-
Notifications
You must be signed in to change notification settings - Fork 685
Tooling, automation and developer experience
Kunal Mehta edited this page Jan 9, 2023
·
30 revisions
Work in progress
This page serves two purposes:
- Describe abstractly what our interactive (CLI) and automated (CI) tools are for across the repositories that compose the SecureDrop project.
- This is in contrast to any given repository's readme, which describes concretely how to use these tools in that context.
- Track (a) inconsistencies to resolve across repositories and (b) new features, goals, or principles to implement.
While some of this material may eventually be reflected in the developer documentation, for now it is a (public) "living document" rather than a releasable documentation artifact.
- It should be easy to run the same thing that CI is running. Conversely, CI runs what you're running locally.
- Standard tooling (e.g. ShellCheck) should be available opportunistically: even if a project has no shell scripts yet, ShellCheck should kick in automatically if it acquires one.
- We're using Make as a command-runner, not for any real build logic.
- Make's main pro is that it's universal, everyone knows "make test", etc. and already has it installed.
- We do use make as a build tool for client localization targets, but that's not necessary.
- We should use tool-specific configuration (e.g. Black, pytest) rather than committing complex command invocations to Make targets.
- Makes it easier for new developers who already have experience using the tool to also use the tool here.
- Helps with other tooling, e.g. IDEs that know how to use the tool in the standard way (e.g. PyCharm can run
blackto autoformat every time you save a file), but won't know about our wrapper that contains our configuration arguments.
Across projects/repositories, we use CI to accomplish the following tasks in the following ways (including the following exceptions/gaps):
| Repository | securedrop |
securedrop-client |
securedrop-proxy |
securedrop-export |
securedrop-log |
securedrop-workstation |
securedrop-updater |
|---|---|---|---|---|---|---|---|
| CI image | debian |
circleci/python:3.7-buster |
debian |
debian |
fedora |
||
| Python version | |||||||
| Runs ShellCheck | yes | yes | |||||
| ...on any and all shell files present, or passes if none | |||||||
| Runs mypy | yes, config partially in shell wrapper | yes, config in Makefile | yes, config in Makefile | no | no | no | |
| ...in strict mode, including Qt | |||||||
| Runs tests via pytest | yes | yes | no, unittest | yes | no, unittest | no, unittest | pytest + xvfb-run |
| Runs Black+isort | yes, config in Makefile | yes | yes, config in Makefile | yes black w/ config in Makefile, no isort | no | yes, black has config in Makefile | |
| Runs flake8 | yes | yes | yes | yes | no | yes | |
| Runs safety | yes, complex Makefile command | yes, complex Makefile command | yes, complex Makefile command | yes, complex Makefile command | yes, complex Makefile command | no (but no prod deps) | |
| Extracts source strings for localization | yes | no | no | no | no | ||
...if babel.cfg is present, otherwise passes |
|||||||
| Caches CI jobs | yes, but inefficiently | ||||||
| CI jobs are grouped in workflows | |||||||
| CI jobs are parameterized in matrices | |||||||
| ... |
Across projects/repositories, we use Makefiles and shell scripts to accomplish the following tasks in the following ways (including the following exceptions/gaps):
| Repository | securedrop |
securedrop-client |
... |
|---|---|---|---|
| Create a Python venv | make venv |
make venv |
|
| Set up Git hooks | make add-hooks |
make hooks |
|
| Run in a development environment | make dev |
./run.sh |
|
| Lint (etc.) | |||
| Run tests | make test |
make test |
|
| ... |
Makefile targets, wrapper scripts and layout of requirements.txt files...
Here's what we have in securedrop-client:
IGNORED_VULNERABILITIES ?= "51668"
.PHONY: safety
safety: ## Runs `safety check` to check python dependencies for vulnerabilities
pip install --upgrade safety && \
for req_file in `find . -type f -wholename '*requirements.txt'`; do \
echo "Checking file $$req_file" \
&& safety check --full-report --ignore $(IGNORED_VULNERABILITIES) -r $$req_file \
&& echo -e '\n' \
|| exit 1; \
done- only client uses "IGNORED_VULNERABILITIES", the other components don't
- A simpler way to write this is
cat requirements/*requirements.txt | safety check --full-report. - Also unclear if safety should be pinned or not.
- Why do we not use the policy file thing? https://docs.pyup.io/docs/safety-20-policy-file What about the new project.json?