Merge pull request #221 from burningmantech/bump #643
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Docs: https://docs.github.com/en/actions | |
name: CI/CD | |
on: | |
push: | |
branches: ["master"] | |
pull_request: | |
branches: ["master"] | |
jobs: | |
lint: | |
name: Linters | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
*.github.com:443 | |
*.githubusercontent.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: Install uv | |
uses: astral-sh/setup-uv@v5 | |
- name: Set up Tox environment | |
run: uvx --with=tox-uv tox run -e lint --notest | |
- name: Run Linters | |
run: uvx --with=tox-uv tox run -e lint | |
env: | |
# no-commit-to-branch always fails in CI, because this pre-commit | |
# is only designed for running locally (i.e. when committing to a | |
# local master branch) | |
SKIP: no-commit-to-branch | |
mypy: | |
name: Mypy (static type checker) | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
*.github.com:443 | |
*.githubusercontent.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: Install uv | |
uses: astral-sh/setup-uv@v5 | |
- name: Set up Tox environment | |
run: uvx --with=tox-uv tox run -e mypy --notest | |
- name: Run Mypy | |
run: uvx --with=tox-uv tox run -e mypy | |
packaging: | |
name: Packaging | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
*.github.com:443 | |
*.githubusercontent.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: Install uv | |
uses: astral-sh/setup-uv@v5 | |
- name: Set up Tox environment | |
run: uvx --with=tox-uv tox run -e packaging --notest | |
- name: Check packaging | |
run: uvx --with=tox-uv tox run -e packaging | |
unit: | |
name: "Py:${{ matrix.python-version }} - ${{ matrix.os }}" | |
# Available versions: | |
# https://github.com/actions/python-versions/blob/main/versions-manifest.json | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 30 | |
continue-on-error: ${{ matrix.optional }} | |
strategy: | |
matrix: | |
os: ["ubuntu-latest"] | |
python-version: ["3.12"] # Versions to test with coverage | |
tox-prefix: ["coverage"] | |
optional: [false] | |
include: | |
# Test next Python version but allow it to fail | |
- os: "ubuntu-latest" | |
python-version: "3.13" | |
optional: true | |
tox-prefix: "test" | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
*.codecov.io:443 | |
*.github.com:443 | |
*.githubusercontent.com:443 | |
codecov.io:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
keybase.io:443 | |
pypi.org:443 | |
storage.googleapis.com:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 2 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Translate Python version to Tox environment | |
shell: python | |
run: | | |
from os import environ | |
from pathlib import Path | |
py = "${{ matrix.python-version }}" | |
py = "".join(py.split(".")[:2]) # Combine major/minor, toss rest | |
py = py.replace("pypy-", "py") # For Pypy: have a litte less py | |
env = f"${{ matrix.tox-prefix }}-py{py}" | |
print(f"TOX_ENV={env}") | |
p = Path(environ["GITHUB_ENV"]) | |
f = p.open(mode="a") | |
f.write(f"TOX_ENV={env}\n") | |
- name: Install uv | |
uses: astral-sh/setup-uv@v5 | |
- name: Set up Tox environment | |
run: uvx --with=tox-uv tox run -e "${TOX_ENV}" --notest | |
- name: Run unit tests | |
id: test | |
run: | | |
status=0 | |
uvx --with=tox-uv tox run -e "${TOX_ENV}" || status=$? | |
if [ ${status} -ne 0 ] && [ "${{ matrix.optional }}" == "true" ]; then | |
echo "::warning::Optional matrix job failed." | |
echo "optional_fail=true" >> "${GITHUB_OUTPUT}" | |
echo "optional_fail_status=${status}" >> "${GITHUB_OUTPUT}" | |
exit 0 # Ignore error here to keep the green checkmark going | |
fi; | |
exit ${status} | |
- name: Upload Trial log artifact | |
if: ${{ failure() || steps.test.outputs.optional_fail == 'true' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: trial | |
path: .tox/${TOX_ENV}/log/trial.log | |
- name: Add comment if optional job failed; delete otherwise | |
# this step fails on post-merge runs on master, since there's no | |
# PR to comment against. | |
if: ${{ matrix.optional && github.ref != 'refs/heads/master' }} | |
uses: thollander/actions-comment-pull-request@v3 | |
with: | |
# Note: tag must be unique to each matrix case | |
comment-tag: "${{ matrix.python-version }}-${{ matrix.os }}-optional-notice" | |
message: | | |
### ⚠️ Optional matrix job Py:${{ matrix.python-version }} - ${{ matrix.os }} failed ⚠️ | |
- tox prefix: ${{ matrix.tox-prefix }} | |
- exit status: ${{ steps.test.outputs.optional_fail_status }} | |
mode: ${{ steps.test.outputs.optional_fail == 'true' && 'upsert' || 'delete' }} | |
# Use the latest supported Python version for combining coverage to | |
# prevent parsing errors in older versions when looking at modern code. | |
- uses: "actions/setup-python@v5" | |
if: ${{ matrix.tox-prefix == 'coverage' }} | |
with: | |
python-version: "3.12" | |
# - name: "Upload coverage to Codecov" | |
# uses: "codecov/codecov-action@v5" | |
# if: ${{ matrix.tox-prefix == 'coverage' }} | |
# with: | |
# token: ${{ secrets.CODECOV_TOKEN }} | |
# files: .tox/coverage.xml | |
# env_vars: GITHUB_REF,GITHUB_COMMIT,GITHUB_USER,GITHUB_WORKFLOW | |
# fail_ci_if_error: true | |
# env: | |
# GITHUB_REF: ${{ github.ref }} | |
# GITHUB_COMMIT: ${{ github.sha }} | |
# GITHUB_USER: ${{ github.actor }} | |
# GITHUB_WORKFLOW: ${{ github.workflow }} |