Skip to content

Commit

Permalink
Harden CI
Browse files Browse the repository at this point in the history
  • Loading branch information
hynek committed Nov 2, 2024
1 parent 4580a74 commit 7657eff
Show file tree
Hide file tree
Showing 6 changed files with 74 additions and 14 deletions.
7 changes: 4 additions & 3 deletions .github/workflows/build-docset.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,20 +12,21 @@ env:

permissions: {}


jobs:
docset:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version: "3.x"
- uses: hynek/setup-cached-uv@v2

- run: python -Im pip install tox

- run: python -Im tox run -e docset
- run: uvx --with=tox-uv tox run -e docset

- uses: actions/upload-artifact@v4
with:
Expand Down
13 changes: 10 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ env:

permissions: {}


jobs:
build-package:
name: Build & verify package
Expand All @@ -25,6 +26,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

- uses: hynek/build-and-inspect-python-package@v2
id: baipp
Expand Down Expand Up @@ -59,8 +61,9 @@ jobs:
- uses: hynek/setup-cached-uv@v2

- name: Prepare tox
env:
V: ${{ matrix.python-version }}
run: |
V=${{ matrix.python-version }}
DO_MYPY=1
if [[ "$V" == "3.8" ]]; then
Expand All @@ -73,7 +76,7 @@ jobs:
- run: >
uvx --with=tox-uv
tox run
-e ${{ env.TOX_PYTHON }}-mypy
-e $TOX_PYTHON-mypy
if: env.DO_MYPY == '1'
- name: Remove src to ensure tests run against wheel
Expand All @@ -83,7 +86,7 @@ jobs:
uvx --with=tox-uv
tox run
--installpkg dist/*.whl
-e ${{ env.TOX_PYTHON }}-tests
-e $TOX_PYTHON-tests
- name: Upload coverage data
uses: actions/upload-artifact@v4
Expand Down Expand Up @@ -192,6 +195,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version-file: .python-version-default
Expand All @@ -205,6 +210,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version-file: .python-version-default
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,16 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@v3

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
7 changes: 4 additions & 3 deletions .github/workflows/codspeed.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,14 +31,15 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version-file: .python-version-default
cache: pip
- run: python -Im pip install tox-uv
- uses: hynek/setup-cached-uv@v2

- name: Run CodSpeed benchmarks
uses: CodSpeedHQ/action@v3
with:
token: ${{ secrets.CODSPEED_TOKEN }}
run: tox run -e codspeed
run: uvx --with tox-uv tox run -e codspeed
18 changes: 13 additions & 5 deletions .github/workflows/pypi-package.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
name: Build & maybe upload PyPI package
name: Build & upload PyPI package

on:
push:
Expand All @@ -10,26 +10,27 @@ on:
- published
workflow_dispatch:

permissions:
attestations: write
contents: read
id-token: write

jobs:
# Always build & lint package.
build-package:
name: Build & verify package
runs-on: ubuntu-latest
permissions:
attestations: write
id-token: write

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

- uses: hynek/build-and-inspect-python-package@v2
with:
attest-build-provenance-github: 'true'


# Upload to Test PyPI on every commit on main.
release-test-pypi:
name: Publish in-dev package to test.pypi.org
Expand All @@ -38,6 +39,9 @@ jobs:
runs-on: ubuntu-latest
needs: build-package

permissions:
id-token: write

steps:
- name: Download packages built by build-and-inspect-python-package
uses: actions/download-artifact@v4
Expand All @@ -51,6 +55,7 @@ jobs:
attestations: true
repository-url: https://test.pypi.org/legacy/


# Upload to real PyPI on GitHub Releases.
release-pypi:
name: Publish released package to pypi.org
Expand All @@ -59,6 +64,9 @@ jobs:
runs-on: ubuntu-latest
needs: build-package

permissions:
id-token: write

steps:
- name: Download packages built by build-and-inspect-python-package
uses: actions/download-artifact@v4
Expand Down
38 changes: 38 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# https://github.com/woodruffw/zizmor
name: Zizmor

on:
push:
branches: ["main"]
pull_request:
branches: ["*"]

permissions:
contents: read


jobs:
zizmor:
name: Zizmor latest via Cargo
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup Rust
uses: actions-rust-lang/setup-rust-toolchain@v1
- name: Get zizmor
run: cargo install zizmor
- name: Run zizmor
run: zizmor --format sarif . > results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif
# Optional category for the results
# Used to differentiate multiple results for one commit
category: zizmor

0 comments on commit 7657eff

Please sign in to comment.