Upgrade quinn-proto version to fix security vulnerability #1240
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Continuous Integration | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| - "releases/*" | |
| jobs: | |
| # Build and test the project | |
| build-lint-test: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python: ["3.8", "3.12"] | |
| os: [ubuntu-latest, ubuntu-arm, macos-intel, macos-arm, windows-latest] | |
| include: | |
| - os: ubuntu-latest | |
| python: "3.12" | |
| docsTarget: true | |
| cloudTestTarget: true | |
| - os: ubuntu-latest | |
| python: "3.8" | |
| protoCheckTarget: true | |
| - os: ubuntu-arm | |
| runsOn: ubuntu-24.04-arm64-2-core | |
| - os: macos-intel | |
| runsOn: macos-12 | |
| - os: macos-arm | |
| runsOn: macos-14 | |
| # macOS ARM 3.8 does not have an available Python build at | |
| # https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json. | |
| # See https://github.com/actions/setup-python/issues/808 and | |
| # https://github.com/actions/python-versions/pull/259. | |
| exclude: | |
| - os: macos-arm | |
| python: "3.8" | |
| runs-on: ${{ matrix.runsOn || matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| with: | |
| workspaces: temporalio/bridge -> target | |
| - uses: actions/setup-python@v5 | |
| with: | |
| # Pinning due to failed Windows builds on 3.12.5 https://github.com/temporalio/sdk-python/issues/637 | |
| python-version: ${{ matrix.python == '3.12' && '3.12.4' || matrix.python }} | |
| - uses: arduino/setup-protoc@v3 | |
| with: | |
| # TODO(cretz): Can upgrade proto when https://github.com/arduino/setup-protoc/issues/99 fixed | |
| version: "23.x" | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| # Using fixed Poetry version until | |
| # https://github.com/python-poetry/poetry/issues/7611 and | |
| # https://github.com/python-poetry/poetry/pull/7694 are fixed | |
| - run: python -m pip install --upgrade wheel "poetry==1.3.2" poethepoet | |
| - run: poetry install --no-root --all-extras | |
| - run: poe lint | |
| - run: poe build-develop | |
| - run: mkdir junit-xml | |
| - run: poe test -s -o log_cli_level=DEBUG --junit-xml=junit-xml/${{ matrix.python }}--${{ matrix.os }}.xml | |
| # Time skipping doesn't yet support ARM | |
| - if: ${{ !endsWith(matrix.os, '-arm') }} | |
| run: poe test -s -o log_cli_level=DEBUG --workflow-environment time-skipping --junit-xml=junit-xml/${{ matrix.python }}--${{ matrix.os }}--time-skipping.xml | |
| # Check cloud if proper target and not on fork | |
| - if: ${{ matrix.cloudTestTarget && (github.event.pull_request.head.repo.full_name == '' || github.event.pull_request.head.repo.full_name == 'temporalio/sdk-python') }} | |
| run: poe test -s -o log_cli_level=DEBUG -k test_cloud_client --junit-xml=junit-xml/${{ matrix.python }}--${{ matrix.os }}--cloud.xml | |
| env: | |
| TEMPORAL_CLIENT_CLOUD_API_KEY: ${{ secrets.TEMPORAL_CLIENT_CLOUD_API_KEY }} | |
| TEMPORAL_CLIENT_CLOUD_API_VERSION: 2024-05-13-00 | |
| TEMPORAL_CLIENT_CLOUD_NAMESPACE: sdk-ci.a2dd6 | |
| - name: "Upload junit-xml artifacts" | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: junit-xml--${{github.run_id}}--${{github.run_attempt}}--${{ matrix.python }}--${{ matrix.os }} | |
| path: junit-xml | |
| retention-days: 14 | |
| # Confirm protos are already generated properly with older protobuf | |
| # library and run test with that older version. We must downgrade protobuf | |
| # so we can generate 3.x and 4.x compatible API. We have to use older | |
| # Python to run this check because the grpcio-tools version we use | |
| # is <= 3.10. | |
| - name: Check generated protos and test protobuf 3.x | |
| if: ${{ matrix.protoCheckTarget }} | |
| env: | |
| TEMPORAL_TEST_PROTO3: 1 | |
| run: | | |
| poetry add "protobuf<4" | |
| poe gen-protos | |
| poe format | |
| [[ -z $(git status --porcelain temporalio) ]] || (git diff temporalio; echo "Protos changed"; exit 1) | |
| poe test -s -o log_cli_level=DEBUG | |
| # Do docs stuff (only on one host) | |
| - name: Build API docs | |
| if: ${{ matrix.docsTarget }} | |
| run: poe gen-docs | |
| - name: Deploy prod API docs | |
| if: ${{ github.ref == 'refs/heads/main' && matrix.docsTarget }} | |
| run: npx vercel deploy build/apidocs -t ${{ secrets.VERCEL_TOKEN }} --name python --scope temporal --prod --yes | |
| # Confirm README ToC is generated properly | |
| - uses: actions/setup-node@v4 | |
| - name: Check generated README ToC | |
| if: ${{ matrix.docsTarget }} | |
| run: | | |
| npx doctoc README.md | |
| [[ -z $(git status --porcelain README.md) ]] || (git diff README.md; echo "README changed"; exit 1) | |
| # Runs the sdk features repo tests with this repo's current SDK code | |
| features-tests: | |
| uses: temporalio/features/.github/workflows/python.yaml@main | |
| with: | |
| python-repo-path: ${{github.event.pull_request.head.repo.full_name}} | |
| version: ${{github.event.pull_request.head.ref}} | |
| version-is-repo-ref: true | |
| features-repo-ref: python-update-updates |