Fix violations of static analysis for pytests

[jakub-vavra-cz]

Enable static analysis on pushes and pull requests. Fix some isort and typing issues.

Summary by Sourcery

Enable static analysis for the pytest test suite and align test and configuration code with the new linting and typing requirements.

Enhancements:

• Reformat pytest sudo tests and adjust assertions and string concatenations to comply with ruff formatting and style rules.
• Update sudo alias usage in tests to use alias names and string members for better compatibility with static typing and linting.
• Reorder imports in tests to satisfy isort-style ordering enforced by ruff.

Build:

• Configure ruff (lint and format) and mypy in pyproject.toml, including line length, target version, and enabled rule sets, and remove redundant flake8 configuration.

CI:

• Add a static code analysis job to the main CI workflow to run ruff (lint and format) and mypy on the pytest project, including virtualenv setup and dependencies.
• Remove the separate static-code-analysis workflow in favor of the new integrated CI job.

[sourcery-ai]

Reviewer's Guide

Adds a static code analysis job to the main CI workflow, configures Ruff and mypy in pyproject, and adjusts pytest sudo/security tests (including sudo alias usage and assertion formatting) to satisfy Ruff/isort/typing checks while removing the old standalone static-code-analysis workflow.

File-Level Changes

Change	Details	Files
Enable static code analysis (Ruff + mypy) as part of the main CI pipeline.	Add a static-code-analysis job to run on ubuntu-latest with Python 3.x Set up a virtualenv under ./pytest and install test requirements plus ruff and mypy Run ruff check, ruff format --check, and mypy on pytest tests, all guarded with if: always() to report even on failures	.github/workflows/ci.yml
Configure Ruff and update linting configuration for the pytest project.	Add Ruff configuration including line length, target Python version, and excluded paths Configure Ruff lint rules to include pycodestyle, pyflakes, and isort, and enforce from future import annotations as a required import Configure Ruff formatter preferences (quotes and indentation) Remove legacy flake8 configuration now superseded by Ruff	pytest/pyproject.toml
Align sudo alias usage in pytest tests with string-based identifiers expected by static analysis and underlying sudo tooling.	Change sudo user alias definitions to pass user/group names (e.g. u.name, g.name) instead of user/group objects into client.sudoalias.add Change sudo rules to reference user/command/host aliases by their alias names (e.g. 'SUDO_USERS', 'LSHELP', 'TRUSTED', 'RUN_AS') instead of passing alias objects	pytest/tests/test_basic.py
Refactor pytest assertions and imports to satisfy Ruff/isort and style rules without changing test behavior.	Reorder imports so pytest and stdlib imports precede local imports and enforce future import position Collapse multi-line assert calls into single logical lines with the message wrapped in parentheses to conform to line-length and formatting rules Apply similar assertion formatting updates in miscellaneous sudo-related tests	pytest/tests/test_basic.py pytest/tests/test_misc_issues.py pytest/tests/test_sudo.py pytest/tests/test_security.py
Simplify mailer sudoers string construction in the security test to avoid multi-line string concatenation issues flagged by static analysis.	Replace a parenthesized multi-line string concatenation with a single f-string containing embedded newlines for the sudoers configuration	pytest/tests/test_security.py
Remove the old static-code-analysis workflow now that static analysis runs as part of the main CI workflow.	Delete the standalone .github/workflows/static-code-analysis.yml workflow file	.github/workflows/static-code-analysis.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• In the static-code-analysis job, the venv creation and dependency installation logic closely mirrors what you already do in the pytest job; consider refactoring this into a shared reusable step or composite action to avoid duplication and future drift.
• The workflow installs ruff and mypy without version pins, which can cause CI to break when new releases introduce changes; consider pinning these tools in requirements.txt or a separate constraints file for reproducible analysis runs.
• The sudoers string in test_cve__mailer_escalation is now a single f-string with embedded newlines, which is harder to read and edit; consider switching to a multi-line literal (e.g., with textwrap.dedent) to keep each directive on its own line in the source.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In the `static-code-analysis` job, the venv creation and dependency installation logic closely mirrors what you already do in the `pytest` job; consider refactoring this into a shared reusable step or composite action to avoid duplication and future drift.
- The workflow installs `ruff` and `mypy` without version pins, which can cause CI to break when new releases introduce changes; consider pinning these tools in `requirements.txt` or a separate constraints file for reproducible analysis runs.
- The `sudoers` string in `test_cve__mailer_escalation` is now a single f-string with embedded newlines, which is harder to read and edit; consider switching to a multi-line literal (e.g., with `textwrap.dedent`) to keep each directive on its own line in the source.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}