cvat/.github/workflows/bandit.yml

name: Linter
on: pull_request
jobs:
  Bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - id: files
        uses: jitterbit/get-changed-files@v1
        continue-on-error: true

      - name: Run checks
        env:
          PR_FILES_AM: ${{ steps.files.outputs.added_modified }}
          PR_FILES_RENAMED: ${{ steps.files.outputs.renamed }}
        run: |
          PR_FILES="$PR_FILES_AM $PR_FILES_RENAMED"
          for FILE in $PR_FILES; do
              EXTENSION="${FILE##*.}"
              if [[ $EXTENSION == 'py' ]]; then
                  CHANGED_FILES+=" $FILE"
              fi
          done

          if [[ ! -z $CHANGED_FILES ]]; then
            sudo apt-get --no-install-recommends install -y build-essential curl python3-dev python3-pip python3-venv
            python3 -m venv .env
            . .env/bin/activate
            pip install -U pip wheel setuptools
            pip install bandit
            mkdir -p bandit_report

            echo "Bandit version: "$(bandit --version | head -1)
            echo "The files will be checked: "$(echo $CHANGED_FILES)
            bandit $CHANGED_FILES --exclude '**/tests/**' -a file --ini ./.bandit -f html -o ./bandit_report/bandit_checks.html
            deactivate
          else
            echo "No files with the \"py\" extension found"
          fi          

      - name: Upload artifacts
        if: failure()
        uses: actions/upload-artifact@v2
        with:
          name: bandit_report
          path: bandit_report