CI testing

Author: irvingpop

.github/workflows/ci.yml

@@ -0,0 +1,188 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+env:
+  POETRY_VERSION: "2.3.0"
+  POETRY_VIRTUALENVS_IN_PROJECT: true
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Load cached Poetry installation
+        id: cached-poetry
+        uses: actions/cache@v4
+        with:
+          path: ~/.local
+          key: poetry-${{ env.POETRY_VERSION }}-${{ runner.os }}
+
+      - name: Install Poetry
+        if: steps.cached-poetry.outputs.cache-hit != 'true'
+        uses: snok/install-poetry@v1
+        with:
+          version: ${{ env.POETRY_VERSION }}
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+
+      - name: Load cached venv
+        id: cached-venv
+        uses: actions/cache@v4
+        with:
+          path: .venv
+          key: venv-lint-${{ runner.os }}-py3.12-${{ hashFiles('poetry.lock') }}
+          restore-keys: |
+            venv-lint-${{ runner.os }}-py3.12-
+
+      - name: Install dependencies
+        if: steps.cached-venv.outputs.cache-hit != 'true'
+        run: poetry install --only dev --no-interaction
+
+      - name: Run Black formatter check
+        run: poetry run black --check .
+
+      - name: Run isort import check
+        run: poetry run isort --check-only .
+
+      - name: Run Flake8 linter
+        run: poetry run flake8 .
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Load cached Poetry installation
+        id: cached-poetry
+        uses: actions/cache@v4
+        with:
+          path: ~/.local
+          key: poetry-${{ env.POETRY_VERSION }}-${{ runner.os }}
+
+      - name: Install Poetry
+        if: steps.cached-poetry.outputs.cache-hit != 'true'
+        uses: snok/install-poetry@v1
+        with:
+          version: ${{ env.POETRY_VERSION }}
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+
+      - name: Load cached venv
+        id: cached-venv
+        uses: actions/cache@v4
+        with:
+          path: .venv
+          key: venv-test-${{ runner.os }}-py3.12-${{ hashFiles('poetry.lock') }}
+          restore-keys: |
+            venv-test-${{ runner.os }}-py3.12-
+
+      - name: Install dependencies
+        if: steps.cached-venv.outputs.cache-hit != 'true'
+        run: poetry install --no-interaction
+
+      - name: Run tests with coverage
+        working-directory: src
+        run: |
+          poetry run pytest \
+            --cov=. \
+            --cov-report=xml \
+            --cov-report=term-missing \
+            -v \
+            --tb=short
+        env:
+          DJANGO_ENV: testing
+          ENVIRONMENT: TEST
+          SECRET_KEY: test-secret-key-for-ci
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          files: ./src/coverage.xml
+          fail_ci_if_error: false
+          verbose: true
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Load cached Poetry installation
+        id: cached-poetry
+        uses: actions/cache@v4
+        with:
+          path: ~/.local
+          key: poetry-${{ env.POETRY_VERSION }}-${{ runner.os }}
+
+      - name: Install Poetry
+        if: steps.cached-poetry.outputs.cache-hit != 'true'
+        uses: snok/install-poetry@v1
+        with:
+          version: ${{ env.POETRY_VERSION }}
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+
+      - name: Load cached venv
+        id: cached-venv
+        uses: actions/cache@v4
+        with:
+          path: .venv
+          key: venv-security-${{ runner.os }}-py3.12-${{ hashFiles('poetry.lock') }}
+          restore-keys: |
+            venv-security-${{ runner.os }}-py3.12-
+
+      - name: Install dependencies
+        if: steps.cached-venv.outputs.cache-hit != 'true'
+        run: poetry install --no-interaction
+
+      - name: Run Bandit security linter
+        run: poetry run bandit -r . --skip B101 -f json -o bandit-report.json || true
+
+      - name: Display Bandit results
+        run: poetry run bandit -r . --skip B101 -f txt || true
+
+  # Final status check for branch protection
+  ci-success:
+    name: CI Success
+    needs: [lint, test, security]
+    runs-on: ubuntu-latest
+    if: always()
+    steps:
+      - name: Check all jobs passed
+        run: |
+          if [[ "${{ needs.lint.result }}" != "success" ]]; then
+            echo "Lint job failed"
+            exit 1
+          fi
+          if [[ "${{ needs.test.result }}" != "success" ]]; then
+            echo "Test job failed"
+            exit 1
+          fi
+          # Security is informational, doesn't fail CI
+          echo "All required jobs passed!"

poetry.lock

@@ -51,6 +51,8 @@ pytest-django = "^4.8"                      # Keep
 pytest-env = "^1.1"                         # Keep
 pytest-mock = "^3.14"                       # Keep
 responses = "^0.25"                         # Keep
+ruff = "^0.14.14"
+pytest-cov = "^7.0.0"
 
 [tool.isort]
 line_length = 88
@@ -59,6 +61,22 @@ include_trailing_comma = true
 force_grid_wrap = 0
 use_parentheses = true
 
+[tool.ruff]
+line-length = 88
+exclude = [
+    "*/migrations/*",
+    ".venv",
+    "__pycache__",
+]
+
+[tool.ruff.lint]
+select = ["E", "F", "W", "I"]
+ignore = ["E501"]  # Line too long (handled by formatter)
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+
 [build-system]
 requires = ["poetry>=2.3.0"]
 build-backend = "poetry.masonry.api"

pyproject.toml

@@ -1,6 +1,7 @@
 """
 Custom password hashers with tuned parameters for web authentication.
 """
+
 from django.contrib.auth.hashers import Argon2PasswordHasher
 
 
@@ -21,6 +22,7 @@ class TunedArgon2PasswordHasher(Argon2PasswordHasher):
     - OWASP Password Storage Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
     - Django default uses 100 MB which is optimized for maximum security but too slow for web
     """
+
     time_cost = 2
     memory_cost = 19456  # 19 MB (OWASP minimum recommendation)
-    parallelism = 1      # Single-threaded for web servers
+    parallelism = 1  # Single-threaded for web servers

src/core/hashers.py

@@ -1,4 +1,3 @@
-from django.contrib.auth import get_user_model
 from dj_rest_auth.registration.serializers import (
     RegisterSerializer as BaseRegisterSerializer,
 )
@@ -7,6 +6,7 @@
     PasswordResetConfirmSerializer as BasePasswordResetConfirmSerializer,
 )
 from dj_rest_auth.serializers import UserDetailsSerializer as BaseUserDetailsSerializer
+from django.contrib.auth import get_user_model
 from rest_framework import serializers
 
 from core.models import Profile
@@ -78,9 +78,12 @@ def validate(self, data):
             data["username"] = data.get("email", "")
         # Check for duplicate email - this prevents hitting DB unique constraint
         from django.contrib.auth import get_user_model
+
         User = get_user_model()
         if User.objects.filter(email=data.get("email")).exists():
-            raise serializers.ValidationError({"email": ["A user with that email already exists."]})
+            raise serializers.ValidationError(
+                {"email": ["A user with that email already exists."]}
+            )
         return data
 
 

src/core/serializers.py

@@ -5,7 +5,6 @@
 from django.contrib.auth.models import User as AuthUser
 from django.core.mail import send_mail
 from django.template.loader import render_to_string
-from django_q.tasks import async_task
 from mailchimp3 import MailChimp
 
 logger = logging.getLogger(__name__)

src/core/tasks.py

@@ -1,7 +1,7 @@
-from django.urls import include, path
-from django.views.generic import TemplateView
 from dj_rest_auth.registration.views import VerifyEmailView
 from dj_rest_auth.views import PasswordChangeView, PasswordResetConfirmView
+from django.urls import include, path
+from django.views.generic import TemplateView
 from rest_framework_simplejwt.views import TokenRefreshView, TokenVerifyView
 
 from . import views
@@ -13,6 +13,7 @@ class DummyPasswordResetConfirmView(TemplateView):
     is handled by the PasswordResetConfirmView via POST.
     This pattern exists to satisfy Django's reverse() call in password reset emails.
     """
+
     template_name = ""
 
 

src/core/urls.py

@@ -1,9 +1,9 @@
+from dj_rest_auth.registration.views import RegisterView as BaseRegisterView
 from django.contrib.auth.models import User
 from django.utils.decorators import method_decorator
 from django.views.decorators.debug import sensitive_post_parameters
 from drf_yasg.openapi import IN_QUERY, TYPE_STRING, Parameter
 from drf_yasg.utils import swagger_auto_schema
-from dj_rest_auth.registration.views import RegisterView as BaseRegisterView
 from rest_framework.exceptions import NotFound, ValidationError
 from rest_framework.generics import RetrieveUpdateAPIView
 from rest_framework.permissions import IsAuthenticated

src/core/views.py

@@ -212,8 +212,8 @@ def worker_int(worker):
     worker.log.info("worker received INT or QUIT signal")
 
     # get traceback info
-    import threading
     import sys
+    import threading
     import traceback
 
     id2name = {th.ident: th.name for th in threading.enumerate()}

src/gunicorn_config.py

@@ -5,6 +5,7 @@
 To change settings file:
 `DJANGO_ENV=production python manage.py runserver`
 """
+
 from os import environ
 
 from split_settings.tools import include, optional