Fix SonarCloud violations (#136)

Author: Takishima

.github/workflows/draft_release.yml

@@ -13,7 +13,16 @@ jobs:
   new-release:
     name: "Draft a new release"
     runs-on: ubuntu-latest
+    env:
+      RELEASE_TAG: ${{ github.event.inputs.tag }}
     steps:
+      - name: Validate release tag format
+        run: |
+          if ! echo "$RELEASE_TAG" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Error: Tag must be in format vXX.YY.ZZ"
+            exit 1
+          fi
+
       - uses: actions/checkout@v4
 
       - name: Setup Python
@@ -26,7 +35,7 @@ jobs:
       - name: Update CHANGELOG
         run: |
           python3 -m pip install mdformat-gfm 'git+https://github.com/Takishima/keepachangelog@v1.0.1'
-          python3 -m keepachangelog release "${{ github.event.inputs.tag }}"
+          python3 -m keepachangelog release "$RELEASE_TAG"
           python3 -m mdformat CHANGELOG.md
 
       - name: Commit changes

.github/workflows/format.yml

@@ -28,16 +28,18 @@ jobs:
           curl -LsSf "${source_url}/${parse_changelog_tag}/parse-changelog-${target}.tar.gz" | tar xzf -
       - name: Extract version from branch name (for release branches)
         if: github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/')
+        env:
+          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
         run: |
-          BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
           VERSION=${BRANCH_NAME#release/v}
           echo "RELEASE_VERSION=$VERSION" >> $GITHUB_ENV
           git tag v${RELEASE_VERSION}
 
       - name: Extract version from branch name (for hotfix branches)
         if: github.event_name == 'pull_request'  && startsWith(github.event.pull_request.head.ref, 'hotfix/')
+        env:
+          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
         run: |
-          BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
           VERSION=${BRANCH_NAME#hotfix/v}
           echo "RELEASE_VERSION=$VERSION" >> $GITHUB_ENV
           git tag v${RELEASE_VERSION}

.github/workflows/publish_release.yml

@@ -39,16 +39,18 @@ jobs:
 
       - name: Extract version from branch name (for release branches)
         if: github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref, 'release/')
+        env:
+          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
         run: |
-          BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
           VERSION=${BRANCH_NAME#release/}
           VERSION=${VERSION#v}
           echo "RELEASE_VERSION=$VERSION" >> $GITHUB_ENV
 
       - name: Extract version from branch name (for hotfix branches)
         if: github.event_name == 'pull_request'  && startsWith(github.event.pull_request.head.ref, 'hotfix/')
+        env:
+          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
         run: |
-          BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
           VERSION=${BRANCH_NAME#hotfix/}
           VERSION=${VERSION#v}
           echo "RELEASE_VERSION=$VERSION" >> $GITHUB_ENV

.github/workflows/pull_request.yml

@@ -31,8 +31,10 @@ jobs:
           python3 -m pip install 'git+https://github.com/Takishima/pre-commit-changelog-auto-update@v1.0.0'
 
       - name: Run Python script
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
         run: |
-          python3 -m update_changelog --pr-body "${{ github.event.pull_request.body }}"
+          python3 -m update_changelog --pr-body "$PR_BODY"
 
       - name: Commit changes
         id: commit

CHANGELOG.md

@@ -19,6 +19,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Repository
 
+- Fix SonarCloud violations:
+  - Fix return type annotation for `_load_from_toml` method in `_argparse.py`
+  - Reduce cognitive complexity in `_cmake.py` by extracting helper methods
+  - Reduce cognitive complexity in `_cmake_test.py` by extracting test helpers
+  - Fix variable naming conventions in test files
+  - Fix GitHub Actions security issues by using environment variables for user-controlled data
+  - Add input validation for workflow_dispatch parameters
+  - Fix shell script issues in `run_tests.sh` (use `[[` instead of `[`, add return statements)
 - Fixed Windows CI by using pip to install cppcheck (Chocolatey package is broken)
 - Modernize ruff configuration to follow latest guidelines
   - Remove deprecated settings (`target-version`, `ANN101`, `ASYNC1`, etc.)

cmake_pc_hooks/_argparse.py

@@ -293,7 +293,7 @@ def _load_from_toml(  # noqa: PLR0913
         path_must_exist: bool = True,
         section_must_exist: bool = True,
         overridable_keys: set | None = None,
-    ) -> None:
+    ) -> argparse.Namespace:
         """
         Load a TOML file and set the attributes within the argparse namespace object.
 

cmake_pc_hooks/_cmake.py

@@ -298,40 +298,8 @@ def resolve_build_directory(self, build_dir_list=None, *, automatic_discovery=Tr
             self.build_dir,
         )
 
-    def setup_cmake_args(self, cmake_args):  # noqa: C901
-        """
-        Setup CMake arguments.
-
-        Args:
-            cmake_args: Dictionary-like data structure with following keys:
-                - 'defines': list[str]
-                - 'undefined': list[str]
-                - 'errors': list[str]
-                - 'no_errors': list[str]
-                - 'generator': str
-                - 'toolset': str
-                - 'platform': str
-                - 'preset': str
-                - 'cmake': str
-                - 'dev_warnings': bool
-                - 'no_dev_warnings': bool
-                - 'linux': list[str]
-                - 'mac': list[str]
-                - 'win': list[str]
-        """
-        self.source_dir = Path(cmake_args.source_dir).resolve()
-        if cmake_args.cmake:
-            self.command = [Path(cmake_args.cmake).resolve()]
-        self.no_cmake_configure = cmake_args.no_cmake_configure
-
-        self.resolve_build_directory(
-            build_dir_list=cmake_args.build_dir,
-            automatic_discovery=cmake_args.automatic_discovery,
-        )
-
-        if cmake_args.detect_configured_files and self.build_dir:
-            self.cmake_trace_log = self.build_dir / self.DEFAULT_TRACE_LOG
-
+    def _process_keyword_cmake_args(self, cmake_args):
+        """Process keyword-style CMake arguments."""
         keyword_args = {
             'defines': ([], '-D{}'),
             'undefines': ([], '-U{}'),
@@ -352,6 +320,8 @@ def setup_cmake_args(self, cmake_args):  # noqa: C901
                     for element in value:
                         self.cmake_args.append(format_str.format(element))
 
+    def _process_flag_cmake_args(self, cmake_args):
+        """Process flag-style CMake arguments."""
         flag_args = {
             'dev_warnings': (False, '-Wdev'),
             'no_dev_warnings': (False, '-Wno_dev'),
@@ -360,18 +330,58 @@ def setup_cmake_args(self, cmake_args):  # noqa: C901
             if getattr(cmake_args, key, default):
                 self.cmake_args.append(flag_str)
 
-        platform_args = {
+    def _process_platform_cmake_args(self, cmake_args):
+        """Process platform-specific CMake arguments."""
+        platform_args_config = {
             'linux': ([], 'Linux'),
             'mac': ([], 'Darwin'),
             'win': ([], 'Windows'),
         }
 
-        for key, (default, platform_name) in platform_args.items():
-            platform_args = getattr(cmake_args, key, default)
-            if platform.system() == platform_name and platform_args:
-                for arg in platform_args:
+        for key, (default, platform_name) in platform_args_config.items():
+            platform_arg_values = getattr(cmake_args, key, default)
+            if platform.system() == platform_name and platform_arg_values:
+                for arg in platform_arg_values:
                     self.cmake_args.append(arg.strip('"\''))
 
+    def setup_cmake_args(self, cmake_args):
+        """
+        Setup CMake arguments.
+
+        Args:
+            cmake_args: Dictionary-like data structure with following keys:
+                - 'defines': list[str]
+                - 'undefined': list[str]
+                - 'errors': list[str]
+                - 'no_errors': list[str]
+                - 'generator': str
+                - 'toolset': str
+                - 'platform': str
+                - 'preset': str
+                - 'cmake': str
+                - 'dev_warnings': bool
+                - 'no_dev_warnings': bool
+                - 'linux': list[str]
+                - 'mac': list[str]
+                - 'win': list[str]
+        """
+        self.source_dir = Path(cmake_args.source_dir).resolve()
+        if cmake_args.cmake:
+            self.command = [Path(cmake_args.cmake).resolve()]
+        self.no_cmake_configure = cmake_args.no_cmake_configure
+
+        self.resolve_build_directory(
+            build_dir_list=cmake_args.build_dir,
+            automatic_discovery=cmake_args.automatic_discovery,
+        )
+
+        if cmake_args.detect_configured_files and self.build_dir:
+            self.cmake_trace_log = self.build_dir / self.DEFAULT_TRACE_LOG
+
+        self._process_keyword_cmake_args(cmake_args)
+        self._process_flag_cmake_args(cmake_args)
+        self._process_platform_cmake_args(cmake_args)
+
     def configure(self, command, *, clean_build=False):
         """
         Run a CMake configure step (multi-process safe).