diff --git a/.audit-rules/change_management.yaml b/.audit-rules/change_management.yaml
index a18ae9dc..1326d44b 100644
--- a/.audit-rules/change_management.yaml
+++ b/.audit-rules/change_management.yaml
@@ -55,7 +55,7 @@ rules:
 type: file_exists
 paths:
 - ".github/PULL_REQUEST_TEMPLATE.md"
- - ".gitlab/merge_request_templates/*.md"
+ - "CONTRIBUTING.md"
 message: "Pull request template recommended"
 - id: CHANGE-REV-002
@@ -74,7 +74,6 @@ rules:
 type: file_exists
 paths:
 - ".github/CODEOWNERS"
- - "CODEOWNERS" # GitLab uses root CODEOWNERS or .gitlab/CODEOWNERS
 - "CODEOWNERS"
 message: "Consider defining code owners for critical paths"
@@ -91,7 +90,7 @@ rules:
 paths:
 - ".github/workflows/ci.yml"
 - ".github/workflows/test.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 message: "CI workflow for automated testing required"
 - id: CHANGE-CI-002
@@ -102,7 +101,7 @@ rules:
 type: pattern_recommended
 paths:
 - ".github/workflows/*.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 patterns:
 - "security|bandit|safety|snyk|trivy"
 message: "Consider security scanning in CI pipeline"
@@ -115,7 +114,7 @@ rules:
 type: pattern_required
 paths:
 - ".github/workflows/*.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 patterns:
 - "ruff|flake8|pylint|mypy|lint"
 message: "Code quality checks required in CI"
@@ -146,7 +145,7 @@ rules:
 paths:
 - ".github/workflows/release.yml"
 - ".github/workflows/deploy.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 - "Dockerfile"
 message: "Automated deployment process recommended"
@@ -199,7 +198,7 @@ rules:
 paths:
 - "Dockerfile"
 - ".github/workflows/*.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 patterns:
 - "tag|version|:v"
 message: "Container image versioning recommended"
diff --git a/.audit-rules/compliance.yaml b/.audit-rules/compliance.yaml
index 61e2006b..6f13c1a9 100644
--- a/.audit-rules/compliance.yaml
+++ b/.audit-rules/compliance.yaml
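Review bot: In CHANGE-REV-001 the replacement for the GitLab template path is `CONTRIBUTING.md`, which is a contributing guide rather than a pull request template, so the rule whose message reads `Pull request template recommended` can now be satisfied by a repository that has no template at all. Gitea reads PR templates from `.gitea/PULL_REQUEST_TEMPLATE.md` (and, as I recall, from a `.gitea/PULL_REQUEST_TEMPLATE/` directory) — worth confirming against the Gitea version you run — so the like-for-like entry is `- ".gitea/PULL_REQUEST_TEMPLATE.md"`. If CONTRIBUTING.md is meant to count anyway, a comment such as `# Fallback only: a contributing guide is not a PR template` above that entry keeps the relaxation visible to the next reader.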
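Review bot: The CODEOWNERS rule in the `@@ -74` hunk keeps `.github/CODEOWNERS` and the root `CODEOWNERS` but, unlike every other hunk in this file, gets no Gitea counterpart, so a repository that keeps its owners file where Gitea looks for it would be reported as having no code owners. Gitea also reads `.gitea/CODEOWNERS` (from 1.20 onward, if I recall correctly — verify for your version); add `- ".gitea/CODEOWNERS"` to the paths list. Dropping the duplicated `CODEOWNERS` entry itself is fine.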
@@ -122,10 +122,9 @@ rules:
 type: file_exists
 paths:
 - ".github/PULL_REQUEST_TEMPLATE.md"
- - ".gitlab/merge_request_templates/*.md"
 - "CONTRIBUTING.md"
 - ".github/workflows/*.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 message: "Code review process must be documented/enforced"
 - id: COMP-POL-002
@@ -138,8 +137,7 @@ rules:
 - ".github/CODEOWNERS"
 - "CODEOWNERS"
 - ".github/workflows/*.yml"
- - ".gitlab-ci.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 message: "Document change approval requirements"
 - id: COMP-POL-003
@@ -166,7 +164,7 @@ rules:
 type: file_exists
 paths:
 - ".github/workflows/ci.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 - "pytest.ini"
 - "pyproject.toml"
 patterns:
@@ -181,7 +179,7 @@ rules:
 type: file_exists
 paths:
 - ".github/workflows/*.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 patterns:
 - "deploy|release"
 message: "Deployment process must be automated and logged"
diff --git a/.audit-rules/documentation.yaml b/.audit-rules/documentation.yaml
index a1b236d0..23ccb24d 100644
--- a/.audit-rules/documentation.yaml
+++ b/.audit-rules/documentation.yaml
@@ -94,7 +94,7 @@ rules:
 paths:
 - "SECURITY.md"
 - ".github/SECURITY.md"
- - ".gitlab/SECURITY.md"
+ - ".gitea/SECURITY.md"
 message: "Security policy (SECURITY.md) required"
 - id: DOC-SEC-002
diff --git a/.audit-rules/third_party.yaml b/.audit-rules/third_party.yaml
index e3e7347f..0bdcfc60 100644
--- a/.audit-rules/third_party.yaml
+++ b/.audit-rules/third_party.yaml
@@ -57,7 +57,7 @@ rules:
 type: file_exists
 paths:
 - ".github/workflows/*.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 patterns:
 - "safety|pip-audit|snyk|dependabot"
 message: "Dependency vulnerability scanning required"
@@ -70,7 +70,7 @@ rules:
 type: file_exists
 paths:
 - ".github/dependabot.yml"
- - ".gitlab-ci.yml" # GitLab uses built-in dependency scanning
+ - ".gitea/workflows/*.yml"
 message: "Consider enabling Dependabot for security updates"
 - id: THIRD-VULN-003
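Review bot: THIRD-VULN-002's new path `.gitea/workflows/*.yml` makes the rule pass whenever any Gitea workflow exists, whether or not it scans dependencies, while the message still says `Consider enabling Dependabot for security updates` — Dependabot is a GitHub-hosted service and does not run against a Gitea repository. Unlike THIRD-VULN-001 just above it, this rule is a bare `file_exists` with no `patterns:`, so the presence of `ci.yml` alone silences it; the removed GitLab entry at least carried a comment explaining why a CI file stood in for a scanner. Either add `patterns: - "pip-audit|safety|renovate|dependabot"` to the rule or point the Gitea entry at a real updater config such as `renovate.json`, and reword the message to say "dependency update automation" rather than Dependabot. Other rules in these files combine `file_exists` with `patterns:`, which suggests the engine supports that pairing, though the engine itself is not visible here.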
@@ -81,7 +81,7 @@ rules:
 type: pattern_recommended
 paths:
 - ".github/workflows/*.yml"
- - ".gitlab-ci.yml"
+ - ".gitea/workflows/*.yml"
 patterns:
 - "trivy|grype|snyk.*container"
 message: "Consider container image vulnerability scanning"
diff --git a/.dockerignore b/.dockerignore
index ba4499d6..976656e2 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,7 +3,6 @@
 !.env.example
 .git
 .gitea
-.gitlab-ci.yml
 __pycache__
 *.pyc
 *.pyo
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 404c8d44..af8d540f 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -1,6 +1,6 @@
 # Gitea Actions CI/CD Configuration
 # ==================================
-# Equivalent of the GitLab CI pipeline, using GitHub Actions-compatible syntax.
+# Uses GitHub Actions-compatible syntax. Requires Gitea 1.19+ with Actions enabled.
 # Requires Gitea 1.19+ with Actions enabled.
 name: CI
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index 9bcfc1a5..00000000
--- a/.gitlab-ci.yml
+++ /dev/null
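Review bot: The new header line in `.gitea/workflows/ci.yml` ends with `Requires Gitea 1.19+ with Actions enabled.` and the unchanged line immediately below repeats that sentence verbatim, so the file header now states the requirement twice. Shorten the added line to `# Uses GitHub Actions-compatible syntax.` or drop the following line. Separately, the deleted `.gitlab-ci.yml` ran `pip-audit`, `scripts/validate/validate_audit.py` and `scripts/validate/validate_architecture.py`, and after this commit the audit rules only check that some `.gitea/workflows/*.yml` exists; the body of `ci.yml` is not in this diff, so it is worth confirming those jobs were carried over before the GitLab pipeline is gone.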
@@ -1,130 +0,0 @@ -# GitLab CI/CD Configuration -# ========================= - -stages: - - lint - - test - - security - - build - -variables: - PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip" - PYTHON_VERSION: "3.11" - -# Cache dependencies between jobs -cache: - paths: - - .cache/pip - - .venv/ - -# Lint Stage -# ---------- - -ruff: - stage: lint - image: python:${PYTHON_VERSION} - before_script: - - pip install uv - - uv sync --frozen - script: - - .venv/bin/ruff check . - rules: - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - -# Test Stage -# ---------- - -pytest: - stage: test - image: python:${PYTHON_VERSION} - services: - - name: postgres:15 - alias: postgres - variables: - # PostgreSQL service configuration - POSTGRES_DB: orion_test - POSTGRES_USER: test_user - POSTGRES_PASSWORD: test_password - # Application database URL for tests - TEST_DATABASE_URL: "postgresql://test_user:test_password@postgres:5432/orion_test" - # Skip database validation during import (tests use TEST_DATABASE_URL) - DATABASE_URL: "postgresql://test_user:test_password@postgres:5432/orion_test" - before_script: - - pip install uv - - uv sync --frozen - # Wait for PostgreSQL to be ready - - apt-get update && apt-get install -y postgresql-client - - for i in $(seq 1 30); do pg_isready -h postgres -U test_user && break || sleep 1; done - script: - - .venv/bin/python -m pytest tests/ -v --tb=short - coverage: '/TOTAL.*\s+(\d+%)/' - artifacts: - reports: - junit: report.xml - coverage_report: - coverage_format: cobertura - path: coverage.xml - rules: - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - -architecture: - stage: test - image: python:${PYTHON_VERSION} - variables: - # Set DATABASE_URL to satisfy validation (not actually used by validator) - DATABASE_URL: "postgresql://dummy:dummy@localhost:5432/dummy" - before_script: - - pip install uv - - uv sync --frozen - script: - - 
.venv/bin/python scripts/validate/validate_architecture.py - rules: - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - -# Security Stage -# -------------- - -dependency_scanning: - stage: security - image: python:${PYTHON_VERSION} - before_script: - - pip install pip-audit - script: - - pip-audit --requirement requirements.txt || true - allow_failure: true - rules: - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - -audit: - stage: security - image: python:${PYTHON_VERSION} - before_script: - - pip install uv - - uv sync --frozen - script: - - .venv/bin/python scripts/validate/validate_audit.py - allow_failure: true - rules: - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - -# Build Stage -# ----------- - -docs: - stage: build - image: python:${PYTHON_VERSION} - before_script: - - pip install uv - - uv sync --frozen - script: - - .venv/bin/mkdocs build - artifacts: - paths: - - site/ - rules: - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH diff --git a/docs/deployment/gitea.md b/docs/deployment/gitea.md index 06243f77..a7cc92c5 100644 --- a/docs/deployment/gitea.md +++ b/docs/deployment/gitea.md @@ -1,6 +1,6 @@ # Gitea CI/CD Deployment Guide -This document describes how to **self-host Gitea** on an external server and migrate CI/CD from GitLab to **Gitea Actions** (GitHub Actions-compatible). +This document describes how to **self-host Gitea** on an external server with **Gitea Actions** CI/CD (GitHub Actions-compatible). --- 
@@ -8,8 +8,8 @@ This document describes how to **self-host Gitea** on an external server and mig - Lightweight, self-hosted Git forge (single binary or Docker image) - Built-in CI/CD via **Gitea Actions** (GitHub Actions-compatible YAML) -- Built-in migration tool imports repos, issues, and PRs from GitLab -- Low resource usage compared to GitLab +- Built-in migration tool imports repos, issues, and PRs from other forges +- Low resource usage --- @@ -176,22 +176,15 @@ git push gitea --tags ### Option B: Gitea built-in migration (code + issues + PRs) 1. In Gitea, click **+** > **New Migration**. -2. Select **GitLab** as the source. -3. Enter your GitLab URL and a Personal Access Token. -4. Gitea will import the repository, issues, labels, milestones, and merge requests. +2. Select the source forge (GitHub, GitLab, etc.). +3. Enter the source URL and a Personal Access Token. +4. Gitea will import the repository, issues, labels, milestones, and pull/merge requests. --- -## 6. CI/CD — GitLab vs Gitea Actions +## 6. CI/CD — Gitea Actions -The workflow file lives in `.gitea/workflows/ci.yml` (already created in this repository). - -| GitLab CI (`.gitlab-ci.yml`) | Gitea Actions (`.gitea/workflows/ci.yml`) | -|------------------------------|-------------------------------------------| -| `stages:` + `stage:` per job | Jobs run in parallel; use `needs:` for ordering | -| `services:` (top-level on job) | `services:` nested under each job with `options:` | -| `allow_failure: true` | `continue-on-error: true` | -| `rules: - if:` | `on:` triggers + `if:` conditionals per job | +The workflow file lives in `.gitea/workflows/ci.yml` (already created in this repository). Gitea Actions uses GitHub Actions-compatible YAML syntax. | `artifacts: paths:` | `actions/upload-artifact@v4` (not supported on Gitea GHES) | | `cache: paths:` | `actions/cache@v4` | | `coverage: '/regex/'` | Use coverage action or parse in step | 
@@ -299,14 +292,3 @@ docker run --rm -v gitea-data:/data -v $(pwd):/backup alpine \ ``` --- - -## 12. Removing GitLab (After Migration) - -Once you have verified everything works on Gitea: - -1. Update your local git remote: - ```bash - git remote set-url origin ssh://git@git.yourdomain.com:2222/your-username/letzshop-product-import.git - ``` -2. The `.gitlab-ci.yml` file can be removed from the repository. -3. Archive or delete the GitLab project. diff --git a/docs/deployment/gitlab.md b/docs/deployment/gitlab.md deleted file mode 100644 index ecbaa175..00000000 --- a/docs/deployment/gitlab.md +++ /dev/null 
@@ -1,400 +0,0 @@ -# GitLab CI/CD Deployment Guide - -This document describes how to deploy the Orion platform to a **DigitalOcean Droplet** using **bare-metal systemd + Nginx**, with automated deployments from **GitLab CI/CD**. - ---- - -## Prerequisites - -- DigitalOcean Droplet (Ubuntu 22.04+ recommended) -- Domain name pointing to your server -- GitLab repository with CI/CD enabled -- SSH key pair for deployment - ---- - -## 1. Server Folder Structure - -The application will be deployed to: - -``` -/var/www/orion/ -├── app/ # FastAPI application -├── static/ -│ ├── admin/ -│ ├── store/ -│ ├── shop/ -│ └── shared/ -├── templates/ -├── alembic/ # Database migrations -├── .venv/ # Python virtual environment -├── .env # Environment variables (created manually) -└── pyproject.toml -``` - ---- - -## 2. Server Setup - -### Create Deploy User (Recommended) - -```bash -sudo adduser deploy --disabled-password -sudo usermod -aG sudo deploy -sudo mkdir -p /var/www/orion -sudo chown -R deploy:deploy /var/www/orion -``` - -### Install System Dependencies - -```bash -sudo apt update -sudo apt install -y python3.11 python3.11-venv python3-pip \ - build-essential libpq-dev nginx postgresql postgresql-contrib \ - nodejs npm certbot python3-certbot-nginx -``` - -### Install uv (Python Package Manager) - -```bash -curl -LsSf https://astral.sh/uv/install.sh | sh -source ~/.bashrc -``` - ---- - -## 3. Database Setup (PostgreSQL) - -```bash -# Create database and user -sudo -u postgres psql << EOF -CREATE USER orion WITH PASSWORD 'your_secure_password'; -CREATE DATABASE orion OWNER orion; -GRANT ALL PRIVILEGES ON DATABASE orion TO orion; -EOF -``` - ---- - -## 4. 
systemd Service - -Create `/etc/systemd/system/orion.service`: - -```ini -[Unit] -Description=Orion FastAPI Application -After=network.target postgresql.service - -[Service] -User=deploy -Group=deploy -WorkingDirectory=/var/www/orion -Environment="PATH=/var/www/orion/.venv/bin" -EnvironmentFile=/var/www/orion/.env -ExecStart=/var/www/orion/.venv/bin/uvicorn app.main:app --host 127.0.0.1 --port 8000 --workers 4 -Restart=always -RestartSec=5 - -[Install] -WantedBy=multi-user.target -``` - -Enable the service: - -```bash -sudo systemctl daemon-reload -sudo systemctl enable orion -``` - ---- - -## 5. Nginx Configuration - -Create `/etc/nginx/sites-available/orion`: - -```nginx -server { - listen 80; - server_name yourdomain.com www.yourdomain.com; - - # Static files - location /static/ { - alias /var/www/orion/static/; - expires 30d; - add_header Cache-Control "public, immutable"; - } - - # Media/uploads - location /uploads/ { - alias /var/www/orion/uploads/; - expires 7d; - } - - # Proxy to FastAPI - location / { - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 300; - proxy_connect_timeout 300; - } -} -``` - -Enable the site: - -```bash -sudo ln -s /etc/nginx/sites-available/orion /etc/nginx/sites-enabled/ -sudo rm /etc/nginx/sites-enabled/default # Remove default site -sudo nginx -t -sudo systemctl restart nginx -``` - ---- - -## 6. HTTPS with Let's Encrypt - -```bash -sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -``` - -Certbot will automatically configure HTTPS and set up auto-renewal. - ---- - -## 7. Firewall Configuration - -```bash -sudo ufw allow OpenSSH -sudo ufw allow 'Nginx Full' -sudo ufw enable -``` - ---- - -## 8. 
GitLab CI/CD Pipeline - -Create `.gitlab-ci.yml` in your project root: - -```yaml -stages: - - test - - build - - deploy - -variables: - PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip" - UV_CACHE_DIR: "$CI_PROJECT_DIR/.cache/uv" - -# Test stage -test: - stage: test - image: python:3.11 - before_script: - - pip install uv - - uv venv - - source .venv/bin/activate - - uv pip install -r requirements.txt - script: - - python -m pytest tests/ -v --tb=short - only: - - merge_requests - - main - -# Build Tailwind CSS -build: - stage: build - image: node:20 - script: - - npm install - - npx tailwindcss -i ./static/src/input.css -o ./static/dist/output.css --minify - artifacts: - paths: - - static/dist/ - expire_in: 1 week - only: - - main - -# Deploy to production -deploy: - stage: deploy - image: alpine:latest - before_script: - - apk add --no-cache openssh-client rsync - - mkdir -p ~/.ssh - - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519 - - chmod 600 ~/.ssh/id_ed25519 - - ssh-keyscan -H $SERVER_HOST >> ~/.ssh/known_hosts - script: - # Sync files to server (excluding sensitive files) - - rsync -avz --delete - --exclude='.git' - --exclude='.env' - --exclude='*.pyc' - --exclude='__pycache__' - --exclude='.pytest_cache' - --exclude='htmlcov' - --exclude='*.db' - ./ $SERVER_USER@$SERVER_HOST:$SERVER_PATH/ - - # Install dependencies and run migrations - - ssh $SERVER_USER@$SERVER_HOST " - cd $SERVER_PATH && - ~/.cargo/bin/uv venv --python 3.11 && - source .venv/bin/activate && - ~/.cargo/bin/uv pip install -r requirements.txt && - python -m alembic upgrade head - " - - # Restart the service - - ssh $SERVER_USER@$SERVER_HOST "sudo systemctl restart orion" - - # Verify deployment - - ssh $SERVER_USER@$SERVER_HOST "sudo systemctl status orion --no-pager" - only: - - main - environment: - name: production - url: https://yourdomain.com -``` - ---- - -## 9. 
GitLab CI/CD Variables - -Configure these in **Settings > CI/CD > Variables**: - -| Variable | Description | Example | -|----------|-------------|---------| -| `SSH_PRIVATE_KEY` | Private key for server access | `-----BEGIN OPENSSH PRIVATE KEY-----...` | -| `SERVER_USER` | SSH user on server | `deploy` | -| `SERVER_HOST` | Server IP or hostname | `203.0.113.50` | -| `SERVER_PATH` | Application directory | `/var/www/orion` | - -Mark `SSH_PRIVATE_KEY` as **Protected** and **Masked**. - ---- - -## 10. Environment Variables - -Create `/var/www/orion/.env` on the server: - -```bash -# Application -APP_ENV=production -DEBUG=false -SECRET_KEY=your-super-secret-key-change-this - -# Database -DATABASE_URL=postgresql://orion:password@localhost:5432/orion - -# Stripe (if using billing) -STRIPE_SECRET_KEY=sk_live_... -STRIPE_WEBHOOK_SECRET=whsec_... - -# Email -SMTP_HOST=smtp.your-provider.com -SMTP_PORT=587 -SMTP_USER=your-email@domain.com -SMTP_PASSWORD=your-smtp-password -EMAILS_FROM=noreply@yourdomain.com - -# Letzshop Integration (if applicable) -LETZSHOP_API_URL=https://api.letzshop.lu -``` - -Secure the file: - -```bash -chmod 600 /var/www/orion/.env -``` - ---- - -## 11. Deployment Flow - -1. Developer pushes to `main` branch -2. GitLab runs tests -3. GitLab builds Tailwind CSS -4. GitLab syncs files to server via rsync -5. Server installs/updates Python dependencies -6. Alembic runs database migrations -7. systemd restarts the FastAPI service -8. Nginx serves the application over HTTPS - ---- - -## 12. Maintenance Commands - -```bash -# View application logs -sudo journalctl -u orion -f - -# Restart application -sudo systemctl restart orion - -# Check application status -sudo systemctl status orion - -# Run migrations manually -cd /var/www/orion -source .venv/bin/activate -python -m alembic upgrade head - -# Rollback migration -python -m alembic downgrade -1 -``` - ---- - -## 13. 
Security Recommendations - -- [ ] Use a non-root deploy user (as shown above) -- [ ] Enable fail2ban for SSH protection -- [ ] Configure PostgreSQL to only allow local connections -- [ ] Set up automated backups for the database -- [ ] Enable log rotation -- [ ] Consider using Docker for isolation -- [ ] Set up monitoring (e.g., Prometheus + Grafana) -- [ ] Configure rate limiting in Nginx - ---- - -## 14. Troubleshooting - -### Application won't start - -```bash -# Check logs -sudo journalctl -u orion -n 100 - -# Verify environment file -cat /var/www/orion/.env - -# Test manually -cd /var/www/orion -source .venv/bin/activate -uvicorn app.main:app --host 127.0.0.1 --port 8000 -``` - -### Database connection issues - -```bash -# Test PostgreSQL connection -psql -U orion -h localhost -d orion - -# Check PostgreSQL status -sudo systemctl status postgresql -``` - -### Nginx errors - -```bash -# Test configuration -sudo nginx -t - -# Check error logs -sudo tail -f /var/log/nginx/error.log -``` diff --git a/docs/deployment/hetzner-server-setup.md b/docs/deployment/hetzner-server-setup.md index 8402de3e..beaed503 100644 --- a/docs/deployment/hetzner-server-setup.md +++ b/docs/deployment/hetzner-server-setup.md @@ -459,9 +459,9 @@ Before setting up Caddy, point your domain's DNS to the server. | AAAA | `@` | `2a01:4f8:1c1a:b39c::1` | 300 | | AAAA | `www` | `2a01:4f8:1c1a:b39c::1` | 300 | -### IPv6 (AAAA) Records — TODO +### IPv6 (AAAA) Records — Completed -Optional but recommended. Add AAAA records for all domains above, pointing to the server's IPv6 address. Verify your IPv6 address first: +AAAA records are included in the DNS tables above for all domains. To verify your IPv6 address: ```bash ip -6 addr show eth0 | grep 'scope global' diff --git a/docs/development/code-quality-dashboard-implementation.md b/docs/development/code-quality-dashboard-implementation.md index a3bd89dd..dd887742 100644 --- a/docs/development/code-quality-dashboard-implementation.md 
+++ b/docs/development/code-quality-dashboard-implementation.md
@@ -637,7 +637,7 @@ if args.json:
 - Consider adding background job support (Celery/RQ) for long-running scans
 - Add email notifications when violations assigned
-- Consider GitHub/GitLab integration (comment on PRs)
+- Consider Gitea/GitHub integration (comment on PRs)
 - Add historical comparison (violations introduced vs fixed)
 - Consider rule suggestions based on common violations
diff --git a/mkdocs.yml b/mkdocs.yml
index 989a4ab5..20441b06 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -212,7 +212,6 @@ nav:
 - Traditional VPS: deployment/production.md
 - Docker: deployment/docker.md
 - CloudFlare Setup: deployment/cloudflare.md
- - GitLab CI/CD: deployment/gitlab.md
 - Gitea CI/CD: deployment/gitea.md
 - Hetzner Server Setup: deployment/hetzner-server-setup.md
 - Environment Variables: deployment/environment.md
diff --git a/scripts/validate/validate_audit.py b/scripts/validate/validate_audit.py
index fdac6909..c18ac030 100644
--- a/scripts/validate/validate_audit.py
+++ b/scripts/validate/validate_audit.py
@@ -264,27 +264,23 @@ class AuditValidator(BaseValidator): str(self.project_root), ) - # Check CI/CD exists (GitHub or GitLab) + # Check CI/CD exists (Gitea or GitHub) + gitea_ci = self.project_root / ".gitea" / "workflows" / "ci.yml" github_ci = self.project_root / ".github" / "workflows" / "ci.yml" - gitlab_ci = self.project_root / ".gitlab-ci.yml" - if not github_ci.exists() and not gitlab_ci.exists(): + if not gitea_ci.exists() and not github_ci.exists(): self.add_warning( "COMP-EVID-001", "CI workflow for automated testing recommended", - ".gitlab-ci.yml or .github/workflows/ci.yml", + ".gitea/workflows/ci.yml or .github/workflows/ci.yml", ) - # Check code review process (GitHub or GitLab) + # Check code review process github_pr_template = self.project_root / ".github" / "PULL_REQUEST_TEMPLATE.md" - gitlab_mr_templates = self.project_root / ".gitlab" / "merge_request_templates" - has_mr_template = github_pr_template.exists() or ( - gitlab_mr_templates.exists() and any(gitlab_mr_templates.iterdir()) - ) - if not has_mr_template: + if not github_pr_template.exists(): self.add_warning( "COMP-POL-001", - "Merge request template recommended for code review", - ".gitlab/merge_request_templates/ or .github/PULL_REQUEST_TEMPLATE.md", + "Pull request template recommended for code review", + ".github/PULL_REQUEST_TEMPLATE.md", ) # ================== 
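Review bot: The code-review check now disagrees with the YAML rule that shares its id: COMP-POL-001 in `.audit-rules/compliance.yaml`, changed in this same commit, accepts `CONTRIBUTING.md` and `.gitea/workflows/*.yml`, while this Python path warns unless `.github/PULL_REQUEST_TEMPLATE.md` exists, so a Gitea-hosted repository that keeps its template at `.gitea/PULL_REQUEST_TEMPLATE.md` (Gitea's own lookup location, as I recall — verify for your version) passes one checker and fails the other. The CI check a few lines up has the same shape: `gitea_ci` tests only `.gitea/workflows/ci.yml` where the YAML rules glob `.gitea/workflows/*.yml`. Probing a small tuple of template locations and widening the message path keeps the two checkers in step. The enclosing method starts and ends outside this hunk.
```python
        # Check code review process (Gitea or GitHub pull request template)
        pr_templates = (
            self.project_root / ".gitea" / "PULL_REQUEST_TEMPLATE.md",
            self.project_root / ".github" / "PULL_REQUEST_TEMPLATE.md",
        )
        if not any(template.exists() for template in pr_templates):
            self.add_warning(
                "COMP-POL-001",
                "Pull request template recommended for code review",
                ".gitea/PULL_REQUEST_TEMPLATE.md or .github/PULL_REQUEST_TEMPLATE.md",
            )
```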
@@ -371,19 +367,13 @@ class AuditValidator(BaseValidator): "pyproject.toml", ) - # Check for dependency scanning (GitHub Dependabot or GitLab) + # Check for dependency scanning dependabot = self.project_root / ".github" / "dependabot.yml" - gitlab_ci = self.project_root / ".gitlab-ci.yml" - has_dep_scanning = dependabot.exists() - if not has_dep_scanning and gitlab_ci.exists(): - # Check if GitLab CI includes dependency scanning - ci_content = gitlab_ci.read_text() - has_dep_scanning = "dependency_scanning" in ci_content.lower() - if not has_dep_scanning: + if not dependabot.exists(): self.add_info( "THIRD-VULN-002", "Consider enabling dependency scanning for security updates", - ".gitlab-ci.yml (include dependency_scanning) or .github/dependabot.yml", + ".github/dependabot.yml", ) # Check for insecure package sources
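Review bot: Dropping the CI-content fallback leaves THIRD-VULN-002 satisfiable only by `.github/dependabot.yml`, a GitHub-hosted service that does nothing for the Gitea-hosted repository this commit targets, so every checkout will now emit this info item even when the workflow does run a scanner (the deleted `.gitlab-ci.yml` had a `pip-audit` job; whether `.gitea/workflows/ci.yml` carries it is not visible in this diff). The sibling YAML rule THIRD-VULN-001 already accepts `safety|pip-audit|snyk|dependabot` found in `.gitea/workflows/*.yml`; mirroring that here, with the same lower-cased substring test the removed GitLab branch used, keeps the Python and YAML checkers consistent. The enclosing method starts and ends outside this hunk.
```python
        # Check for dependency scanning (Dependabot config, or a scanner step in a Gitea workflow)
        dependabot = self.project_root / ".github" / "dependabot.yml"
        has_dep_scanning = dependabot.exists()
        if not has_dep_scanning:
            scanner_markers = ("pip-audit", "safety", "snyk", "dependabot", "renovate")
            workflows_dir = self.project_root / ".gitea" / "workflows"
            candidates = sorted(workflows_dir.glob("*.yml")) if workflows_dir.is_dir() else []
            for workflow in candidates:
                content = workflow.read_text(errors="replace").lower()
                if any(marker in content for marker in scanner_markers):
                    has_dep_scanning = True
                    break
        if not has_dep_scanning:
            self.add_info(
                "THIRD-VULN-002",
                "Consider enabling dependency scanning for security updates",
                ".github/dependabot.yml or a pip-audit/safety step in .gitea/workflows/*.yml",
            )
```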