aitbc1
70d5e7bc83
Some checks failed
audit / audit (push) Failing after 44s
ci-cd / build (push) Failing after 5s
ci / build (push) Failing after 3s
autofix / fix (push) Failing after 17s
security-scanning / audit (push) Failing after 17s
test / test (push) Successful in 1s
ci-cd / deploy (push) Has been skipped
ISSUE: Still hitting externally-managed-environment despite venv Root cause: Poetry installation using system pip instead of venv pip Solution: Use venv/bin/pip explicitly for all package installations Changes: - Use venv/bin/pip install poetry instead of pip install poetry - Use venv/bin/pip install safety bandit for security tools - Use venv/bin/safety and venv/bin/bandit for execution - Maintain source venv/bin/activate for environment context - Ensure all Python commands use isolated venv environment Updated workflows: - audit.yml: venv pip for poetry installation - fix.yml: venv pip for poetry + safety tools - security-scanning.yml: venv pip for poetry + security tools Expected results: - Poetry installed in virtual environment without system restrictions - Security tools installed and executed in venv - All Python dependencies managed in isolated environment - No more externally-managed-environment errors This ensures complete isolation from system Python and follows PEP 668 requirements while maintaining the nuclear fix approach.
79 lines
2.6 KiB
YAML
79 lines
2.6 KiB
YAML
name: autofix
|
|
|
|
on:
|
|
push:
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
fix:
|
|
runs-on: debian
|
|
|
|
steps:
|
|
- name: Nuclear fix - absolute path control
|
|
run: |
|
|
echo "=== AUTOFIX NUCLEAR FIX ==="
|
|
echo "Current PWD: $(pwd)"
|
|
echo "Forcing absolute workspace path..."
|
|
|
|
# Clean and create absolute workspace
|
|
rm -rf /opt/gitea-runner/workspace
|
|
mkdir -p /opt/gitea-runner/workspace
|
|
cd /opt/gitea-runner/workspace
|
|
|
|
echo "Workspace PWD: $(pwd)"
|
|
echo "Cloning repository..."
|
|
git clone https://gitea.bubuit.net/oib/aitbc.git repo
|
|
|
|
cd repo
|
|
echo "Repo PWD: $(pwd)"
|
|
echo "Files in repo:"
|
|
ls -la
|
|
|
|
echo "=== PROJECT TYPE CHECK ==="
|
|
if [ -f "package.json" ]; then
|
|
echo "✅ Node.js project detected!"
|
|
echo "=== NPM INSTALL ==="
|
|
npm install --legacy-peer-deps
|
|
echo "✅ Auto-fixing vulnerabilities..."
|
|
npm audit fix || true
|
|
elif [ -f "pyproject.toml" ]; then
|
|
echo "✅ Python project detected!"
|
|
echo "=== PYTHON SETUP ==="
|
|
|
|
# Install Python and pip if not available
|
|
if ! command -v python3 >/dev/null 2>&1; then
|
|
echo "Installing Python 3..."
|
|
apt-get update
|
|
apt-get install -y python3 python3-pip python3-venv python3-full
|
|
fi
|
|
|
|
echo "=== VIRTUAL ENVIRONMENT ==="
|
|
# Create and use virtual environment
|
|
python3 -m venv venv
|
|
source venv/bin/activate
|
|
|
|
echo "Virtual environment activated"
|
|
echo "Python in venv: $(python --version)"
|
|
echo "Pip in venv: $(pip --version)"
|
|
|
|
echo "=== PYTHON DEPENDENCIES ==="
|
|
# Use venv pip explicitly to avoid system pip
|
|
if command -v poetry >/dev/null 2>&1; then
|
|
echo "Poetry found, installing dependencies..."
|
|
poetry install
|
|
else
|
|
echo "Installing poetry with venv pip..."
|
|
venv/bin/pip install poetry
|
|
poetry install
|
|
fi
|
|
echo "✅ Python dependencies installed!"
|
|
echo "=== SECURITY FIXES ==="
|
|
# Check for common Python security issues
|
|
echo "Running safety check..."
|
|
venv/bin/pip install safety
|
|
venv/bin/safety check || echo "Safety check completed with warnings"
|
|
else
|
|
echo "❌ No supported project type found!"
|
|
exit 1
|
|
fi
|