chore(tools): rename run-static-checks to run-linter-checks, add run-tox-tests

markuslf · markuslf · commit b41aca16d3b6 · 2026-04-13T18:24:12.000+02:00
- Rename `tools/run-static-checks` -&gt; `tools/run-linter-checks` so the
  tools/run-* naming is consistent with run-unit-tests and
  run-container-tests, and the name describes what the tool does
  (linting + security + dead-code) rather than the generic
  "static analysis".
- Drop pylint from the default run. Its metric-based checks
  (R0801 duplicate lines, R09xx complexity) produce thousands of
  false positives on a repo of look-alike check plugins, and
  silencing them with a disable list would go against the house rule
  of running pylint without `--disable`. Pylint stays available for
  targeted single-file audits.
- Print a clear `&lt;analyzer&gt;: all checks passed` / `issues found`
  summary line after each analyzer so bandit and vulture no longer
  exit silently on a clean run.
- Add `tools/run-tox-tests` as a thin wrapper around `tox`. Same
  naming convention as the other run-* tools, and forwards all
  arguments to tox. Use `tools/run-unit-tests` for the currently
  activated venv, `tools/run-tox-tests` for the multi-Python
  matrix (py39 ... py314).
diff --git a/tools/run-linter-checks b/tools/run-linter-checks
@@ -6,20 +6,27 @@
 #          https://www.linuxfabrik.ch/
 # License: The Unlicense, see LICENSE file.
 
-"""Run static analysis (ruff, pylint, bandit, vulture) over the whole repo.
+"""Run lint and security checks (ruff, bandit, vulture) over the whole repo.
 
 Pre-commit hooks only run on staged files. This script sweeps every plugin
 script, every tool, and every file under lib/ so that long-standing issues
 cannot hide simply because nobody has touched the file in a while.
 
+pylint is intentionally NOT invoked here. Its metric-based checks
+(R0801 duplicate lines, R09xx complexity, etc.) produce thousands of
+false positives across a collection of check plugins that all share
+the same boilerplate, and suppressing the noise with a disable list
+would go against the house rule of running pylint without `--disable`.
+Run pylint by hand when you want to audit a single plugin.
+
 Plugin scripts use a shebang instead of a `.py` extension, so the script
 discovers them by `#!/usr/bin/env python` header and passes them explicitly
 to each analyzer.
 
 Usage:
-    tools/run-static-checks                 # run all analyzers
-    tools/run-static-checks --only=ruff     # run only ruff
-    tools/run-static-checks --only=ruff,bandit
+    tools/run-linter-checks                 # run all analyzers
+    tools/run-linter-checks --only=ruff     # run only ruff
+    tools/run-linter-checks --only=ruff,bandit
 """
 
 import argparse
@@ -66,14 +73,24 @@ def run(analyzer, argv):
     except FileNotFoundError:
         print(f'{analyzer}: not installed, skipping')
         return 0
+    # Normalize the end-of-run signal so every analyzer prints a clear
+    # pass/fail summary line. ruff prints "All checks passed!" itself,
+    # bandit and vulture stay silent on a clean run - which is confusing.
+    if result.returncode == 0:
+        print(f'{analyzer}: all checks passed', flush=True)
+    else:
+        print(
+            f'{analyzer}: issues found (exit {result.returncode})',
+            flush=True,
+        )
     return result.returncode
 
 
 def main():
     parser = argparse.ArgumentParser(description=__doc__)
     parser.add_argument(
         '--only',
-        help='Comma-separated list of analyzers to run (ruff, pylint, bandit, vulture)',
+        help='Comma-separated list of analyzers to run (ruff, bandit, vulture)',
         default='',
     )
     args = parser.parse_args()
@@ -91,9 +108,6 @@ def main():
     if selected is None or 'ruff' in selected:
         exit_code |= run('ruff', ['ruff', 'check', '--no-fix', *python_files])
 
-    if selected is None or 'pylint' in selected:
-        exit_code |= run('pylint', ['pylint', *python_files])
-
     if selected is None or 'bandit' in selected:
         exit_code |= run(
             'bandit',
diff --git a/tools/run-tox-tests b/tools/run-tox-tests
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8; py-indent-offset: 4 -*-
+#
+# Author:  Linuxfabrik GmbH, Zurich, Switzerland
+# Contact: info (at) linuxfabrik (dot) ch
+#          https://www.linuxfabrik.ch/
+# License: The Unlicense, see LICENSE file.
+
+"""Run unit tests across every supported Python version via tox.
+
+This is a thin wrapper around `tox` that lives in `tools/` so the
+same `tools/run-*` naming convention used for unit, container and
+linter checks applies to the cross-Python-version test run as well.
+
+The actual Python matrix (py39 ... py314) and the list of plugins
+each env depends on live in the repo's `tox.ini`. Any command-line
+arguments to this script are passed straight through to tox. A few
+common invocations:
+
+    tools/run-tox-tests                  # run the full matrix
+    tools/run-tox-tests -e py39          # only python 3.9
+    tools/run-tox-tests -e py312 -- procs scanrootkit
+                                         # only python 3.12, only
+                                         # two plugins (forwarded
+                                         # to tools/run-unit-tests
+                                         # via {posargs})
+
+Use `tools/run-unit-tests` directly for the single-interpreter case
+against the currently activated venv; use this wrapper when you
+want the multi-Python sweep that catches interpreter-specific bugs.
+"""
+
+import os
+import subprocess
+import sys
+
+REPO_ROOT = os.path.abspath(os.path.join(os.path.dirname(__file__), '..'))
+
+
+def main():
+    try:
+        result = subprocess.run(['tox', *sys.argv[1:]], cwd=REPO_ROOT, check=False)
+    except FileNotFoundError:
+        print(
+            'tox is not installed. Install it with `pip install tox` '
+            '(or your distribution package).',
+            file=sys.stderr,
+        )
+        return 1
+    return result.returncode
+
+
+if __name__ == '__main__':
+    sys.exit(main())
