Bump slsa-framework/slsa-github-generator from 1.10.0 to 2.0.0 #298
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI pipeline | |
on: | |
push: | |
branches: [ master, "release/*", "maintenance/*", "ci/*" ] | |
pull_request: | |
branches: [ master ] | |
workflow_call: | |
secrets: | |
CODECOV_TOKEN: | |
required: true | |
outputs: | |
hashes: | |
description: "Hashes of the artifacts that were built" | |
value: ${{ jobs.build.outputs.hashes }} | |
workflow_dispatch: {} | |
permissions: | |
actions: read | |
contents: read | |
env: | |
MAIN_PYTHON_VERSION: "3.10" | |
PDFTOPPM_PATH: /usr/bin/pdftoppm | |
IM_COMPARE_PATH: /usr/bin/compare | |
SOFTHSM2_CONF: /tmp/softhsm2.conf | |
SOFTHSM2_MODULE_PATH: /usr/lib/softhsm/libsofthsm2.so | |
CERTOMANCER_CONFIG_PATH: pyhanko_tests/data/crypto/certomancer.yml | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
outputs: | |
hashes: ${{ steps.artifact-hashes.outputs.hashes }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.MAIN_PYTHON_VERSION }} | |
- name: Install build tools | |
run: pip install --upgrade build setuptools pip wheel | |
- name: Build release artifacts | |
run: python -m build | |
- name: Record release artifact hashes | |
id: artifact-hashes | |
run: cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT" | |
- name: Upload dist artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: pyhanko-dist | |
path: dist/ | |
pytest-coverage: | |
runs-on: ubuntu-latest | |
needs: build | |
strategy: | |
matrix: | |
python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Download dist artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: pyhanko-dist | |
path: dist/ | |
- uses: ./.github/actions/test-job-setup | |
- name: Test with pytest | |
run: python -m pytest --cov=./ --cov-report=xml:python-${{ matrix.python-version }}-coverage.xml | |
env: | |
PKCS11_TEST_MODULE: ${{ env.SOFTHSM2_MODULE_PATH }} | |
- name: Stash coverage report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-${{ strategy.job-index }} | |
path: "*-coverage.xml" | |
live-integration-tests: | |
runs-on: ubuntu-latest | |
needs: build | |
strategy: | |
matrix: | |
python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Download dist artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: pyhanko-dist | |
path: dist/ | |
- uses: ./.github/actions/test-job-setup | |
with: | |
dependency-group: live-test | |
- name: Start Certomancer Animator daemon | |
run: | | |
certomancer --service-url-prefix http://localhost:9000 \ | |
--config "$CERTOMANCER_CONFIG_PATH" animate & | |
- name: Start CSC dummy server | |
run: | | |
certomancer-csc "$CERTOMANCER_CONFIG_PATH" 8999 2 & | |
- name: Test with pytest | |
run: | | |
python -m pytest --cov=./ --cov-report=xml:python-${{ matrix.python-version }}-live-coverage.xml \ | |
pyhanko_tests/with_live_certomancer.py \ | |
pyhanko_tests/with_live_csc_dummy.py | |
env: | |
LIVE_CERTOMANCER_HOST_URL: http://localhost:9000 | |
LIVE_CSC_SCAL2_HOST_URL: http://localhost:8999 | |
- name: Stash coverage report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-live-${{ strategy.job-index }} | |
path: "*-coverage.xml" | |
smoke-tests: | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.MAIN_PYTHON_VERSION }} | |
- name: Download dist artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: pyhanko-dist | |
path: dist/ | |
- uses: ./.github/actions/test-job-setup | |
with: | |
dependency-group: testing-basic | |
- name: Run smoke tests that should pass without optional dependencies | |
# We run a couple of the "bread and butter" test modules, and the full CLI test suite except for | |
# the PKCS#11 parts | |
run: | | |
python -m pytest \ | |
pyhanko_tests/test_signing.py pyhanko_tests/test_diff_analysis.py pyhanko_tests/test_crypt.py \ | |
pyhanko_tests/test_cms.py pyhanko_tests/cli_tests/*.py | |
codecov-upload: | |
permissions: | |
actions: write | |
contents: read | |
runs-on: ubuntu-latest | |
needs: [pytest-coverage,live-integration-tests] | |
steps: | |
# checkout necessary to ensure the uploaded report contains the correct paths | |
- uses: actions/checkout@v4 | |
- name: Retrieve coverage reports | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: coverage-* | |
path: ./reports/ | |
- name: Upload all coverage reports to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
directory: ./reports/ | |
flags: unittests | |
env_vars: OS,PYTHON | |
name: codecov-umbrella | |
- name: Clean up coverage reports | |
continue-on-error: true | |
uses: GeekyEggo/delete-artifact@v5 | |
with: | |
name: coverage-* |