test: change ci

Datata1 · Datata1 · commit f3769c9212ea · 2026-02-07T12:30:55.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: Python tests
+name: Python CI
 
 on:
   pull_request:
@@ -13,96 +13,132 @@ permissions:
   pull-requests: write
 
 jobs:
-  pytest:
+  security_check:
+    name: Security Check (Bandit)
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install uv package manager
+        uses: astral-sh/setup-uv@v6
+        with:
+          activate-environment: true
+
+      - name: Install dependencies
+        run: uv sync --extra dev
+        shell: bash
+
+      - name: Run Bandit security check
+        id: bandit_check
+        run: |
+          echo "Running Bandit security check..."
+          # Wir nutzen 'uv run', um sicherzustellen, dass bandit im venv ausgeführt wird
+          # set +e erlaubt, dass der Step weiterläuft, auch wenn Bandit Fehler findet (Exit Code 1)
+          set +e
+          uv run bandit -r . -c pyproject.toml --format=custom --msg-template "{abspath}:{line}: {test_id}[{severity}]: {msg}" -o bandit-results.txt
+          BANDIT_EXIT_CODE=$?
+          set -e
+          
+          echo "Bandit scan finished. Exit code: $BANDIT_EXIT_CODE"
+          
+          # Zeige Ergebnisse im Log an
+          if [ -f bandit-results.txt ]; then
+            cat bandit-results.txt
+          fi
+
+          echo "BANDIT_EXIT_CODE=${BANDIT_EXIT_CODE}" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Prepare Bandit comment body
+        id: prep_bandit_comment
+        if: github.event_name == 'pull_request'
+        run: |
+          echo "Preparing Bandit comment body..."
+          COMMENT_BODY_FILE="bandit-comment-body.md"
+          echo "COMMENT_BODY_FILE=${COMMENT_BODY_FILE}" >> $GITHUB_ENV
+
+          echo "### 🛡️ Bandit Security Scan Results" > $COMMENT_BODY_FILE
+          echo "" >> $COMMENT_BODY_FILE
+
+          # WICHTIG: Hier wurde der Pfad korrigiert (das 'backend/' Prefix entfernt)
+          if [ -s bandit-results.txt ]; then
+            echo "\`\`\`text" >> $COMMENT_BODY_FILE
+            cat bandit-results.txt >> $COMMENT_BODY_FILE
+            echo "\`\`\`" >> $COMMENT_BODY_FILE
+          else
+            echo "✅ No security issues found by Bandit." >> $COMMENT_BODY_FILE
+          fi
+        shell: bash
+
+      - name: Find Comment
+        uses: peter-evans/find-comment@v3
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: Bandit Security Scan Results
+
+      - name: Post Bandit results as PR comment
+        if: github.event_name == 'pull_request'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository }}
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          body-file: ${{ env.COMMENT_BODY_FILE }}
+          edit-mode: replace
+
+      - name: Fail if Bandit found issues
+        if: env.BANDIT_EXIT_CODE != '0'
+        run: exit ${{ env.BANDIT_EXIT_CODE }}
+
+      - name: Minimize uv cache
+        run: uv cache prune --ci
 
+  pytest:
+    name: Python Tests
+    runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    - name: Install uv package manager
-      uses: astral-sh/setup-uv@v6
-      with:
-        activate-environment: true
-
-    - name: Install dependencies using uv
-      run: |
-        uv sync --extra dev
-      shell: bash
-
-    - name: Run Bandit security check on backend code
-      id: bandit_check
-      run: |
-        echo "Running Bandit security check..."
-        set +e
-        bandit -r . -c pyproject.toml --format=custom --msg-template "{abspath}:{line}: {test_id}[{severity}]: {msg}" -o bandit-results.txt
-        cat bandit-results.txt
-        BANDIT_EXIT_CODE=$?
-        set -e
-        echo "Bandit scan finished. Exit code: $BANDIT_EXIT_CODE"
-        echo "BANDIT_EXIT_CODE=${BANDIT_EXIT_CODE}" >> $GITHUB_ENV
-      shell: bash
-
-    - name: Prepare Bandit comment body
-      id: prep_bandit_comment
-      if: github.event_name == 'pull_request'
-      run: |
-        echo "Preparing Bandit comment body..."
-        COMMENT_BODY_FILE="bandit-comment-body.md"
-        echo "COMMENT_BODY_FILE=${COMMENT_BODY_FILE}" >> $GITHUB_ENV
-
-        echo "### 🛡️ Bandit Security Scan Results" > $COMMENT_BODY_FILE
-        echo "" >> $COMMENT_BODY_FILE
-        echo "" >> $COMMENT_BODY_FILE
-        echo "" >> $COMMENT_BODY_FILE
-
-        if [ -s backend/bandit-results.txt ]; then
-          echo "\`\`\`text" >> $COMMENT_BODY_FILE
-          cat backend/bandit-results.txt >> $COMMENT_BODY_FILE
-          echo "\`\`\`" >> $COMMENT_BODY_FILE
-        else
-          echo "✅ No security issues found by Bandit." >> $COMMENT_BODY_FILE
-        fi
-      shell: bash
-
-    - name: Find Comment
-      uses: peter-evans/find-comment@v3
-      id: fc
-      with:
-        issue-number: ${{ github.event.pull_request.number }}
-        comment-author: 'github-actions[bot]'
-        body-includes: Bandit Security Scan Results
-
-    - name: Post Bandit results as PR comment
-      if: github.event_name == 'pull_request' && always()
-      uses: peter-evans/create-or-update-comment@v4
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        repository: ${{ github.repository }}
-        issue-number: ${{ github.event.pull_request.number }}
-        comment-id: ${{ steps.fc.outputs.comment-id }}
-        body-file: ${{ env.COMMENT_BODY_FILE }}
-        edit-mode: replace
-
-    - name: Run tests with pytest using uv
-      run: |
-        pytest --junitxml=junit/test-results.xml --cov-report=xml --cov-report=html --cov=. | tee pytest-coverage.txt
-      shell: bash
-
-    - name: Pytest coverage comment
-      if: github.event_name == 'pull_request' && always()
-      uses: MishaKav/pytest-coverage-comment@main
-      with:
-        unique-id-for-comment: coverage-report
-        pytest-xml-coverage-path: coverage.xml
-        pytest-coverage-path: pytest-coverage.txt
-        junitxml-path: junit/test-results.xml
-        title: Pytest Coverage Report
-        junitxml-title: Test Execution Summary
-
-    - name: Minimize uv cache
-      run: uv cache prune --ci
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install uv package manager
+        uses: astral-sh/setup-uv@v6
+        with:
+          activate-environment: true
+
+      - name: Install dependencies
+        run: uv sync --extra dev
+        shell: bash
+
+      - name: Run tests with pytest
+        env:
+          TOKEN: 'dummy-token-for-ci'
+          CODESPHERE_TOKEN: 'dummy-token-for-ci'
+        run: |
+          uv run pytest --junitxml=junit/test-results.xml --cov-report=xml --cov-report=html --cov=. | tee pytest-coverage.txt
+        shell: bash
+
+      - name: Pytest coverage comment
+        if: github.event_name == 'pull_request' && always()
+        uses: MishaKav/pytest-coverage-comment@main
+        with:
+          unique-id-for-comment: coverage-report
+          pytest-xml-coverage-path: coverage.xml
+          pytest-coverage-path: pytest-coverage.txt
+          junitxml-path: junit/test-results.xml
+          title: Pytest Coverage Report
+          junitxml-title: Test Execution Summary
+
+      - name: Minimize uv cache
+        run: uv cache prune --ci
