gitlab-ci: port to Safety 3.x and move to own job

https://docs.safetycli.com/safety-docs/installation/gitlab https://docs.safetycli.com/safety-docs/administration/safety-policy-files
2025-11-03 22:20:28 +03:00 · 2024-08-30 12:05:23 +02:00 · 2024-08-30 12:05:23 +02:00 · d9e9618c56
commit d9e9618c56
parent b1084c0b8a
2 changed files with 83 additions and 35 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -213,7 +213,7 @@ gradlew-fdroid:


 # Run all the various linters and static analysis tools.
-lint_format_safety_bandit_checks:
+lint_format_bandit_checks:
  image: debian:bookworm-slim
  variables:
    LANG: C.UTF-8
@ -235,7 +235,7 @@ lint_format_safety_bandit_checks:
          python3-pip
          python3-yaml
          shellcheck
-    - $pip install --break-system-packages bandit safety
+    - $pip install --break-system-packages bandit
    - export EXITVALUE=0
    - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; }
    - ./hooks/pre-commit || set_error
@ -244,7 +244,6 @@ lint_format_safety_bandit_checks:
        -ii
        --ini .bandit
        || set_error
-    - safety check --full-report || set_error
    - pylint --output-format=colorized --reports=n
            fdroid
            makebuildserver
@ -258,6 +257,34 @@ lint_format_safety_bandit_checks:
    - exit $EXITVALUE


+# Check all the dependencies in Debian to mirror production.  CVEs are
+# generally fixed in the latest versions in pip/pypi.org, so it isn't
+# so important to scan that kind of install in CI.
+# https://docs.safetycli.com/safety-docs/installation/gitlab
+safety:
+  only:
+    changes:
+      - .gitlab-ci.yml
+      - .safety-policy.yml
+      - pyproject.toml
+      - setup.py
+  image: debian:bookworm-slim
+  <<: *apt-template
+  variables:
+    LANG: C.UTF-8
+  script:
+    - test -n "$SAFETY_API_KEY" || exit 0
+    - apt-get install
+        fdroidserver
+        python3-biplist
+        python3-pip
+        python3-pycountry
+    - $pip install --break-system-packages .
+
+    - $pip install --break-system-packages safety
+    - python3 -m safety --key "$SAFETY_API_KEY" --stage cicd scan
+
+
 # Run all the various linters and static analysis tools.
 locales:
  image: debian:bookworm-slim