This demo covers setting up local automation for consistency checks, CI pipelines, and static code analysis.
- Set up pre-commit hooks for local automation
- Understand CI/CD pipelines for centralized checks
- Use static code analysis tools to catch issues early
Pre-commit runs checks automatically before each commit, catching issues early.
- Consistency: Everyone runs the same checks
- Speed: Catch issues before pushing
- Automation: No manual formatting needed
- Integration: Works with any Git workflow
# Install pre-commit
pip install pre-commit
# Install hooks in your repo (creates .git/hooks/pre-commit)
pre-commit install
# Run all hooks manually
pre-commit run --all-files
# Run a specific hook
pre-commit run ruff --all-filesSee the example configuration: pre-commit-config.yaml.example
The root .pre-commit-config.yaml in this repo is a working example you can copy.
repos:
# Ruff - Fast Python linter and formatter
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.4.4
hooks:
- id: ruff
args: [--fix, --exit-non-zero-on-fix]
- id: ruff-format
# General file checks
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
- id: check-json
- id: detect-private-key- You run
git commit - Pre-commit intercepts the commit
- Each hook runs on staged files
- If any hook fails, the commit is blocked
- Fix the issues and try again
Continuous Integration (CI) runs checks automatically on every push and pull request.
See: ci-pipeline.yml
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install ruff
- run: ruff check .
- run: ruff format --check .
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install pytest pytest-cov
- run: pytest --cov --cov-report=xml| Concept | Description |
|---|---|
| Trigger | When the pipeline runs (push, PR, schedule) |
| Job | A set of steps that run on a runner |
| Step | Individual commands or actions |
| Runner | The machine that executes jobs |
Static analysis examines code without running it to find bugs, security issues, and style problems.
# Find issues
ruff check .
# Show all issues including fixable ones
ruff check --output-format=full .
# Auto-fix issues
ruff check --fix .Ruff includes security rules (from flake8-bandit):
# Check for security issues specifically
ruff check --select S .See security_issues.py for examples of code that static analysis can catch:
- Hardcoded passwords
- SQL injection vulnerabilities
- Insecure random number generation
- Use of
eval()andexec()
# Find security issues in the demo file
ruff check demos/03-collaboration/security_issues.py --select S# Check types
mypy src/
# Strict mode
mypy --strict src/┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ Write │───▶│ Pre-commit │───▶│ Commit │
│ Code │ │ Checks │ │ Success │
└─────────────┘ └──────────────┘ └─────────────┘
│
▼ (if fails)
┌──────────────┐
│ Fix Issues │
└──────────────┘
┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ Push │───▶│ CI Pipeline │───▶│ Deploy │
│ to Git │ │ (Lint/Test) │ │ (if pass) │
└─────────────┘ └──────────────┘ └─────────────┘
│
▼ (if fails)
┌──────────────┐
│ Block Merge │
└──────────────┘
| File | Description |
|---|---|
| pre-commit-config.yaml.example | Sample pre-commit configuration |
| ci-pipeline.yml | Sample GitHub Actions workflow |
| security_issues.py | Code with security issues for demo |
- Automate locally - Pre-commit catches issues before they're committed
- Automate centrally - CI ensures nothing gets merged without passing checks
- Use static analysis - Find bugs without running code
- Security matters - Tools can catch common vulnerabilities
- Consistency is key - Same checks locally and in CI