Bump step-security/harden-runner from 2.9.1 to 2.10.1 #7635
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Testing | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- CHANGELOG.rst | |
- README.rst | |
- pyproject.toml | |
- xclim/__init__.py | |
pull_request: | |
types: | |
- opened | |
- reopened | |
- synchronize | |
pull_request_review: | |
types: | |
- submitted | |
env: | |
XCLIM_TESTDATA_BRANCH: v2024.8.23 | |
concurrency: | |
# For a given workflow, if we push to the same branch, cancel all previous builds on that branch except on main. | |
group: "${{ github.workflow }}-${{ github.ref }}" | |
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} | |
permissions: | |
contents: read | |
pull-requests: read | |
jobs: | |
lint: | |
name: Lint (Python${{ matrix.python-version }}) | |
runs-on: ubuntu-latest | |
if: | | |
(github.event.action != 'labeled') || | |
(github.event.review.state == 'approved') || | |
(github.event_name == 'push') | |
strategy: | |
matrix: | |
python-version: | |
- "3.9" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
- name: Checkout Repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Set up Python${{ matrix.python-version }} | |
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Install CI libraries | |
run: | | |
python -m pip install --require-hashes -r CI/requirements_ci.txt | |
- name: Run pylint | |
run: | | |
python -m pylint --rcfile=.pylintrc.toml --disable=import-error --exit-zero xclim | |
- name: Run linting suite | |
run: | | |
python -m tox -e lint | |
test-preliminary: | |
name: Python${{ matrix.python-version }} (ubuntu-latest) | |
needs: lint | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
python-version: | |
- "3.9" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
dap.service.does.not.exist:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
raw.githubusercontent.com:443 | |
- name: Checkout Repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Set up Python${{ matrix.python-version }} | |
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Install CI libraries | |
run: | | |
python -m pip install --require-hashes -r CI/requirements_ci.txt | |
- name: Test with tox | |
run: | | |
python -m tox -- -m 'not slow' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
COVERALLS_PARALLEL: true | |
test-pypi: | |
needs: lint | |
name: Python${{ matrix.python-version }} (${{ matrix.os }}, ${{ matrix.tox-env }}) | |
if: | | |
contains(github.event.pull_request.labels.*.name, 'approved') || | |
(github.event.review.state == 'approved') || | |
(github.event_name == 'push') | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 20 | |
strategy: | |
matrix: | |
include: | |
# Linux builds | |
- os: ubuntu-latest | |
markers: -m 'not slow' | |
python-version: "3.10" | |
tox-env: standard | |
- os: ubuntu-latest | |
markers: -m 'not slow' | |
python-version: "3.11" | |
tox-env: standard | |
- os: ubuntu-latest | |
markers: -m 'not slow' | |
python-version: "3.12" | |
tox-env: standard | |
# Windows builds | |
- os: windows-latest | |
markers: -m 'not slow' | |
python-version: "3.9" | |
tox-env: py39-coverage-prefetch # Test data prefetch is needed for Windows | |
# macOS builds | |
- os: macos-latest | |
python-version: "3.10" | |
markers: '' # Slow tests | |
tox-env: py310-coverage-extras | |
# Specialized tests | |
- os: ubuntu-latest | |
markers: -m 'not requires_internet and not slow' | |
python-version: "3.9" | |
tox-env: py39-coverage-offline-prefetch | |
- os: ubuntu-latest | |
markers: '' | |
python-version: "3.10" | |
tox-env: notebooks | |
- os: ubuntu-latest | |
markers: '' | |
python-version: "3.12" | |
tox-env: doctests | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
azure.archive.ubuntu.com:80 | |
coveralls.io:443 | |
dap.service.does.not.exist:443 | |
esm.ubuntu.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
motd.ubuntu.com:443 | |
packages.microsoft.com:443 | |
ppa.launchpadcontent.net:443 | |
pypi.org:443 | |
raw.githubusercontent.com:443 | |
- name: Checkout Repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Install Eigen3 (SBCK) | |
if: ${{ matrix.python-version == '3.11' }} | |
run: | | |
sudo apt-get update | |
sudo apt-get install libeigen3-dev | |
- name: Set up Python${{ matrix.python-version }} | |
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Install CI libraries | |
run: | | |
python -m pip install --require-hashes -r CI/requirements_ci.txt | |
- name: Test with tox | |
if: ${{ matrix.tox-env == 'standard' }} | |
run: | | |
python -m tox -- ${{ matrix.markers }}; | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
COVERALLS_FLAG_NAME: run-${{ matrix.python-version }}-${{ matrix.os }}-${{ matrix.tox-env }} | |
COVERALLS_PARALLEL: true | |
- name: Test with tox (specialized tests) | |
if: ${{ matrix.tox-env != 'standard' }} | |
run: | | |
python -m tox -e ${{ matrix.tox-env }} -- ${{ matrix.markers }}; | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
COVERALLS_FLAG_NAME: run-${{ matrix.python-version }}-${{ matrix.os }}-${{ matrix.tox-env }} | |
COVERALLS_PARALLEL: true | |
test-conda: | |
needs: lint | |
name: Python${{ matrix.python-version }} (${{ matrix.os }}, conda) | |
if: | | |
contains(github.event.pull_request.labels.*.name, 'approved') || | |
(github.event.review.state == 'approved') || | |
(github.event_name == 'push') | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ ubuntu-latest ] | |
python-version: [ "3.9", "3.12" ] | |
defaults: | |
run: | |
shell: bash -l {0} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
conda.anaconda.org:443 | |
coveralls.io:443 | |
dap.service.does.not.exist:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pypi.org:443 | |
raw.githubusercontent.com:443 | |
repo.anaconda.com:443 | |
- name: Checkout Repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} | |
uses: mamba-org/setup-micromamba@f8b8a1e23a26f60a44c853292711bacfd3eac822 # v1.9.0 | |
with: | |
cache-downloads: true | |
cache-environment: true | |
environment-file: environment.yml | |
create-args: >- | |
python=${{ matrix.python-version }} | |
- name: Micromamba version | |
run: | | |
echo "micromamba: $(micromamba --version)" | |
- name: Install xclim | |
run: | | |
python -m pip install --no-user --editable . | |
- name: Check versions | |
run: | | |
micromamba list | |
xclim show_version_info | |
python -m pip check || true | |
- name: Test with pytest | |
run: | | |
python -m pytest --numprocesses=logical --durations=10 --cov=xclim --cov-report=term-missing | |
# - name: Install tox | |
# shell: bash -l {0} | |
# run: | | |
# mamba install -n xclim39 tox tox-conda | |
# - name: Test | |
# shell: bash -l {0} | |
# run: | | |
# conda activate xclim39 | |
# tox -e opt-slow | |
# env: | |
# CONDA_EXE: mamba | |
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Report coverage | |
run: | | |
coveralls | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
COVERALLS_FLAG_NAME: run-{{ matrix.python-version }}-conda | |
COVERALLS_PARALLEL: true | |
finish: | |
needs: | |
- test-preliminary | |
- test-pypi | |
- test-conda | |
runs-on: ubuntu-latest | |
container: python:3-slim | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
sparse-checkout: | | |
CI/requirements_ci.txt | |
- name: Install CI libraries | |
run: | | |
python -m pip install --require-hashes -r CI/requirements_ci.txt | |
- name: Coveralls finished | |
run: | | |
python -m coveralls --finish | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |