import pytest
 from lxml import html
 
-from conftest import LoginType, add_custom_response, add_signin
+from tests.conftest import LoginType, add_custom_response, add_signin
 from pyadtpulse.const import ADT_LOGIN_URI, DEFAULT_API_HOST
 from pyadtpulse.exceptions import (
     PulseAccountLockedError,