Skip to content

[StepSecurity] Apply security best practices #5696

[StepSecurity] Apply security best practices

[StepSecurity] Apply security best practices #5696

Workflow file for this run

name: xclim Testing Suite
on:
push:
branches:
- master
paths-ignore:
- CHANGES.rst
- README.rst
- pyproject.toml
- xclim/__init__.py
pull_request:
types:
- opened
- reopened
- synchronize
pull_request_review:
types:
- submitted
env:
XCLIM_TESTDATA_BRANCH: v2023.12.14
concurrency:
# For a given workflow, if we push to the same branch, cancel all previous builds on that branch except on master.
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
permissions:
contents: read
pull-requests: read
jobs:
lint:
name: Black (Python${{ matrix.python-version }})
runs-on: ubuntu-latest
if: |
((github.event_name == 'pull_request') && (github.event.action != 'labeled')) ||
(github.event.review.state == 'approved') ||
(github.event_name == 'push')
strategy:
matrix:
python-version:
- "3.8"
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
pypi.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Python${{ matrix.python-version }}
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: ${{ matrix.python-version }}
- name: Install pylint and tox
run: pip install pylint tox~=4.0
- name: Run pylint
run: |
python -m pylint --rcfile=pylintrc --disable=import-error --exit-zero xclim
- name: Run linting suite
run: |
python -m tox -e lint
test-py39:
name: test-${{ matrix.tox-env }} (Python${{ matrix.python-version }})
needs: lint
if: |
(github.event_name == 'pull_request') && !contains(github.event.pull_request.labels.*.name, 'approved')
runs-on: ubuntu-latest
strategy:
matrix:
include:
- tox-env: "py39" # "py39-coverage"
python-version: "3.9"
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
pypi.org:443
raw.githubusercontent.com:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Python${{ matrix.python-version }}
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: ${{ matrix.python-version }}
- name: Install tox
run: |
python -m pip install tox~=4.0
- name: Test with tox
run: |
python -m tox -e ${{ matrix.tox-env }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# COVERALLS_FLAG_NAME: run-{{ matrix.tox-env }}
# COVERALLS_SERVICE_NAME: github
test-pypi:
needs: lint
name: test-${{ matrix.tox-env }} (Python${{ matrix.python-version }})
if: |
contains(github.event.pull_request.labels.*.name, 'approved') ||
(github.event.review.state == 'approved') ||
(github.event_name == 'push')
runs-on: ubuntu-latest
strategy:
matrix:
include:
- tox-env: py38-coverage-eofs
python-version: "3.8"
markers: -m 'not slow'
- tox-env: py39-coverage-sbck-eofs
python-version: "3.9"
markers: -m 'not slow'
- tox-env: py310-coverage # No markers -- includes slow tests
python-version: "3.10"
- tox-env: py311-coverage-sbck
python-version: "3.11"
markers: -m 'not slow'
- tox-env: notebooks_doctests
python-version: "3.10"
- tox-env: offline-prefetch
python-version: "3.11"
markers: -m 'not slow and not requires_internet'
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: block
allowed-endpoints: >
api.github.com:443
azure.archive.ubuntu.com:80
coveralls.io:443
esm.ubuntu.com:443
files.pythonhosted.org:443
github.com:443
motd.ubuntu.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
pypi.org:443
raw.githubusercontent.com:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Eigen3
if: contains(matrix.tox-env, 'sbck')
run: |
sudo apt-get update
sudo apt-get install libeigen3-dev
- name: Set up Python${{ matrix.python-version }}
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: ${{ matrix.python-version }}
- name: Install tox
run: |
python -m pip install tox~=4.0
- name: Test with tox
run: |
python -m tox -e ${{ matrix.tox-env }} -- ${{ matrix.markers }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COVERALLS_FLAG_NAME: run-{{ matrix.tox-env }}
COVERALLS_PARALLEL: true
COVERALLS_SERVICE_NAME: github
test-conda:
needs: lint
name: test-conda-${{ matrix.tox-env }} (Python${{ matrix.python-version }})
if: |
contains(github.event.pull_request.labels.*.name, 'approved') ||
(github.event.review.state == 'approved') ||
(github.event_name == 'push')
runs-on: ubuntu-latest
strategy:
matrix:
include:
- tox-env: py310
python-version: "3.10"
defaults:
run:
shell: bash -l {0}
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
conda.anaconda.org:443
coveralls.io:443
dap.service.does.not.exist:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
raw.githubusercontent.com:443
repo.anaconda.com:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
uses: mamba-org/setup-micromamba@e820223f89c8720d6c740ca154a7adf32fcd278a # v1.7.3
with:
cache-downloads: true
cache-environment: true
environment-file: environment.yml
create-args: >-
conda
python=${{ matrix.python-version }}
- name: Conda and Mamba versions
run: |
conda --version
echo "micromamba: $(micromamba --version)"
- name: Install xclim
run: |
python -m pip install --no-user --editable .
- name: Check versions
run: |
conda list
xclim show_version_info
python -m pip check || true
- name: Test with pytest
run: |
python -m pytest --numprocesses=logical --durations=10 --cov=xclim --cov-report=term-missing
# - name: Install tox
# shell: bash -l {0}
# run: |
# mamba install -n xclim39 tox tox-conda
# - name: Test
# shell: bash -l {0}
# run: |
# conda activate xclim39
# tox -e opt-slow
# env:
# CONDA_EXE: mamba
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Report coverage
run: |
pip install --upgrade coveralls
coveralls
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COVERALLS_FLAG_NAME: run-{{ matrix.tox-env }}-opt-slow
COVERALLS_PARALLEL: true
COVERALLS_SERVICE_NAME: github
finish:
needs:
- test-pypi
- test-conda
runs-on: ubuntu-latest
container: python:3-slim
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Coveralls Finished
run: |
python -m pip install --upgrade coveralls
python -m coveralls --finish
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COVERALLS_SERVICE_NAME: github