# tox (https://tox.readthedocs.io/) is a tool for running tests

# in multiple virtualenvs. This configuration file will run the

# test suite on all supported python versions. To use it, "pip install tox"

# and then run "tox" from this directory.

[tox]

skipsdist = True

envlist =

py{310,311,312,313}

style

coverage

safety

bandit

skip_missing_interpreters = true

[testenv]

description = run tests

deps =

-rrequirements.txt

virtualenv!=20.0.22

pre-commit

pytest

pytest-asyncio==0.26.0

pytest-aiohttp

coverage

allowlist_externals = mkdir

commands =

mkdir -p plugins/magma/dist/assets

coverage run -p -m pytest --tb=short --asyncio-mode=auto tests -vv

[testenv:style]

deps = pre-commit

skip_install = true

commands =

pre-commit run --all-files --show-diff-on-failure

[testenv:coverage]

deps =

coverage

skip_install = true

commands =

coverage combine

coverage html

coverage report

[testenv:coverage-ci]

deps =

coveralls

coverage

skip_install = true

commands =

coverage combine

coverage xml

coverage report

[testenv:safety]

# Dependency vulnerability scan. Env name kept as "safety" so branch

# protection contexts (`build (3.13, safety)`) don't need a coordinated

# update; underlying tool is pip-audit (PyPA, no API key, free).

#

# `safety check` was deprecated 2024-06; the pyup.io account/scan

# replacement was not worth the new secret + auth integration when

# Dependabot, GitGuardian, and SonarCloud already cover supply chain.

#

# Legacy pyup ignores (39642 reportlab, 39659 aiohttp) are obsolete

# now that aiohttp>=3.13 and reportlab>=4.0 are pinned. Add

# `--ignore-vuln GHSA-...` here if a real exemption is needed later.

deps =

pip-audit

skip_install = true

commands =

pip-audit -r requirements.txt

pip-audit -r requirements-dev.txt

[testenv:bandit]

deps =

bandit

skip_install = true

commands =

bandit -r app -ll --exclude=tests/ --skip=B303