Merge branch 'use-codeclimate-for-linting-tests' into 'master'

ci: use GitLab Code Quality for linting tests

See merge request fdroid/fdroidserver!1443

.bandit

@@ -1,3 +0,0 @@
-[bandit]
-skips: B110,B404,B408,B410,B603,B607
-targets: .

.bandit.yaml

@@ -0,0 +1,2 @@
+skips: [B110, B404, B408, B410, B603, B607, B322]
+targets: .

.codeclimate.yml

@@ -0,0 +1,47 @@
+---
+version: "2"
+plugins:
+  shellcheck:
+    enabled: true
+    channel:
+    # Only include tests/run-tests
+    exclude_patterns:
+      - "**/*"
+      - "!tests/run-tests"
+    checks:
+      SC2046:
+        enabled: false
+      SC2090:
+        enabled: false
+      # Disable as the followings are absent in the shellcheck version provided by debian
+      # https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1443#note_1769237096
+      SC2086:
+        enabled: false
+      SC2129:
+        enabled: false
+      SC2006:
+        enabled: false
+      SC2126:
+        enabled: false
+      SC1007:
+        enabled: false
+      SC1001:
+        enabled: false
+      SC2016:
+        enabled: false
+      SC2181:
+        enabled: false
+      SC2103:
+        enabled: false
+      SC2089:
+        enabled: false
+
+  bandit:
+    enabled: true
+
+  # Disable as they are not among the array of linters we used previously
+  duplication:
+    enabled: false
+
+  structure:
+    enabled: false

.gitlab-ci.yml

@@ -1,4 +1,6 @@
 ---
+include:
+  - template: Code-Quality.gitlab-ci.yml
 
 variables:
   pip: pip3 --timeout 100 --retries 10
@@ -213,7 +215,7 @@ gradlew-fdroid:
 
 
 # Run all the various linters and static analysis tools.
-lint_format_safety_bandit_checks:
+lint_format_safety_checks:
   image: debian:bookworm-slim
   variables:
     LANG: C.UTF-8
@@ -228,34 +230,52 @@ lint_format_safety_bandit_checks:
           make
           pycodestyle
           pyflakes3
-          pylint
           python3-dev
           python3-git
           python3-nose
           python3-pip
           python3-yaml
-          shellcheck
-    - $pip install --break-system-packages bandit safety
+    - $pip install --break-system-packages safety
     - export EXITVALUE=0
     - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; }
     - ./hooks/pre-commit || set_error
-    - bandit
-        -r
-        -ii
-        --ini .bandit
-        || set_error
     - safety check --full-report || set_error
-    - pylint --output-format=colorized --reports=n
-            fdroid
+    - exit $EXITVALUE
+
+
+code_quality:
+  rules:
+    - if: $CODE_QUALITY_DISABLED
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" # Run code quality job in merge request pipelines
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH      # Run code quality job in pipelines on the default branch (but not in other branch pipelines)
+    - if: $CI_COMMIT_TAG                               # Run code quality job in pipelines for tags
+  tags:
+    - saas-linux-medium-amd64
+
+
+pylint:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" # Run code quality job in merge request pipelines
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH      # Run code quality job in pipelines on the default branch (but not in other branch pipelines)
+    - if: $CI_COMMIT_TAG                               # Run code quality job in pipelines for tags
+  image: debian:bookworm-slim
+  script:
+    - apt-get update
+    - apt-get -y install --no-install-recommends
+          python3-pip
+          pylint
+    - $pip install --break-system-packages pylint-gitlab
+    - pylint --exit-zero --output-format=pylint_gitlab.GitlabCodeClimateReporter 
+              fdroid
             makebuildserver
             setup.py
             fdroidserver/*.py
             tests/*.py
-            tests/*.TestCase
-        || set_error
-    - shellcheck --exclude SC2046,SC2090 --severity=warning --color tests/run-tests
-        || set_error
-    - exit $EXITVALUE
+            tests/*.TestCase > pylint-report.json
+  artifacts:
+    reports:
+      codequality: pylint-report.json
 
 
 # Run all the various linters and static analysis tools.

.safety-policy.yml

@@ -23,3 +23,6 @@ security:
     67599:
       reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI.
       expires: '2026-05-31'
+    70612:
+      reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree.
+      expires: '2026-05-31'

gradlew-fdroid

@@ -200,6 +200,7 @@ get_sha() {
         '8.5')    echo '9d926787066a081739e8200858338b4a69e837c3a821a33aca9db09dd4a41026' ;;
         '8.6')    echo '9631d53cf3e74bfa726893aee1f8994fee4e060c401335946dba2156f440f24c' ;;
         '8.7')    echo '544c35d6bd849ae8a5ed0bcea39ba677dc40f49df7d1835561582da2009b961d' ;;
+        '8.8')    echo 'a4b4158601f8636cdeeab09bd76afb640030bb5b144aafe261a5e8af027dc612' ;;
         *) exit 1
     esac
 }
@@ -220,7 +221,7 @@ d_gradle_plugin_ver_k=(8.4 8.3 8.2 8.1 8.0 7.4 7.3 7.2.0 7.1 7.0 4.2 4.1 4.0 3.6
 d_plugin_min_gradle_v=(8.6 8.4 8.2 8.0 8.0 7.5 7.4 7.3.3 7.2 7.0.2 6.7.1 6.5 6.1.1 5.6.4 5.4.1 5.1.1 4.10.1 4.6 4.4 4.1 3.3 2.14.1 2.14.1 2.12 2.12 2.4 2.4 2.3 2.2.1 2.2.1 2.1 2.1 1.12 1.12 1.12 1.11 1.10 1.9 1.8 1.6 1.6 1.4 1.4)
 
 # All gradle versions we know about
-plugin_v=(8.7 8.6 8.5 8.4 8.3 8.2.1 8.2 8.1.1 8.1 8.0.2 8.0.1 8.0 7.6.4 7.6.3 7.6.2 7.6.1 7.6 7.5.1 7.5 7.4.2 7.4.1 7.4 7.3.3 7.3.2 7.3.1 7.3 7.2 7.1.1 7.1 7.0.2 7.0.1 7.0 6.9.4 6.9.3 6.9.2 6.9.1 6.9 6.8.3 6.8.2 6.8.1 6.8 6.7.1 6.7 6.6.1 6.6 6.5.1 6.5 6.4.1 6.4 6.3 6.2.2 6.2.1 6.2 6.1.1 6.1 6.0.1 6.0 5.6.4 5.6.3 5.6.2 5.6.1 5.6 5.5.1 5.5 5.4.1 5.4 5.3.1 5.3 5.2.1 5.2 5.1.1 5.1 5.0 4.10.3 4.10.2 4.10.1 4.10 4.9 4.8.1 4.8 4.7 4.6 4.5.1 4.5 4.4.1 4.4 4.3.1 4.3 4.2.1 4.2 4.1 4.0.2 4.0.1 4.0 3.5.1 3.5 3.4.1 3.4 3.3 3.2.1 3.2 3.1 3.0 2.14.1 2.14 2.13 2.12 2.11 2.10 2.9 2.8 2.7 2.6 2.5 2.4 2.3 2.2.1 2.2 2.1 2.0 1.12 1.11 1.10 1.9 1.8 1.7 1.6 1.5 1.4 1.3 1.2 1.1 1.0 0.9.2 0.9.1 0.9 0.8 0.7)
+plugin_v=(8.8 8.7 8.6 8.5 8.4 8.3 8.2.1 8.2 8.1.1 8.1 8.0.2 8.0.1 8.0 7.6.4 7.6.3 7.6.2 7.6.1 7.6 7.5.1 7.5 7.4.2 7.4.1 7.4 7.3.3 7.3.2 7.3.1 7.3 7.2 7.1.1 7.1 7.0.2 7.0.1 7.0 6.9.4 6.9.3 6.9.2 6.9.1 6.9 6.8.3 6.8.2 6.8.1 6.8 6.7.1 6.7 6.6.1 6.6 6.5.1 6.5 6.4.1 6.4 6.3 6.2.2 6.2.1 6.2 6.1.1 6.1 6.0.1 6.0 5.6.4 5.6.3 5.6.2 5.6.1 5.6 5.5.1 5.5 5.4.1 5.4 5.3.1 5.3 5.2.1 5.2 5.1.1 5.1 5.0 4.10.3 4.10.2 4.10.1 4.10 4.9 4.8.1 4.8 4.7 4.6 4.5.1 4.5 4.4.1 4.4 4.3.1 4.3 4.2.1 4.2 4.1 4.0.2 4.0.1 4.0 3.5.1 3.5 3.4.1 3.4 3.3 3.2.1 3.2 3.1 3.0 2.14.1 2.14 2.13 2.12 2.11 2.10 2.9 2.8 2.7 2.6 2.5 2.4 2.3 2.2.1 2.2 2.1 2.0 1.12 1.11 1.10 1.9 1.8 1.7 1.6 1.5 1.4 1.3 1.2 1.1 1.0 0.9.2 0.9.1 0.9 0.8 0.7)
 
 v_all=${plugin_v[@]}
 

tests/run-tests

@@ -142,7 +142,7 @@ fi
 
 # allow the location of aapt to be overridden
 if [ -z "$aapt" ]; then
-    aapt=`ls -1 $ANDROID_HOME/build-tools/*/aapt 2> /dev/null | sort | tail -1`
+    aapt=$(find "$ANDROID_HOME/build-tools/*/aapt" 2> /dev/null | sort | tail -1)
 fi
 
 # try to use GNU sed on OSX/BSD cuz BSD sed sucks
@@ -745,7 +745,7 @@ if [ -e .git/config ]; then
 
     REPOROOT=`create_test_dir`
     cd $REPOROOT
-    tar xzf `ls -1 $WORKSPACE/dist/fdroidserver-*.tar.gz | sort -n | tail -1`
+    tar xzf "$(find "$WORKSPACE"/dist/fdroidserver-*.tar.gz | sort -n | tail -1)"
     cd $REPOROOT
     # shellcheck disable=SC2211
     ./fdroidserver-*/fdroid init
@@ -1303,7 +1303,7 @@ if which wget; then
     mv $REPOROOT/index-v1.json repo/index-v1.json
 
     port=321${RANDOM:3}
-    test $(printf $port | wc -m) -le 3 && port=52734 # when $RANDOM doesn't work
+    test "${#port}" -le 3 && port=52734 # when $RANDOM doesn't work
     timeout 5m python3 -m http.server $port --bind 127.0.0.1 > $REPOROOT/http.server.log 2>&1 &
     http_server_pid=$!