forked from reingart/pyfpdf
-
Notifications
You must be signed in to change notification settings - Fork 253
138 lines (136 loc) Β· 6.61 KB
/
continuous-integration-workflow.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
name: build
on: # cf. https://github.community/t/how-to-trigger-an-action-on-push-or-pull-request-but-not-both/16662
push:
branches:
- master
pull_request:
branches:
- master
jobs:
test:
strategy:
matrix:
python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
platform: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout ποΈ
uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }} π§
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
- name: Install system dependencies βοΈ
if: matrix.platform == 'ubuntu-latest'
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install ghostscript libjpeg-dev
- name: Install qpdf βοΈ
if: matrix.platform == 'ubuntu-latest' && matrix.python-version != '3.9'
# We run the unit tests WITHOUT qpdf for a single parallel execution / Python version:
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install qpdf
- name: Install Python dependencies βοΈ
run: |
python -m pip install --upgrade pip setuptools wheel
pip install --upgrade . -r test/requirements.txt -r docs/requirements.txt -r contributors/requirements.txt
- name: Statically checking code π
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest'
run: |
pip install --upgrade . -r test/linters-requirements.txt
black --check .
pylint fpdf test tutorial/tuto*.py
bandit -c .banditrc.yml -r contributors/ fpdf/ tutorial/
semgrep scan --config auto --error --strict --exclude-rule=python.lang.security.insecure-hash-function.insecure-hash-function fpdf
- name: Scan current project
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest'
uses: anchore/scan-action@v3
with:
path: "."
fail-build: true
- name: Checking all PDF samples β
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest'
run: |
# Using qpdf
find . -name '*.pdf' | xargs -n 1 sh -c 'qpdf --check --password=fpdf2 $0 || exit 255'
export PYTHONPATH=$PWD
# Using VeraPDF:
scripts/install-verapdf.sh
scripts/verapdf.py --process-all-test-pdf-files
scripts/verapdf.py --print-aggregated-report
# Using Datalogics PDF Checker:
scripts/install-pdfchecker.sh
scripts/pdfchecker.py --process-all-test-pdf-files
scripts/pdfchecker.py --print-aggregated-report
- name: Running tests β
env:
CHECK_EXEC_TIME: ${{ matrix.python-version == '3.9' && 'test-enabled' || '' }}
CHECK_RSS_MEMORY: ${{ matrix.python-version == '3.12' && 'test-enabled' || '' }}
run: |
# Ensuring there is no `generate=True` left remaining in calls to assert_pdf_equal:
grep -IRF generate=True test/ && exit 1
# Executing all tests:
pytest -vv --trace-memory-usage
- name: Uploading coverage report to codecov.io β
if: matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest'
run: bash <(curl -s https://codecov.io/bash)
- name: Generating HTML documentation ποΈ
# As build_contributors_html_page.py can hang due to GitHub rate-limiting,
# we only execute this on master for now. And it should always be executed for one Python version only.
if: github.ref == 'refs/heads/master' && matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest'
env:
# Needed by contributors/build_contributors_html_page.py:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
mkdir -p public/
# Setting PDF manual version:
sed -i "s/author:.*/author: v$(python setup.py -V 2>/dev/null)/" mkdocs.yml
cp tutorial/notebook.ipynb docs/
mkdocs build
pdoc --html -o public/ fpdf --config "git_link_template='https://github.com/py-pdf/fpdf2/blob/{commit}/{path}#L{start_line}-L{end_line}'"
scripts/add_pdoc_to_search_index.py
cd contributors/ && PYTHONUNBUFFERED=1 ./build_contributors_html_page.py py-pdf/fpdf2
cp -t ../public/ contributors.html contributors-map-small.png
- name: Deploy documentation π
# GitHub Pages deployment should not be done for all Python versions,
# otherwise commits will conflict on the gh-pages branch:
if: github.ref == 'refs/heads/master' && matrix.python-version == '3.12' && matrix.platform == 'ubuntu-latest'
uses: peaceiris/actions-gh-pages@v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: public/
publish:
if: github.ref == 'refs/heads/master'
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/fpdf2
permissions:
# Trusted publishing configured there: https://pypi.org/manage/project/fpdf2/settings/publishing/
id-token: write
steps:
- name: Checkout ποΈ
uses: actions/checkout@v3
- name: Set up Python 3.12 π§
uses: actions/setup-python@v4
with:
python-version: '3.12'
- name: Building distributions for Pypi ποΈ
id: build
run: |
echo Versions already released on Pypi: $(curl -Ls 'https://pypi.org/pypi/fpdf2/json' | jq -r '.releases|keys[]')
pip install --upgrade setuptools twine wheel .
echo Current code version: $(python setup.py -V)
# Checking if current code version has already been released:
if ! curl -Ls 'https://pypi.org/pypi/fpdf2/json' | jq -r '.releases|keys[]' | grep "^$(python setup.py -V)\$"; then echo publish=yes >> "$GITHUB_OUTPUT"; python setup.py sdist bdist_wheel; twine check dist/*; fi
- name: Publish package distributions to PyPI π
if: steps.build.outputs.publish == 'yes'
uses: pypa/gh-action-pypi-publish@release/v1
# Doc: https://github.com/marketplace/actions/pypi-publish
with:
print-hash: true
- name: Generate & release sigstore signatures π
if: steps.build.outputs.publish == 'yes'
uses: sigstore/[email protected]
# Doc: https://github.com/marketplace/actions/gh-action-sigstore-python
with:
inputs: ./dist/*.tar.gz ./dist/*.whl
# For this setting to work, this pipeline should be triggered by a "release" event:
release-signing-artifacts: true