Skip to content

CI: Restrict default permissions on GitHub Actions workflows #9032

CI: Restrict default permissions on GitHub Actions workflows

CI: Restrict default permissions on GitHub Actions workflows #9032

Workflow file for this run

---
name: pytest
on:
push:
branches:
- main
- releasebranch_*
pull_request:
permissions: {}
jobs:
pytest:
concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}-${{
matrix.os }}-${{ matrix.python-version }}
cancel-in-progress: true
strategy:
matrix:
os:
- ubuntu-22.04
python-version:
- '3.9'
- '3.12'
- '3.13'
fail-fast: true
runs-on: ${{ matrix.os }}
env:
FORCE_COLOR: 1 # for software including pip: https://force-color.org/
CLICOLOR_FORCE: 1 # for other software including ninja: https://bixense.com/clicolors/
PYTHONWARNINGS: always
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: ${{ matrix.python-version }}
cache: pip
allow-prereleases: true
- name: Install non-Python dependencies
run: |
sudo apt-get update -y
sudo apt-get install -y wget git gawk findutils
xargs -a <(awk '! /^ *(#|$)/' ".github/workflows/apt.txt") -r -- \
sudo apt-get install -y --no-install-recommends --no-install-suggests
- uses: rui314/setup-mold@8ec40be1d14871f7ce8fbf273c4b33f3ff75f1d1 # v1
- name: Install Python dependencies
run: |
python -m pip install --upgrade pip
pip install -r .github/workflows/python_requirements.txt
pip install -r .github/workflows/optional_requirements.txt
pip install pytest pytest-timeout pytest-github-actions-annotate-failures pytest-xdist pytest-cov
- name: Create installation directory
run: |
mkdir $HOME/install
- name: Set number of cores for compilation
run: |
echo "MAKEFLAGS=-j$(nproc)" >> $GITHUB_ENV
- name: Build
run: .github/workflows/build_${{ matrix.os }}.sh $HOME/install
- name: Add the bin directory to PATH
run: |
echo "$HOME/install/bin" >> $GITHUB_PATH
- name: Print installed versions
if: always()
run: .github/workflows/print_versions.sh
- name: Test executing of the grass command
run: .github/workflows/test_simple.sh
- name: Run pytest with multiple workers in parallel
run: |
export PYTHONPATH=`grass --config python_path`:$PYTHONPATH
export LD_LIBRARY_PATH=$(grass --config path)/lib:$LD_LIBRARY_PATH
export INITIAL_GISBASE="$(grass --config path)"
export INITIAL_PWD="${PWD}"
pytest --verbose --color=yes --durations=0 --durations-min=0.5 \
--numprocesses auto \
--cov \
--cov-context=test \
-ra . \
-m 'not needs_solo_run'
- name: Run pytest with a single worker (for tests marked with needs_solo_run)
run: |
export PYTHONPATH=`grass --config python_path`:$PYTHONPATH
export LD_LIBRARY_PATH=$(grass --config path)/lib:$LD_LIBRARY_PATH
export INITIAL_GISBASE="$(grass --config path)"
export INITIAL_PWD="${PWD}"
pytest --verbose --color=yes --durations=0 --durations-min=0.5 \
--cov \
--cov-context=test \
--cov-append \
-ra . \
-m 'needs_solo_run'
- name: Fix non-standard installed script paths in coverage data
run: |
export PYTHONPATH=`grass --config python_path`:$PYTHONPATH
export LD_LIBRARY_PATH=$(grass --config path)/lib:$LD_LIBRARY_PATH
export INITIAL_GISBASE="$(grass --config path)"
export INITIAL_PWD="${PWD}"
python utils/coverage_mapper.py
coverage combine
coverage html
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
with:
verbose: true
flags: pytest-python-${{ matrix.python-version }}
name: pytest-python-${{ matrix.python-version }}
token: ${{ secrets.CODECOV_TOKEN }}
- name: Make python-only code coverage test report available
if: ${{ !cancelled() }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: python-codecoverage-report-${{ matrix.os }}-${{ matrix.python-version }}
path: coverage_html_report
retention-days: 1
pytest-success:
name: pytest Result
needs:
- pytest
if: ${{ always() }}
uses: ./.github/workflows/verify-success.yml
with:
needs_context: ${{ toJson(needs) }}