CI: Restrict default permissions on GitHub Actions workflows #9032
Workflow file for this run
---
# Runs the pytest suite with coverage.
name: pytest

# Triggers: pushes to main and to release branches, plus pull requests.
on:
  push:
    branches:
      - main
      - 'releasebranch_*'
  pull_request:

# Workflow-wide default: GITHUB_TOKEN gets no scopes at all. A job that needs
# a scope must request it in its own job-level `permissions:` block.
permissions: {}
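jobs:
  # Builds the project from the checked-out ref, then runs pytest with
  # coverage for every OS / Python version combination in the matrix.
  pytest:
    # One concurrency group per workflow, ref and matrix cell. Pull requests
    # key on the head ref, so a new push cancels the previous run of that PR;
    # other events key on the commit SHA.
    concurrency:
      group: >-
        ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}-${{
        matrix.os }}-${{ matrix.python-version }}
      cancel-in-progress: true
    strategy:
      matrix:
        os:
          - ubuntu-22.04
        # Quoted so the versions stay strings ('3.10' would otherwise be 3.1).
        python-version:
          - '3.9'
          - '3.12'
          - '3.13'
      fail-fast: true
    runs-on: ${{ matrix.os }}
    env:
      FORCE_COLOR: 1 # for software including pip: https://force-color.org/
      CLICOLOR_FORCE: 1 # for other software including ninja: https://bixense.com/clicolors/
      PYTHONWARNINGS: always
    steps:
      # Every third-party action below is pinned to a full commit SHA; the
      # trailing comment records the tag that SHA corresponded to when pinned.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Later steps build and execute code from the checked-out ref, which
          # for pull_request runs is contributor-supplied. Do not leave the job
          # token in .git/config where that code could read it.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: pip
          allow-prereleases: true
      - name: Install non-Python dependencies
        # The awk filter drops blank lines and '#' comment lines from apt.txt
        # before the package names are handed to apt-get.
        run: |
          sudo apt-get update -y
          sudo apt-get install -y wget git gawk findutils
          xargs -a <(awk '! /^ *(#|$)/' ".github/workflows/apt.txt") -r -- \
              sudo apt-get install -y --no-install-recommends --no-install-suggests
      - uses: rui314/setup-mold@8ec40be1d14871f7ce8fbf273c4b33f3ff75f1d1 # v1
      - name: Install Python dependencies
        # NOTE(review): the pytest plugins on the last line are installed
        # without version pins, so each run resolves whatever is newest on the
        # package index.
        run: |
          python -m pip install --upgrade pip
          pip install -r .github/workflows/python_requirements.txt
          pip install -r .github/workflows/optional_requirements.txt
          pip install pytest pytest-timeout pytest-github-actions-annotate-failures pytest-xdist pytest-cov
      - name: Create installation directory
        run: |
          mkdir "$HOME/install"
      - name: Set number of cores for compilation
        run: |
          echo "MAKEFLAGS=-j$(nproc)" >> "$GITHUB_ENV"
      - name: Build
        # matrix.os is defined in this file, so the script name is not built
        # from event data.
        run: .github/workflows/build_${{ matrix.os }}.sh "$HOME/install"
      - name: Add the bin directory to PATH
        run: |
          echo "$HOME/install/bin" >> "$GITHUB_PATH"
      - name: Print installed versions
        if: always()
        run: .github/workflows/print_versions.sh
      - name: Test executing of the grass command
        run: .github/workflows/test_simple.sh
      - name: Run pytest with multiple workers in parallel
        run: |
          export PYTHONPATH="$(grass --config python_path):$PYTHONPATH"
          export LD_LIBRARY_PATH="$(grass --config path)/lib:$LD_LIBRARY_PATH"
          export INITIAL_GISBASE="$(grass --config path)"
          export INITIAL_PWD="${PWD}"
          pytest --verbose --color=yes --durations=0 --durations-min=0.5 \
            --numprocesses auto \
            --cov \
            --cov-context=test \
            -ra . \
            -m 'not needs_solo_run'
      - name: Run pytest with a single worker (for tests marked with needs_solo_run)
        # --cov-append adds to the coverage data of the parallel run above.
        run: |
          export PYTHONPATH="$(grass --config python_path):$PYTHONPATH"
          export LD_LIBRARY_PATH="$(grass --config path)/lib:$LD_LIBRARY_PATH"
          export INITIAL_GISBASE="$(grass --config path)"
          export INITIAL_PWD="${PWD}"
          pytest --verbose --color=yes --durations=0 --durations-min=0.5 \
            --cov \
            --cov-context=test \
            --cov-append \
            -ra . \
            -m 'needs_solo_run'
      - name: Fix non-standard installed script paths in coverage data
        run: |
          export PYTHONPATH="$(grass --config python_path):$PYTHONPATH"
          export LD_LIBRARY_PATH="$(grass --config path)/lib:$LD_LIBRARY_PATH"
          export INITIAL_GISBASE="$(grass --config path)"
          export INITIAL_PWD="${PWD}"
          python utils/coverage_mapper.py
          coverage combine
          coverage html
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
        with:
          verbose: true
          flags: pytest-python-${{ matrix.python-version }}
          name: pytest-python-${{ matrix.python-version }}
          # Repository secrets are not exposed to pull_request runs from
          # forks, so this expands to an empty string for those runs.
          token: ${{ secrets.CODECOV_TOKEN }}
      - name: Make python-only code coverage test report available
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: python-codecoverage-report-${{ matrix.os }}-${{ matrix.python-version }}
          # Only the generated HTML report is uploaded, not the workspace.
          path: coverage_html_report
          retention-days: 1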
pytest-success: | |
name: pytest Result | |
needs: | |
- pytest | |
if: ${{ always() }} | |
uses: ./.github/workflows/verify-success.yml | |
with: | |
needs_context: ${{ toJson(needs) }} |