
Security policy

Security policy #1417

Workflow file for this run

name: "xscen Testing Suite"

# Triggers: pushes to main (skipped when only the listed metadata/packaging
# files change) and every pull request.
on:
  push:
    branches: [main]
    paths-ignore:
      - .cruft.json
      - CHANGES.rst
      - README.rst
      - pyproject.toml
      - setup.cfg
      - setup.py
      - xscen/__init__.py
  pull_request:

concurrency:
  # One group per workflow + ref: a new push to the same branch cancels the
  # runs still in progress for it, except on main where every run completes.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

# Workflow-wide token scope: GITHUB_TOKEN gets read access to repository
# contents only. No job below declares its own `permissions`, so every step
# that receives the token receives this read-only one.
permissions:
  contents: read
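# Job graph: lint -> (test-pypi, test-conda) -> finish.
# NOTE(review): the source page rendered every `owner/action@vX.Y.Z` reference
# except harden-runner as an e-mail placeholder, so the action names below are
# restored from the surrounding inputs and the refs are marked
# <full-commit-sha>. Restore them pinned to a full commit SHA with the version
# in a trailing comment, the way the harden-runner step already is.
jobs:
  lint:
    name: Lint (Python${{ matrix.python-version }})
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version:
          - "3.x"
    steps:
      # Strictest runner profile in this workflow: sudo is disabled and
      # outbound traffic is blocked except to the three hosts listed.
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
      - uses: actions/checkout@<full-commit-sha> # ref lost in source page
      - uses: actions/setup-python@<full-commit-sha> # ref lost in source page
        with:
          python-version: "3.x"
      # tox is installed unpinned, so the version is whatever PyPI serves at
      # run time.
      - name: Install tox
        run: |
          python -m pip install tox
      - name: Run linting suite
        run: |
          python -m tox -e lint

  test-pypi:
    name: Test with Python${{ matrix.python-version }} (PyPI/tox)
    needs: lint
    runs-on: ubuntu-latest
    env:
      COVERALLS_PARALLEL: true
      COVERALLS_SERVICE_NAME: github
      esmf-version: 8.4.2
    strategy:
      matrix:
        include:
          - python-version: "3.9"
            tox-build: "py39-coveralls"
          - python-version: "3.10"
            tox-build: "py310-coveralls"
          - python-version: "3.11"
            tox-build: "py311-coveralls"
          # - python-version: "3.12"
          #   tox-build: "py312-esmpy-coveralls"
    defaults:
      run:
        shell: bash -l {0}
    steps:
      # Audit mode: unlike the lint job, no endpoint allow-list and no
      # disable-sudo are set here.
      # NOTE(review): consider moving to `egress-policy: block` with an
      # allow-list once the endpoints this job needs are known, since the
      # test step below runs with GITHUB_TOKEN in its environment.
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - uses: actions/checkout@<full-commit-sha> # ref lost in source page
      - name: Setup Conda (Micromamba) with Python ${{ matrix.python-version }}
        uses: mamba-org/setup-micromamba@<full-commit-sha> # ref lost in source page
        with:
          cache-downloads: true
          environment-name: xscen-pypi
          create-args: >-
            esmf=${{ env.esmf-version }}
            mamba
            python=${{ matrix.python-version }}
            tox
      # matrix.tox-build is expanded into the script text before bash runs it;
      # its values are the fixed strings from the matrix above.
      - name: Test with tox
        run: |
          python -m tox -e ${{ matrix.tox-build }}
        env:
          ESMF_VERSION: ${{ env.esmf-version }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COVERALLS_FLAG_NAME: run-Python${{ matrix.python-version }}
      # Disabled alternative: manual install/test/report steps.
      # NOTE(review): these reference matrix.esmf-version, which the matrix
      # above does not define (esmf-version is in the job-level env); fix
      # that before re-enabling.
      # - name: Compile language catalogs
      #   run: |
      #     make translate
      # - name: Install esmpy
      #   run: |
      #     pip install git+https://github.com/esmf-org/esmf.git@v${{ matrix.esmf-version }}#subdirectory=src/addon/esmpy
      # - name: Install xscen
      #   run: |
      #     pip install --editable ".[dev]"
      # - name: Check versions
      #   run: |
      #     pip list
      #     pip check
      # - name: Test with pytest
      #   run: |
      #     pytest tests
      # - name: Report coverage
      #   run: |
      #     coveralls
      #   env:
      #     ESMF_VERSION: ${{ matrix.esmf-version }}
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #     COVERALLS_FLAG_NAME: run-Python${{ matrix.python-version }}
      #     COVERALLS_PARALLEL: true
      #     COVERALLS_SERVICE_NAME: github

  test-conda:
    name: Test with Python${{ matrix.python-version }} (Anaconda)
    needs: lint
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.9", "3.10", "3.11"]
    defaults:
      run:
        shell: bash -l {0}
    steps:
      # Audit mode, as in test-pypi: no endpoint allow-list is set.
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - uses: actions/checkout@<full-commit-sha> # ref lost in source page
      - name: Setup Conda (Micromamba) with Python ${{ matrix.python-version }}
        uses: mamba-org/setup-micromamba@<full-commit-sha> # ref lost in source page
        with:
          cache-downloads: true
          environment-file: environment-dev.yml
          create-args: >-
            mamba
            python=${{ matrix.python-version }}
      - name: Downgrade intake-esm
        if: matrix.python-version == '3.9'
        run: |
          micromamba install -y -c conda-forge intake-esm=2023.11.10
      - name: Conda and Mamba versions
        run: |
          mamba --version
          echo "micromamba $(micromamba --version)"
      - name: Compile catalogs and install xscen
        run: |
          make translate
          python -m pip install --no-deps .
      # `|| true` makes `pip check` advisory: a reported dependency conflict
      # is printed but does not fail the job.
      - name: Check versions
        run: |
          conda list
          python -m pip check || true
      - name: Test with pytest
        run: |
          python -m pytest --cov xscen
      - name: Report coverage
        run: |
          python -m coveralls
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COVERALLS_FLAG_NAME: run-Python${{ matrix.python-version }}-conda
          COVERALLS_PARALLEL: true
          COVERALLS_SERVICE_NAME: github

  # Closes the parallel Coveralls build once both test jobs have finished.
  finish:
    needs:
      - test-pypi
      - test-conda
    runs-on: ubuntu-latest
    # The image tag and the coveralls package below are both resolved at run
    # time, and the step that uses them holds GITHUB_TOKEN. Pin the image by
    # digest and the package by version if that matters for this repository.
    container: python:3-slim
    steps:
      # Fixed: this input was spelled `gress-policy`, which the action does
      # not define, so the intended audit policy was never passed to it.
      # NOTE(review): this whole job runs inside a container. Confirm that
      # Harden-Runner monitors container jobs; its documentation is believed
      # to list them as a limitation, so verify before relying on it.
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit
      - name: Coveralls Finished
        run: |
          python -m pip install --upgrade coveralls
          python -m coveralls --finish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COVERALLS_SERVICE_NAME: github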