From 980c712e655ba2dbc8d46476ef28fd325f996626 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Sun, 19 Apr 2026 13:46:23 +0100 Subject: [PATCH 01/15] Add Codecov workflow for test coverage reporting --- .github/workflows/codecov.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/codecov.yml diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml new file mode 100644 index 0000000..4e3ad88 --- /dev/null +++ b/.github/workflows/codecov.yml @@ -0,0 +1,32 @@ +name: Coverage + +on: + push: + branches: [ main, master ] + pull_request: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + pip install pytest pytest-cov + + - name: Run tests with coverage + run: pytest --cov --cov-branch --cov-report=xml + + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v5 + with: + token: ${{ secrets.CODECOV_TOKEN }} + slug: marekdkropiewnicki-dotcom/flask-api From 851236d15f52ce1da134523a1dbbd6e3fd436d05 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Wed, 22 Apr 2026 21:05:07 +0100 Subject: [PATCH 02/15] Add CodeQL analysis workflow configuration --- .github/workflows/codeql.yml | 101 +++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..8e14eca --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,101 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '32 13 * * 2' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: python + build-mode: none + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - name: Run manual build steps + if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{matrix.language}}" From 26a0cd3e23b80a9a57164e74bd8dee51d4df325c Mon Sep 17 00:00:00 2001 From: QuantuM Date: Wed, 22 Apr 2026 21:16:27 +0100 Subject: [PATCH 03/15] Add Codacy security scan workflow This workflow performs a Codacy security scan and integrates the results with GitHub Advanced Security. --- .github/workflows/codacy.yml | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/codacy.yml diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml new file mode 100644 index 0000000..a1a6abb --- /dev/null +++ b/.github/workflows/codacy.yml @@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '16 15 * * 3' + +permissions: + contents: read + +jobs: + codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v4 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 3ae610b538b335f886dd487999fad22d8358254b Mon Sep 17 00:00:00 2001 From: QuantuM Date: Wed, 22 Apr 2026 21:19:14 +0100 Subject: [PATCH 04/15] Fix formatting in dependabot.yml --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..5990d9c --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" From 11dec4e29aee1649901c21cda0cbc5a6ec41d9d4 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Thu, 23 Apr 2026 01:25:58 +0100 Subject: [PATCH 05/15] Update .github/workflows/codecov.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/codecov.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml index 4e3ad88..e2ddb96 100644 --- a/.github/workflows/codecov.yml +++ b/.github/workflows/codecov.yml @@ -26,7 +26,10 @@ jobs: run: pytest --cov --cov-branch --cov-report=xml - name: Upload coverage reports to Codecov + if: ${{ github.event_name != 'pull_request' || env.CODECOV_TOKEN != '' }} + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} uses: codecov/codecov-action@v5 with: - token: ${{ secrets.CODECOV_TOKEN }} + token: ${{ env.CODECOV_TOKEN }} slug: marekdkropiewnicki-dotcom/flask-api From 1b60e29bfceac2ea43840016771837b0b6789db1 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Thu, 23 Apr 2026 01:26:14 +0100 Subject: [PATCH 06/15] Update .github/dependabot.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5990d9c..0d08e26 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,7 +5,7 @@ version: 2 updates: - - package-ecosystem: "" # See documentation for possible values + - package-ecosystem: "github-actions" # See documentation for possible values directory: "/" # Location of package manifests schedule: interval: "weekly" From ac6ccbc0ab993c278b0f470e2ac20c6e84833030 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Thu, 23 Apr 2026 01:26:30 +0100 Subject: [PATCH 07/15] Update .github/workflows/codeql.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/codeql.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8e14eca..48684e9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -43,10 +43,10 @@ jobs: fail-fast: false matrix: include: - - language: actions - build-mode: none - - language: python - build-mode: none + - language: actions + build-mode: none + - language: python + build-mode: none # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' # Use `c-cpp` to analyze code written in C, C++ or both # Use 'java-kotlin' to analyze code written in Java, Kotlin or both From 75f5e6bd50d1ba9d8bdebcf3c944c44559a4776f Mon Sep 17 00:00:00 2001 From: QuantuM Date: Thu, 23 Apr 2026 01:26:50 +0100 Subject: [PATCH 08/15] Update .github/workflows/codecov.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/codecov.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml index e2ddb96..3674d1d 100644 --- a/.github/workflows/codecov.yml +++ b/.github/workflows/codecov.yml @@ -23,7 +23,14 @@ jobs: pip install pytest pytest-cov - name: Run tests with coverage - run: pytest --cov --cov-branch --cov-report=xml + run: | + pytest --cov --cov-branch --cov-report=xml + status=$? + if [ "$status" -eq 5 ]; then + echo "No tests were collected by pytest; treating exit code 5 as success." + exit 0 + fi + exit "$status" - name: Upload coverage reports to Codecov if: ${{ github.event_name != 'pull_request' || env.CODECOV_TOKEN != '' }} From fbd044e9bf676497a398c3cb1e043ba93e450144 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Thu, 23 Apr 2026 13:00:23 +0100 Subject: [PATCH 09/15] Add Bandit security linter workflow This workflow runs Bandit, a security linter for Python, on pushes and pull requests to the main branch, and on a scheduled basis. --- .github/workflows/bandit.yml | 52 ++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/bandit.yml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml new file mode 100644 index 0000000..c7baeee --- /dev/null +++ b/.github/workflows/bandit.yml @@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Bandit is a security linter designed to find common security issues in Python code. +# This action will run Bandit on your codebase. +# The results of the scan will be found under the Security tab of your repository. + +# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname +# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA + +name: Bandit +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '26 5 * * 3' + +jobs: + bandit: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Bandit Scan + uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd + with: # optional arguments + # exit with 0, even with results found + exit_zero: true # optional, default is DEFAULT + # Github token of the repository (automatically created by Github) + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. + # File or directory to run bandit on + # path: # optional, default is . + # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) + # level: # optional, default is UNDEFINED + # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) + # confidence: # optional, default is UNDEFINED + # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg) + # excluded_paths: # optional, default is DEFAULT + # comma-separated list of test IDs to skip + # skips: # optional, default is DEFAULT + # path to a .bandit file that supplies command line arguments + # ini_path: # optional, default is DEFAULT + From 3a9c1a45d56913d6f97302a4980f7e2d23d35003 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Sat, 9 May 2026 00:10:42 +0100 Subject: [PATCH 10/15] Comment out ini_path option in bandit.yml --- .github/workflows/bandit.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index c7baeee..0f37045 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -49,4 +49,3 @@ jobs: # skips: # optional, default is DEFAULT # path to a .bandit file that supplies command line arguments # ini_path: # optional, default is DEFAULT - From ab1238d046b03cf90f19a8272137f9f8eb5dc14d Mon Sep 17 00:00:00 2001 From: QuantuM Date: Sat, 9 May 2026 11:05:37 +0100 Subject: [PATCH 11/15] Add Bandit configuration for assert_used checks --- .bandit | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .bandit diff --git a/.bandit b/.bandit new file mode 100644 index 0000000..d56bbd5 --- /dev/null +++ b/.bandit @@ -0,0 +1,6 @@ +assert_used: + skips: + - "*_test.py" + - "test_*.py" + - "tests/**/*_test.py" + - "tests/**/test_*.py" From c66dacdbdf05d4abf271c8189c6818663d10feae Mon Sep 17 00:00:00 2001 From: QuantuM Date: Sat, 9 May 2026 11:08:47 +0100 Subject: [PATCH 12/15] Fix formatting in .bandit file From 8aee30935a1b9dcc5fc033095cacaaa37a836d32 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Sat, 9 May 2026 12:09:48 +0100 Subject: [PATCH 13/15] Fix slug formatting in codecov.yml From 64438bd927caaa2a77a377b4b3c61d45cf323ae3 Mon Sep 17 00:00:00 2001 From: QuantuM Date: Sat, 9 May 2026 12:12:18 +0100 Subject: [PATCH 14/15] Fix slug formatting in codecov.yml From 618a6c8f1b82db8360af3d32a480341a4fbf4393 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Mon, 11 May 2026 13:09:54 +0100 Subject: [PATCH 15/15] test: add pytest suite to fix failing Coverage workflow (#3) * Initial plan * test: add pytest tests for Flask app routes and coverage Agent-Logs-Url: https://github.com/marekdkropiewnicki-dotcom/flask-api/sessions/067a86e5-a314-4704-95ea-37ce97190e48 Co-authored-by: marekdkropiewnicki-dotcom <259442047+marekdkropiewnicki-dotcom@users.noreply.github.com> * chore: add coverage.xml to .gitignore Agent-Logs-Url: https://github.com/marekdkropiewnicki-dotcom/flask-api/sessions/067a86e5-a314-4704-95ea-37ce97190e48 Co-authored-by: marekdkropiewnicki-dotcom <259442047+marekdkropiewnicki-dotcom@users.noreply.github.com> * test: improve test assertions based on code review feedback Agent-Logs-Url: https://github.com/marekdkropiewnicki-dotcom/flask-api/sessions/067a86e5-a314-4704-95ea-37ce97190e48 Co-authored-by: marekdkropiewnicki-dotcom <259442047+marekdkropiewnicki-dotcom@users.noreply.github.com> * Update conftest.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * test: add module/fixture docstrings and silence pylint redefined-outer-name Agent-Logs-Url: https://github.com/marekdkropiewnicki-dotcom/flask-api/sessions/cb23b390-6a95-4ef9-acee-0a6aefd31765 Co-authored-by: marekdkropiewnicki-dotcom <259442047+marekdkropiewnicki-dotcom@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: marekdkropiewnicki-dotcom <259442047+marekdkropiewnicki-dotcom@users.noreply.github.com> Co-authored-by: QuantuM Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .gitignore | 1 + pytest.ini | 2 ++ tests/__init__.py | 0 tests/conftest.py | 25 +++++++++++++++++++++++++ tests/test_app.py | 39 +++++++++++++++++++++++++++++++++++++++ 5 files changed, 67 insertions(+) create mode 100644 pytest.ini create mode 100644 tests/__init__.py create mode 100644 tests/conftest.py create mode 100644 tests/test_app.py diff --git a/.gitignore b/.gitignore index ceacb12..487161f 100644 --- a/.gitignore +++ b/.gitignore @@ -20,6 +20,7 @@ venv.bak/ .mypy_cache/ .coverage htmlcov/ +coverage.xml .vscode/ .idea/ diff --git a/pytest.ini b/pytest.ini new file mode 100644 index 0000000..5ee6477 --- /dev/null +++ b/pytest.ini @@ -0,0 +1,2 @@ +[pytest] +testpaths = tests diff --git a/tests/__init__.py b/tests/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/tests/conftest.py b/tests/conftest.py new file mode 100644 index 0000000..a82411c --- /dev/null +++ b/tests/conftest.py @@ -0,0 +1,25 @@ +"""Pytest fixtures for the Flask application test suite.""" + +import pytest + +from app import create_app + + +@pytest.fixture() +def app(): + """Create and configure a Flask app instance for tests.""" + flask_app = create_app() + flask_app.config.update( + { + "TESTING": True, + "ENVIRONMENT": "testing", + "DEBUG": False, + } + ) + yield flask_app + + +@pytest.fixture() +def client(app): # pylint: disable=redefined-outer-name + """Return a Flask test client for the configured app fixture.""" + return app.test_client() diff --git a/tests/test_app.py b/tests/test_app.py new file mode 100644 index 0000000..de1bcf2 --- /dev/null +++ b/tests/test_app.py @@ -0,0 +1,39 @@ +"""Smoke tests for the Flask application factory and built-in routes.""" + + +def test_app_testing_mode(app): # pylint: disable=redefined-outer-name + """App is configured with TESTING=True.""" + assert app is not None + assert app.config["TESTING"] is True + + +def test_root(client): # pylint: disable=redefined-outer-name + """GET / returns 200 with expected response shape.""" + response = client.get("/") + assert response.status_code == 200 + body = response.get_json() + assert body["status"] == 200 + assert body["message"] == "Root endpoint" + assert "app" in body["data"] + assert "environment" in body["data"] + + +def test_health(client): # pylint: disable=redefined-outer-name + """GET /health returns 200 with healthy=True.""" + response = client.get("/health") + assert response.status_code == 200 + body = response.get_json() + assert body["status"] == 200 + assert body["message"] == "Health check OK" + assert body["data"]["healthy"] is True + + +def test_status(client): # pylint: disable=redefined-outer-name + """GET /status returns 200 with uptime_seconds and environment.""" + response = client.get("/status") + assert response.status_code == 200 + body = response.get_json() + assert body["status"] == 200 + assert body["message"] == "Service status" + assert isinstance(body["data"]["uptime_seconds"], (int, float)) + assert isinstance(body["data"]["environment"], str)