-
Notifications
You must be signed in to change notification settings - Fork 7
feat: add official Dockerfile and release workflow for CI (fixes #85) #92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,12 @@ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| FROM python:3.12-slim | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # Install git since becwright shells out to git commands | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| RUN apt-get update && \ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| apt-get install -y --no-install-recommends git && \ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rm -rf /var/lib/apt/lists/* | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # Install becwright from PyPI | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| RUN pip install --no-cache-dir becwright | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
| # Set entrypoint to run becwright automatically | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ENTRYPOINT ["becwright"] | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Comment on lines
+1
to
+12
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
printf 'Repo root files:\n'
git ls-files | sed -n '1,200p'
printf '\nDockerfile:\n'
cat -n Dockerfile
printf '\nLikely release/workflow files mentioning becwright or image publish:\n'
rg -n --hidden --glob '!**/.git/**' -e 'becwright|GHCR|ghcr|docker build|image tag|pypi|pip install' .github Dockerfile pyproject.toml setup.py setup.cfg 2>/dev/null || trueRepository: DataDave-Dev/becwright Length of output: 8651 🏁 Script executed: #!/bin/bash
set -euo pipefail
printf 'release.yml relevant section:\n'
sed -n '80,120p' .github/workflows/release.yml | cat -n
printf '\nAny Docker image build/push references:\n'
rg -n -C 3 'docker|ghcr|image|publish' .github/workflows/release.yml .github/workflows/*.yml Dockerfile action.yml README.md documentation -g '!**/node_modules/**' || true
printf '\nPyPI/package version source:\n'
sed -n '1,120p' pyproject.toml | cat -nRepository: DataDave-Dev/becwright Length of output: 20869 Run This image currently starts 🔒 Proposed fix RUN pip install --no-cache-dir becwright
+RUN useradd --create-home --shell /usr/sbin/nologin becwright
+USER becwright
ENTRYPOINT ["becwright"]📝 Committable suggestion
Suggested change
🧰 Tools🪛 Trivy (0.69.3)[error] 1-1: Image user should not be 'root' Specify at least 1 USER command in Dockerfile with non-root user as argument Rule: DS-0002 (IaC/Dockerfile) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -170,6 +170,30 @@ jobs: | |
| Marcalo como check *required* en la protección de rama y las reglas ya no se | ||
| pueden saltar con `git commit --no-verify`. | ||
|
|
||
| ## CI: Docker y GitLab CI (o entornos genéricos) | ||
|
|
||
| Para entornos de CI que soportan contenedores Docker (como GitLab CI o Jenkins), o para ejecutar validaciones sin instalar Python localmente, puedes usar la imagen oficial de Docker. | ||
|
|
||
| Ejecuta el contenedor montando la raíz de tu repositorio como volumen: | ||
|
|
||
| ```sh | ||
| docker run --rm -v "$PWD:/repo" -w /repo ghcr.io/datadave-dev/becwright check --diff origin/main | ||
| ``` | ||
|
|
||
| ### Integración con GitLab CI | ||
|
|
||
| Agrega el siguiente trabajo a tu `.gitlab-ci.yml`: | ||
|
|
||
| ```yaml | ||
| becwright: | ||
| stage: test | ||
| image: | ||
| name: ghcr.io/datadave-dev/becwright:latest | ||
| entrypoint: [""] | ||
| script: | ||
| - becwright check --diff origin/main | ||
|
Comment on lines
+185
to
+194
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
# Map relevant documentation files and inspect the Spanish recipe section plus any matching English recipe.
git ls-files 'documentation/*recipes*' 'documentation/*.md' | sed -n '1,120p'
printf '\n--- Spanish recipe excerpt ---\n'
sed -n '170,210p' documentation/recipes.es.md
printf '\n--- Search for becwright / diff-based recipes ---\n'
rg -n "becwright check --diff|git fetch origin main|clone depth|fetch-depth|origin/main" documentation -SRepository: DataDave-Dev/becwright Length of output: 2227 🏁 Script executed: #!/bin/bash
set -euo pipefail
printf '\n--- English recipe excerpt ---\n'
sed -n '150,195p' documentation/recipes.md
printf '\n--- GitLab/CI related lines in Spanish recipe ---\n'
sed -n '150,195p' documentation/recipes.es.mdRepository: DataDave-Dev/becwright Length of output: 2448 🌐 Web query:
💡 Result: In GitLab CI/CD, the repository is typically cloned as a shallow copy, which affects the availability of remote references like origin/main [1][2]. Default Git Depth The default value for GIT_DEPTH is 20, which limits the number of commits fetched during the cloning process [3][4][2]. This value can be overridden by setting the GIT_DEPTH variable in your.gitlab-ci.yml file [3][2]. Setting it to 0 will perform a full clone of the repository, making all remote references and history available [3]. Accessing Remote Refs Because GitLab CI performs a shallow clone by default, you may find that branches or tags other than the one currently being processed are not available in the local repository [5][6]. If you need to access origin/main or other remote branches, you can: 1. Increase GIT_DEPTH or set it to 0 (full clone) to fetch more history [3]. 2. Explicitly fetch the desired branches or refs within your job script: - git fetch origin main - git fetch --all (Note: This may require specific repository access configurations depending on your runner's setup) [5]. Default Branch GitLab tracks the project's default branch via the predefined CI/CD variable CI_DEFAULT_BRANCH [7][8]. This variable is useful in conditional logic (e.g., in workflow rules) to ensure specific jobs run only when the pipeline is executing on the default branch [9][10]. Citations:
Fetch the base ref before the diff check
🤖 Prompt for AI Agents |
||
| ``` | ||
|
|
||
| ## Framework pre-commit | ||
|
|
||
| `.pre-commit-config.yaml`: | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -163,6 +163,30 @@ jobs: | |
| Make it a *required* check in branch protection and the rules can no longer be | ||
| skipped with `git commit --no-verify`. | ||
|
|
||
| ## CI: Docker & GitLab CI (or generic environments) | ||
|
|
||
| For CI environments that support Docker containers (such as GitLab CI or Jenkins), or to run checks without installing Python locally, you can use the official Docker image. | ||
|
|
||
| Run the container by mounting your repository root as a volume: | ||
|
|
||
| ```sh | ||
| docker run --rm -v "$PWD:/repo" -w /repo ghcr.io/datadave-dev/becwright check --diff origin/main | ||
| ``` | ||
|
|
||
| ### GitLab CI Integration | ||
|
|
||
| Add the following job to your `.gitlab-ci.yml`: | ||
|
|
||
| ```yaml | ||
| becwright: | ||
| stage: test | ||
| image: | ||
| name: ghcr.io/datadave-dev/becwright:latest | ||
| entrypoint: [""] | ||
| script: | ||
| - becwright check --diff origin/main | ||
|
Comment on lines
+178
to
+187
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
printf 'Repo files of interest:\n'
git ls-files documentation/recipes.md .gitlab-ci.yml .github/workflows 2>/dev/null | sed -n '1,200p'
printf '\n--- documentation/recipes.md around relevant lines ---\n'
wc -l documentation/recipes.md
sed -n '140,220p' documentation/recipes.md
printf '\n--- search for git fetch / depth in docs ---\n'
rg -n "git fetch|fetch-depth|clone depth|origin/main|becwright check --diff" documentation .github .gitlab-ci.yml -SRepository: DataDave-Dev/becwright Length of output: 2834 🏁 Script executed: #!/bin/bash
set -euo pipefail
wc -l documentation/recipes.md
sed -n '160,210p' documentation/recipes.md
rg -n "git fetch|fetch-depth|clone depth|origin/main|becwright check --diff" documentation .github .gitlab-ci.yml -SRepository: DataDave-Dev/becwright Length of output: 1947 Fetch 🤖 Prompt for AI Agents |
||
| ``` | ||
|
|
||
| ## pre-commit framework | ||
|
|
||
| `.pre-commit-config.yaml`: | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
Repository: DataDave-Dev/becwright
Length of output: 251
🏁 Script executed:
Repository: DataDave-Dev/becwright
Length of output: 4922
🏁 Script executed:
Repository: DataDave-Dev/becwright
Length of output: 852
Disable persisted checkout credentials in the Docker job.
actions/checkoutleaves the repo token in.git/configby default, and this workflow sends the whole repo as the Docker build context. Setpersist-credentials: falsehere since no later step needs git auth.🛡️ Proposed fix
📝 Committable suggestion
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 89-89: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Source: Linters/SAST tools