diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 87127f039fa1a260b726188f5bd56c9deb742478..96783a02cbc5898b0ae17954dd30beb608342d64 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -923,7 +923,7 @@ py-lint:
 - install_requirements
 - _pip install pylint_gitlab # codeclimate reports
 # run pylint and generate reports all at once
- - _run pylint --ignore=.cache --output-format=colorized,pylint_gitlab.GitlabCodeClimateReporter:reports/py-lint.codeclimate.json,parseable:reports/py-lint.parseable.txt ${PYLINT_ARGS} ${PYLINT_FILES:-$(find -type f -name "*.py")}
+ - _run pylint --output-format=colorized,pylint_gitlab.GitlabCodeClimateReporter:reports/py-lint.codeclimate.json,parseable:reports/py-lint.parseable.txt ${PYLINT_ARGS} ${PYLINT_FILES:-$(find -type f -name "*.py" -not -path "./.cache/*")}
 artifacts:
 name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
 expire_in: 1 day
@@ -969,7 +969,7 @@ py-isort:
 script:
 - install_requirements
 - _pip install isort
- - _run isort . --check-only
+ - _run isort . --check-only --extend-skip .cache
 rules:
 # exclude if $PYTHON_ISORT_ENABLED not set
 - if: '$PYTHON_ISORT_ENABLED != "true"'
@@ -1169,7 +1169,6 @@ py-trivy:
 dependencies: []
 script:
 - mkdir -p -m 777 reports
- - install_requirements
 - |
 if [[ -z "$PYTHON_TRIVY_DIST_URL" ]]
 then
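Review bot: The `.cache` exclusion now lives only in the `find` fallback, so when a caller supplies `PYLINT_FILES` that directory is no longer filtered the way `--ignore=.cache` used to filter it; if that is intended, say so on the line, e.g. `# .cache is only excluded from the default file set; PYLINT_FILES is taken as-is`. The `-not -path "./.cache/*"` form also still walks the whole `.cache` subtree before discarding it, which matters when pip or Trivy caches live there; `find . -path ./.cache -prune -o -type f -name "*.py" -print` produces the same list without descending into it. The py-lint job's `script:` list starts before this hunk.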
@@ -1190,15 +1189,17 @@ py-trivy:
 mv ./trivy $python_trivy
 fi
 - |
- if [[ "$PYTHON_BUILD_SYSTEM" == poetry* ]]
- then
- # When using Poetry, `pip freeze` outputs a requirements.txt with @file URLs for each wheel
- # These @file URLs in requirements.txt are not supported by Trivy
- # So instead of simply using pip freeze, we use `poetry export`
- poetry export -f requirements.txt --without-hashes --output reports/requirements.txt
- else
- _pip freeze | tee ./reports/requirements.txt
- fi
+ case "$PYTHON_BUILD_SYSTEM" in
+ poetry*|pipenv*)
+ log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
+ cp poetry.lock Pipfile.lock ./reports 2>/dev/null || true
+ ;;
+ *)
+ log_info "$PYTHON_BUILD_SYSTEM build system used (\\e[32mmust generate pinned requirements.txt\\e[0m)"
+ install_requirements
+ _pip freeze | tee ./reports/requirements.txt
+ ;;
+ esac
 if [[ -f "./requirements.txt" ]]
 then
 sort -u ./requirements.txt | grep -v "^[ ]*$" > ./requirements.txt.sorted
@@ -1208,7 +1209,7 @@ py-trivy:
 log_warn "The ./requirements.txt file does not match the ./reports/requirements.txt file generated via pip freeze. Make sure to include all dependencies with pinned versions in ./requirements.txt and re-commit the file."
 fi
 fi
- if [ $($python_trivy fs ${PYTHON_TRIVY_ARGS} --format table --exit-code 0 ./reports/ | grep -c "Number of language-specific files: 0") -eq 1 ]; then
+ if [ $($python_trivy fs ${PYTHON_TRIVY_ARGS} --format table --exit-code 0 ./reports/ 2>&1 | grep -ic "Number of language-specific files[^0-9]*0$" ) -eq 1 ]; then
 log_error "Could not find a file listing all dependencies with their versions."
 exit 1
 fi
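Review bot: In the new `poetry*|pipenv*` branch `./reports/requirements.txt` is never written, yet the code right after the `case` still takes a committed `./requirements.txt` and compares it against that file, warning that it "does not match the ./reports/requirements.txt file generated via pip freeze"; that comparison should be skipped on the lock-file path, e.g. by guarding it with `[[ -f ./reports/requirements.txt ]]`. The lines between this hunk and the next, where the comparison itself runs, are not shown, so the exact guard placement is inferred. `cp poetry.lock Pipfile.lock ./reports 2>/dev/null || true` also hides a missing lock file completely, leaving the later Trivy-output scrape as the only thing that notices; an explicit per-file existence check with a `log_warn` when neither lock file was found would make that failure mode visible. Scanning the lock file covers every dependency group, whereas the removed `poetry export` call exported only the default group, so findings may grow for Poetry projects — presumably intended, but worth one line in the changelog.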
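Review bot: The new `grep -ic "Number of language-specific files[^0-9]*0$"` still scrapes Trivy's human-readable table, so a wording or layout change in a future Trivy release silently disables this guard (the count drops to 0 and the job proceeds as if a dependency file had been found). The same `fs` command supports `--format json`, whose `Results` field is absent or empty in this situation, which would give a stable check; if the image has no JSON tool, at least pair this guard with a direct `[[ -f ./reports/requirements.txt || -f ./reports/poetry.lock || -f ./reports/Pipfile.lock ]]` test so the missing-input case is detected without depending on output text.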
@@ -1238,10 +1239,14 @@ py-sbom:
 needs: []
 script:
 - mkdir -p -m 777 reports
- - install_requirements
 - |
 case "$PYTHON_BUILD_SYSTEM" in
- setuptools*|reqfile)
+ poetry*|pipenv*)
+ log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
+ ;;
+ *)
+ log_info "$PYTHON_BUILD_SYSTEM build system used (\\e[32mmust generate pinned requirements.txt\\e[0m)"
+ install_requirements
 _pip freeze > "${PYTHON_REQS_FILE}"
 ;;
 esac
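Review bot: This `case` duplicates the build-system dispatch and both `log_info` strings that the py-trivy hunk adds, escape sequences included, and the two copies already differ in wording ("build system" versus "build system used"); a shared shell function in the script preamble, e.g. `py_uses_lockfile` returning 0 for `poetry*|pipenv*`, would let both jobs call it and keep the messages in one place. Dropping the unconditional `install_requirements` means Poetry and Pipenv projects install nothing in this job; whether the SBOM generation that follows the hunk needs the installed environment or only the lock file cannot be seen here, so that path should be exercised in CI before merging. The job's `script:` continues past the end of the hunk.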