Bump step-security/harden-runner from 2.6.1 to 2.10.2 #2289
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Docs: https://docs.github.com/en/actions | |
name: CI/CD | |
on: | |
push: | |
branches: ["master"] | |
pull_request: | |
branches: ["master"] | |
jobs: | |
lint: | |
name: Linters | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: audit | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e lint --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/lint/*/python | |
- name: Run Linters | |
run: tox run -e lint | |
mypy: | |
name: Mypy (static type checker) | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: audit | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e mypy --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/mypy/*/python | |
- name: Run Mypy | |
run: tox run -e mypy | |
docs: | |
name: Build documentation | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: audit | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e docs --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/docs/*/python | |
- name: Build documentation | |
run: tox run -e docs | |
packaging: | |
name: Packaging | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: audit | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e packaging --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/packaging/*/python | |
- name: Check packaging | |
run: tox run -e packaging | |
unit: | |
name: "Py:${{ matrix.python-version }} - ${{ matrix.os }}" | |
needs: [lint, mypy, docs, packaging] | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 30 | |
continue-on-error: ${{ matrix.optional }} | |
strategy: | |
matrix: | |
os: ["ubuntu-latest"] | |
python-version: ["3.9", "3.10", "3.11", "pypy-3.9"] | |
tox-prefix: ["test"] | |
optional: [false] | |
include: | |
# Test Python 3.12 with coverage | |
- os: "ubuntu-latest" | |
python-version: "3.12" | |
optional: false | |
tox-prefix: "coverage" | |
# # Test Python 3.13 but allow it to fail | |
# - os: "ubuntu-latest" | |
# python-version: "3.13.0-rc.1" | |
# optional: true | |
# tox-prefix: "test" | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: audit | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 2 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Translate Python version to Tox environment | |
shell: python | |
run: | | |
from os import environ | |
from pathlib import Path | |
py = "${{ matrix.python-version }}" | |
py = "".join(py.split(".")[:2]) # Combine major/minor, toss rest | |
py = py.replace("pypy-", "py") # For Pypy: have a litte less py | |
env = f"${{ matrix.tox-prefix }}-py{py}" | |
print(f"TOX_ENV={env}") | |
p = Path(environ["GITHUB_ENV"]) | |
f = p.open(mode="a") | |
f.write(f"TOX_ENV={env}\n") | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e ${TOX_ENV} --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/${TOX_ENV}/*/python | |
- name: Run unit tests | |
run: tox run -e ${TOX_ENV} | |
- name: Upload Trial log artifact | |
if: ${{ failure() }} | |
uses: actions/upload-artifact@v3 | |
with: | |
name: trial | |
path: .tox/${TOX_ENV}/log/trial.log | |
# Use the latest supported Python version for combining coverage to | |
# prevent parsing errors in older versions when looking at modern code. | |
- uses: "actions/setup-python@v5" | |
if: ${{ matrix.tox-prefix == 'coverage' }} | |
with: | |
python-version: "3.12" | |
- name: "Upload coverage to Codecov" | |
uses: "codecov/[email protected]" | |
if: ${{ matrix.tox-prefix == 'coverage' }} | |
with: | |
files: .tox/coverage.xml | |
env_vars: GITHUB_REF,GITHUB_COMMIT,GITHUB_USER,GITHUB_WORKFLOW | |
fail_ci_if_error: true | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
GITHUB_REF: ${{ github.ref }} | |
GITHUB_COMMIT: ${{ github.sha }} | |
GITHUB_USER: ${{ github.actor }} | |
GITHUB_WORKFLOW: ${{ github.workflow }} |