Add workflows for Codecov, CodeQL, and Codacy integration#3
marekdkropiewnicki-dotcom wants to merge 9 commits into codestorm-official:main from
Conversation
This workflow performs a Codacy security scan and integrates the results with GitHub Advanced Security.
Pull request overview
Adds GitHub Actions workflows and configuration to integrate code scanning and code quality/coverage tooling (CodeQL, Codecov, Codacy) plus Dependabot.
Changes:
- Add CodeQL “Advanced” code scanning workflow.
- Add pytest coverage workflow that uploads reports to Codecov.
- Add Codacy security scan workflow and a Dependabot configuration file.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/workflows/codeql.yml | Introduces CodeQL scanning job for Actions + Python (currently has YAML indentation issues). |
| .github/workflows/codecov.yml | Adds a pytest coverage job and uploads to Codecov (may fail in repos without tests / fork PRs). |
| .github/workflows/codacy.yml | Adds Codacy SARIF generation + upload to code scanning (may fail on fork PRs due to secrets). |
| .github/dependabot.yml | Adds Dependabot config (currently invalid due to empty ecosystem). |
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
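Review bot: `uses: actions/checkout@v4` on the last line of this hunk pins the action only to a mutable major tag; for a workflow whose output feeds code scanning, pin to the full commit SHA of the release (keeping the tag in a trailing comment for readability) so the step's code cannot change without a reviewed update, and have Dependabot keep the pin current once the ecosystem in the new dependabot.yml is filled in.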
steps: is defined, but the step items (- name: etc.) are not indented beneath it, which will cause a YAML parse error and prevent the workflow from running. Indent all - name: entries under steps:.
| - name: Upload coverage reports to Codecov | ||
| uses: codecov/codecov-action@v5 | ||
| with: | ||
| token: ${{ secrets.CODECOV_TOKEN }} | ||
| slug: marekdkropiewnicki-dotcom/flask-api |
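Review bot: `token: ${{ secrets.CODECOV_TOKEN }}` resolves to an empty string on pull requests opened from forks, because repository secrets are not exposed to fork-triggered runs, so this upload step will fail or upload nothing there; either gate the step with `if: github.event.pull_request.head.repo.full_name == github.repository` or state in the workflow that fork PRs do not report coverage. The `codecov/codecov-action@v5` reference is also a mutable tag; pin it to a commit SHA so the step that receives a repository secret cannot change silently.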
Hardcoding slug: marekdkropiewnicki-dotcom/flask-api will break coverage uploads for forks and if the repository is renamed/transferred. The Codecov action can infer the repo from GITHUB_REPOSITORY, so it’s safer to remove the slug setting.
@copilot apply changes based on this feedback
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This workflow runs Bandit, a security linter for Python, on pushes and pull requests to the main branch, and on a scheduled basis.