tox.ini - caldera - Git at Google

 # tox (https://tox.readthedocs.io/) is a tool for running tests
 # in multiple virtualenvs. This configuration file will run the
 # test suite on all supported python versions. To use it, "pip install tox"
 # and then run "tox" from this directory.

 [tox]
 skipsdist = True
 envlist =
     py{310,311,312,313}
     style
     coverage
     safety
     bandit
 skip_missing_interpreters = true

 [testenv]
 description = run tests
 deps =
     -rrequirements.txt
     virtualenv!=20.0.22
     pre-commit
     pytest
     pytest-asyncio==0.26.0
     pytest-aiohttp
     coverage
 allowlist_externals = mkdir
 commands =
     mkdir -p plugins/magma/dist/assets
     coverage run -p -m pytest --tb=short --asyncio-mode=auto tests -vv

 [testenv:style]
 deps = pre-commit
 skip_install = true
 commands =
     pre-commit run --all-files --show-diff-on-failure

 [testenv:coverage]
 deps =
     coverage
 skip_install = true
 commands =
     coverage combine
     coverage html
     coverage report

 [testenv:coverage-ci]
 deps =
     coveralls
     coverage
 skip_install = true
 commands =
     coverage combine
     coverage xml
     coverage report

 [testenv:safety]
 # Dependency vulnerability scan. Env name kept as "safety" so branch
 # protection contexts (`build (3.13, safety)`) don't need a coordinated
 # update; underlying tool is pip-audit (PyPA, no API key, free).
 #
 # `safety check` was deprecated 2024-06; the pyup.io account/scan
 # replacement was not worth the new secret + auth integration when
 # Dependabot, GitGuardian, and SonarCloud already cover supply chain.
 #
 # Legacy pyup ignores (39642 reportlab, 39659 aiohttp) are obsolete
 # now that aiohttp>=3.13 and reportlab>=4.0 are pinned. Add
 # `--ignore-vuln GHSA-...` here if a real exemption is needed later.
 deps =
     pip-audit
 skip_install = true
 commands =
     pip-audit -r requirements.txt
     pip-audit -r requirements-dev.txt

 [testenv:bandit]
 deps =
     bandit
 skip_install = true
 commands =
     bandit -r app -ll --exclude=tests/ --skip=B303
	# tox (https://tox.readthedocs.io/) is a tool for running tests
	# in multiple virtualenvs. This configuration file will run the
	# test suite on all supported python versions. To use it, "pip install tox"
	# and then run "tox" from this directory.

	[tox]
	skipsdist = True
	envlist =
	py{310,311,312,313}
	style
	coverage
	safety
	bandit
	skip_missing_interpreters = true

	[testenv]
	description = run tests
	deps =
	-rrequirements.txt
	virtualenv!=20.0.22
	pre-commit
	pytest
	pytest-asyncio==0.26.0
	pytest-aiohttp
	coverage
	allowlist_externals = mkdir
	commands =
	mkdir -p plugins/magma/dist/assets
	coverage run -p -m pytest --tb=short --asyncio-mode=auto tests -vv

	[testenv:style]
	deps = pre-commit
	skip_install = true
	commands =
	pre-commit run --all-files --show-diff-on-failure

	[testenv:coverage]
	deps =
	coverage
	skip_install = true
	commands =
	coverage combine
	coverage html
	coverage report

	[testenv:coverage-ci]
	deps =
	coveralls
	coverage
	skip_install = true
	commands =
	coverage combine
	coverage xml
	coverage report

	[testenv:safety]
	# Dependency vulnerability scan. Env name kept as "safety" so branch
	# protection contexts (`build (3.13, safety)`) don't need a coordinated
	# update; underlying tool is pip-audit (PyPA, no API key, free).
	#
	# `safety check` was deprecated 2024-06; the pyup.io account/scan
	# replacement was not worth the new secret + auth integration when
	# Dependabot, GitGuardian, and SonarCloud already cover supply chain.
	#
	# Legacy pyup ignores (39642 reportlab, 39659 aiohttp) are obsolete
	# now that aiohttp>=3.13 and reportlab>=4.0 are pinned. Add
	# `--ignore-vuln GHSA-...` here if a real exemption is needed later.
	deps =
	pip-audit
	skip_install = true
	commands =
	pip-audit -r requirements.txt
	pip-audit -r requirements-dev.txt

	[testenv:bandit]
	deps =
	bandit
	skip_install = true
	commands =
	bandit -r app -ll --exclude=tests/ --skip=B303