Adopting grype security scan #3356
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: # cf. https://github.community/t/how-to-trigger-an-action-on-push-or-pull-request-but-not-both/16662 | |
push: | |
branches: | |
- master | |
pull_request: | |
branches: | |
- master | |
jobs: | |
test: | |
strategy: | |
matrix: | |
python-version: ['3.8', '3.9', '3.10', '3.11', '3.12'] | |
platform: [ubuntu-latest, windows-latest] | |
runs-on: ${{ matrix.platform }} | |
steps: | |
- name: Checkout ποΈ | |
uses: actions/checkout@v3 | |
- name: Set up Python ${{ matrix.python-version }} π§ | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Install system dependencies βοΈ | |
if: matrix.platform == 'ubuntu-latest' | |
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install ghostscript libjpeg-dev | |
- name: Install qpdf βοΈ | |
if: matrix.platform == 'ubuntu-latest' && matrix.python-version != '3.9' | |
# We run the unit tests WITHOUT qpdf for a single parallel execution / Python version: | |
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install qpdf | |
- name: Install Python dependencies βοΈ | |
run: | | |
python -m pip install --upgrade pip setuptools wheel | |
pip install --upgrade . -r test/requirements.txt -r docs/requirements.txt -r contributors/requirements.txt | |
- name: Statically checking code π | |
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest' | |
run: | | |
pylint fpdf test tutorial/tuto*.py | |
bandit -c .banditrc.yml -r contributors/ fpdf/ tutorial/ | |
semgrep scan --config auto --error --strict --exclude-rule=python.lang.security.insecure-hash-function.insecure-hash-function fpdf | |
- name: Scan current project | |
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest' | |
uses: anchore/scan-action@v3 | |
with: | |
path: "." | |
fail-build: true | |
- name: Ensure code has been autoformatted with black ποΈ | |
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest' | |
run: black --check . | |
- name: Checking all PDF samples β | |
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest' | |
run: | | |
# Using qpdf | |
find . -name '*.pdf' | xargs -n 1 sh -c 'qpdf --check --password=fpdf2 $0 || exit 255' | |
export PYTHONPATH=$PWD | |
# Using VeraPDF: | |
scripts/install-verapdf.sh | |
scripts/verapdf.py --process-all-test-pdf-files | |
scripts/verapdf.py --print-aggregated-report | |
# Using Datalogics PDF Checker: | |
scripts/install-pdfchecker.sh | |
scripts/pdfchecker.py --process-all-test-pdf-files | |
scripts/pdfchecker.py --print-aggregated-report | |
- name: Running tests β | |
env: | |
CHECK_EXEC_TIME: ${{ matrix.python-version == '3.9' && 'test-enabled' || '' }} | |
CHECK_RSS_MEMORY: ${{ matrix.python-version == '3.12' && 'test-enabled' || '' }} | |
run: | | |
# Ensuring there is no `generate=True` left remaining in calls to assert_pdf_equal: | |
grep -IRF generate=True test/ && exit 1 | |
# Executing all tests: | |
pytest -vv --trace-memory-usage | |
- name: Uploading coverage report to codecov.io β | |
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest' | |
run: bash <(curl -s https://codecov.io/bash) | |
- name: Generating HTML documentation ποΈ | |
# As build_contributors_html_page.py can hang due to GitHub rate-limiting, | |
# we only execute this on master for now. And it should always be executed for one Python version only. | |
if: github.ref == 'refs/heads/master' && matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest' | |
env: | |
# Needed by contributors/build_contributors_html_page.py: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
mkdir -p public/ | |
# Setting PDF manual version: | |
sed -i "s/author:.*/author: v$(python setup.py -V 2>/dev/null)/" mkdocs.yml | |
cp tutorial/notebook.ipynb docs/ | |
mkdocs build | |
pdoc --html -o public/ fpdf --config "git_link_template='https://github.com/py-pdf/fpdf2/blob/{commit}/{path}#L{start_line}-L{end_line}'" | |
scripts/add_pdoc_to_search_index.py | |
cd contributors/ && PYTHONUNBUFFERED=1 ./build_contributors_html_page.py py-pdf/fpdf2 | |
cp -t ../public/ contributors.html contributors-map-small.png | |
- name: Deploy documentation π | |
# GitHub Pages deployment should not be done for all Python versions, | |
# otherwise commits will conflict on the gh-pages branch: | |
if: github.ref == 'refs/heads/master' && matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest' | |
uses: peaceiris/actions-gh-pages@v3 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
publish_dir: public/ | |
publish: | |
if: github.ref == 'refs/heads/master' | |
runs-on: ubuntu-latest | |
environment: | |
name: pypi | |
url: https://pypi.org/p/fpdf2 | |
permissions: | |
# Trusted publishing configured there: https://pypi.org/manage/project/fpdf2/settings/publishing/ | |
id-token: write | |
steps: | |
- name: Checkout ποΈ | |
uses: actions/checkout@v3 | |
- name: Set up Python 3.12 π§ | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.12' | |
- name: Building distributions for Pypi ποΈ | |
id: build | |
run: | | |
echo Versions already released on Pypi: $(curl -Ls 'https://pypi.org/pypi/fpdf2/json' | jq -r '.releases|keys[]') | |
pip install --upgrade setuptools twine wheel . | |
echo Current code version: $(python setup.py -V) | |
# Checking if current code version has already been released: | |
if ! curl -Ls 'https://pypi.org/pypi/fpdf2/json' | jq -r '.releases|keys[]' | grep "^$(python setup.py -V)\$"; then echo publish=yes >> "$GITHUB_OUTPUT"; python setup.py sdist bdist_wheel; twine check dist/*; fi | |
- name: Publish package distributions to PyPI π | |
if: steps.build.outputs.publish == 'yes' | |
uses: pypa/gh-action-pypi-publish@release/v1 | |
# Doc: https://github.com/marketplace/actions/pypi-publish | |
with: | |
print-hash: true | |
- name: Generate & release sigstore signatures π | |
if: steps.build.outputs.publish == 'yes' | |
uses: sigstore/[email protected] | |
# Doc: https://github.com/marketplace/actions/gh-action-sigstore-python | |
with: | |
inputs: ./dist/*.tar.gz ./dist/*.whl | |
# For this setting to work, this pipeline should be triggered by a "release" event: | |
release-signing-artifacts: true |