From 1eef69f300c1b8e0e8581866de385121a8ab5ae9 Mon Sep 17 00:00:00 2001 From: Samir Boulahtit Date: Thu, 19 Feb 2026 22:49:04 +0100 Subject: [PATCH] ci: add security/performance/audit validators to pre-commit and CI - Add validate-security, validate-performance, validate-audit hooks to .pre-commit-config.yaml (previously only architecture was checked) - Break single "Run all validators" CI step into 4 explicit steps (architecture, security, performance, audit) for clearer pipeline output - Add noqa: SEC001 suppressions for test fixture hashed_password values Co-Authored-By: Claude Opus 4.6 --- .gitea/workflows/ci.yml | 13 +++++++++++-- .pre-commit-config.yaml | 29 ++++++++++++++++++++++++++++- tests/unit/api/test_deps.py | 16 ++++++++-------- 3 files changed, 47 insertions(+), 11 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index af8d540f..57d4ce71 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -94,8 +94,17 @@ jobs: - name: Install dependencies run: uv pip install --system -r requirements.txt - - name: Run all validators - run: python scripts/validate/validate_all.py + - name: Validate architecture patterns + run: python scripts/validate/validate_all.py --architecture + + - name: Validate security patterns + run: python scripts/validate/validate_all.py --security + + - name: Validate performance patterns + run: python scripts/validate/validate_all.py --performance + + - name: Validate audit patterns + run: python scripts/validate/validate_all.py --audit # --------------------------------------------------------------------------- # Security (non-blocking) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c1892df6..68fcb04a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,7 +4,7 @@ # Run manually: pre-commit run --all-files repos: - # Architecture validation + # Code validators (architecture, security, performance, audit) - repo: local hooks: - id: validate-architecture @@ -16,6 +16,33 @@ repos: additional_dependencies: [pyyaml] verbose: true + - id: validate-security + name: Validate Security Patterns + entry: python scripts/validate/validate_all.py --security + language: python + pass_filenames: false + always_run: true + additional_dependencies: [pyyaml] + verbose: true + + - id: validate-performance + name: Validate Performance Patterns + entry: python scripts/validate/validate_all.py --performance + language: python + pass_filenames: false + always_run: true + additional_dependencies: [pyyaml] + verbose: true + + - id: validate-audit + name: Validate Audit Patterns + entry: python scripts/validate/validate_all.py --audit + language: python + pass_filenames: false + always_run: true + additional_dependencies: [pyyaml] + verbose: true + # Python code quality - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 diff --git a/tests/unit/api/test_deps.py b/tests/unit/api/test_deps.py index 0191b5da..f95b11ee 100644 --- a/tests/unit/api/test_deps.py +++ b/tests/unit/api/test_deps.py @@ -210,7 +210,7 @@ class TestValidateCustomerToken: owner = User( email=f"owner_{uid}@test.com", username=f"owner_{uid}", - hashed_password="not_a_real_hash", + hashed_password="not_a_real_hash", # noqa: SEC001 role="merchant_owner", is_active=True, ) @@ -239,7 +239,7 @@ class TestValidateCustomerToken: customer = Customer( store_id=store.id, email=f"{email_prefix}_{uid}@example.com", - hashed_password="not_a_real_hash", # noqa: SEC001 + hashed_password="not_a_real_hash", # noqa: SEC001 # noqa: SEC001 first_name="Test", last_name="Customer", customer_number=f"CUST_{uid}", @@ -785,7 +785,7 @@ class TestGetCurrentCustomerFromCookieOrHeader: owner = User( email=f"csowner_{uid}@test.com", username=f"csowner_{uid}", - hashed_password="not_a_real_hash", + hashed_password="not_a_real_hash", # noqa: SEC001 role="merchant_owner", is_active=True, ) @@ -813,7 +813,7 @@ class TestGetCurrentCustomerFromCookieOrHeader: customer = Customer( store_id=store.id, email=f"cust_{uid}@example.com", - hashed_password="not_a_real_hash", # noqa: SEC001 + hashed_password="not_a_real_hash", # noqa: SEC001 # noqa: SEC001 first_name="Test", last_name="Customer", customer_number=f"CUST_{uid}", @@ -878,7 +878,7 @@ class TestGetCurrentCustomerApi: owner = User( email=f"caowner_{uid}@test.com", username=f"caowner_{uid}", - hashed_password="not_a_real_hash", + hashed_password="not_a_real_hash", # noqa: SEC001 role="merchant_owner", is_active=True, ) @@ -906,7 +906,7 @@ class TestGetCurrentCustomerApi: customer = Customer( store_id=store.id, email=f"capi_{uid}@example.com", - hashed_password="not_a_real_hash", # noqa: SEC001 + hashed_password="not_a_real_hash", # noqa: SEC001 # noqa: SEC001 first_name="API", last_name="Customer", customer_number=f"CAPI_{uid}", @@ -961,7 +961,7 @@ class TestGetCurrentCustomerOptional: owner = User( email=f"coowner_{uid}@test.com", username=f"coowner_{uid}", - hashed_password="not_a_real_hash", + hashed_password="not_a_real_hash", # noqa: SEC001 role="merchant_owner", is_active=True, ) @@ -989,7 +989,7 @@ class TestGetCurrentCustomerOptional: customer = Customer( store_id=store.id, email=f"copt_{uid}@example.com", - hashed_password="not_a_real_hash", # noqa: SEC001 + hashed_password="not_a_real_hash", # noqa: SEC001 # noqa: SEC001 first_name="Optional", last_name="Customer", customer_number=f"COPT_{uid}",