diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 87127f039fa1a260b726188f5bd56c9deb742478..96783a02cbc5898b0ae17954dd30beb608342d64 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -923,7 +923,7 @@ py-lint:
- install_requirements
- _pip install pylint_gitlab # codeclimate reports
# run pylint and generate reports all at once
- - _run pylint --ignore=.cache --output-format=colorized,pylint_gitlab.GitlabCodeClimateReporter:reports/py-lint.codeclimate.json,parseable:reports/py-lint.parseable.txt ${PYLINT_ARGS} ${PYLINT_FILES:-$(find -type f -name "*.py")}
+ - _run pylint --output-format=colorized,pylint_gitlab.GitlabCodeClimateReporter:reports/py-lint.codeclimate.json,parseable:reports/py-lint.parseable.txt ${PYLINT_ARGS} ${PYLINT_FILES:-$(find -type f -name "*.py" -not -path "./.cache/*")}
artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day
@@ -969,7 +969,7 @@ py-isort:
script:
- install_requirements
- _pip install isort
- - _run isort . --check-only
+ - _run isort . --check-only --extend-skip .cache
rules:
# exclude if $PYTHON_ISORT_ENABLED not set
- if: '$PYTHON_ISORT_ENABLED != "true"'
@@ -1169,7 +1169,6 @@ py-trivy:
dependencies: []
script:
- mkdir -p -m 777 reports
- - install_requirements
- |
if [[ -z "$PYTHON_TRIVY_DIST_URL" ]]
then
@@ -1190,15 +1189,17 @@ py-trivy:
mv ./trivy $python_trivy
fi
- |
- if [[ "$PYTHON_BUILD_SYSTEM" == poetry* ]]
- then
- # When using Poetry, `pip freeze` outputs a requirements.txt with @file URLs for each wheel
- # These @file URLs in requirements.txt are not supported by Trivy
- # So instead of simply using pip freeze, we use `poetry export`
- poetry export -f requirements.txt --without-hashes --output reports/requirements.txt
- else
- _pip freeze | tee ./reports/requirements.txt
- fi
+ case "$PYTHON_BUILD_SYSTEM" in
+ poetry*|pipenv*)
+ log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
+ cp poetry.lock Pipfile.lock ./reports 2>/dev/null || true
+ ;;
+ *)
+ log_info "$PYTHON_BUILD_SYSTEM build system used (\\e[32mmust generate pinned requirements.txt\\e[0m)"
+ install_requirements
+ _pip freeze | tee ./reports/requirements.txt
+ ;;
+ esac
if [[ -f "./requirements.txt" ]]
then
sort -u ./requirements.txt | grep -v "^[ ]*$" > ./requirements.txt.sorted
@@ -1208,7 +1209,7 @@ py-trivy:
log_warn "The ./requirements.txt file does not match the ./reports/requirements.txt file generated via pip freeze. Make sure to include all dependencies with pinned versions in ./requirements.txt and re-commit the file."
fi
fi
- if [ $($python_trivy fs ${PYTHON_TRIVY_ARGS} --format table --exit-code 0 ./reports/ | grep -c "Number of language-specific files: 0") -eq 1 ]; then
+ if [ $($python_trivy fs ${PYTHON_TRIVY_ARGS} --format table --exit-code 0 ./reports/ 2>&1 | grep -ic "Number of language-specific files[^0-9]*0$" ) -eq 1 ]; then
log_error "Could not find a file listing all dependencies with their versions."
exit 1
fi
@@ -1238,10 +1239,14 @@ py-sbom:
needs: []
script:
- mkdir -p -m 777 reports
- - install_requirements
- |
case "$PYTHON_BUILD_SYSTEM" in
- setuptools*|reqfile)
+ poetry*|pipenv*)
+ log_info "$PYTHON_BUILD_SYSTEM build system (\\e[32muse lock file\\e[0m)"
+ ;;
+ *)
+ log_info "$PYTHON_BUILD_SYSTEM build system used (\\e[32mmust generate pinned requirements.txt\\e[0m)"
+ install_requirements
_pip freeze > "${PYTHON_REQS_FILE}"
;;
esac