-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathjustfile
More file actions
62 lines (50 loc) · 2.4 KB
/
Copy pathjustfile
File metadata and controls
62 lines (50 loc) · 2.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
set shell := ["bash", "-eu", "-o", "pipefail", "-c"]
default:
@just --list
# The complete local gate — every PR-blocking check, reproducible locally.
# Mirrors template/justfile.jinja's `ci` (audit is a member — the template chains it,
# and audit is itself a PR-blocking check here via the CI `scan` job's pip-audit step).
# `test` is the full generation matrix: give it a roomy TMPDIR (the default 4G tmpfs
# /tmp can overflow) — see "Run every gate" in AGENTS.md. Scanners stay CI-only (off `ci`).
ci: fmt-check lint typecheck test audit
@echo "ci: all gates passed"
verify: ci
# Run the template generation + update tests
test:
uv run pytest
# Lint this repo's own tooling
lint:
uv run ruff check .
# Type-check this repo's own tooling (the tests/ harness) under basedpyright recommended.
typecheck:
uv run basedpyright
# Auto-format + apply safe lint fixes to this repo's own tooling (the tests/ harness).
# Lint-fix BEFORE format: ruff's fixes (import sort, SIM/UP/C4 rewrites) can emit
# unformatted code, so the formatter must run last or `fmt-check` may reject `fmt`'s output.
fmt:
uv run ruff check --fix .
uv run ruff format .
# CI's format gate: fail if anything is unformatted.
fmt-check:
uv run ruff format --check .
# one-time: sync the venv and install the git hooks (maintainer is not copier-generated)
setup:
uv sync
uv run pre-commit install
# run every hook over the whole tree: commit-stage hooks, then pre-push basedpyright
precommit:
uv run pre-commit run --all-files
uv run pre-commit run --all-files --hook-stage pre-push
# Out-of-band secret + SAST scan (semgrep + gitleaks); enforced in CI by the `scan` job, not `ci`.
scan:
uvx semgrep@1.167.0 scan --config .semgrep.yml --metrics=off --error .
# `git` (not `dir`): scan committed history like CI, catching secrets committed then deleted.
gitleaks git . --redact --exit-code 1
# Dependency vulnerability audit: pip-audit over the FULL locked graph.
# `--no-dev` is dropped (unlike the template): package=false puts every dep in the
# dev group, so the template's --no-dev would export 0 packages and pass vacuously.
# Chained into `just ci` (mirrors the template) and independently enforced in CI by the `scan` job's pip-audit step.
audit:
uv export --frozen --no-emit-project --no-hashes -o requirements-audit.txt
uvx pip-audit@2.10.1 -r requirements-audit.txt
rm -f requirements-audit.txt