-
Notifications
You must be signed in to change notification settings - Fork 2
225 lines (195 loc) · 6.46 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
name: Continuous Integration
on:
push:
branches: [main, master]
pull_request:
jobs:
lints:
name: Run linters
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
checks: write
pull-requests: write
contents: read
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v2
with:
version: "0.4.20"
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.10"
- name: Cache pre-commit
uses: actions/cache@v3
with:
path: ~/.cache/pre-commit
key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
- name: Install Dependencies
run: source ./setup_dev_env.sh
- name: Run pre-commit checks
run: |
source .venv/bin/activate
pre-commit run --all-files --show-diff-on-failure --color always
- name: Run ruff formatter
run: uvx ruff format --check
- name: Run ruff linter
run: uvx ruff check
- name: Run mypy
run: uv run mypy .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2
with:
scan-type: "fs"
ignore-unfixed: true
exit-code: 0 # change if you want to fail build on vulnerabilities
severity: "CRITICAL,HIGH,MEDIUM"
format: "table"
output: "trivy-scanning-results.txt"
- name: Format trivy message
run: |
echo "Trivy scanning results." >> trivy.txt
cat trivy-scanning-results.txt >> trivy.txt
- name: Add trivy report to PR
uses: thollander/actions-comment-pull-request@v2
continue-on-error: true
if: ${{ github.event_name == 'pull_request' }}
with:
filePath: trivy.txt
reactions: ""
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
comment_tag: trivy
- name: Check licenses
run: |
source .venv/bin/activate
./check_licenses.sh
- name: Generate pip freeze
run: |
source .venv/bin/activate
pip freeze > requirements-freeze.txt
- name: Publish Artefacts
uses: actions/upload-artifact@v3
if: always()
continue-on-error: true
with:
name: results
path: |
requirements-freeze.txt
licenses.txt
trivy-scanning-results.txt
retention-days: 30
- name: Publish Test Report
uses: actions/upload-artifact@v3
if: always()
continue-on-error: true
with:
name: test-report
path: report.xml
retention-days: 10
- name: Validate package build
run: |
source .venv/bin/activate
for dir in packages/*/; do uv build "$dir" --out-dir dist; done
- name: Publish Package
uses: actions/upload-artifact@v3
continue-on-error: true
if: success()
with:
name: packages
path: dist/**
retention-days: 3
tests:
name: Run tests
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
checks: write
pull-requests: write
contents: write # required for advanced coverage reporting (to keep branch)
strategy:
fail-fast: false # do not stop all jobs if one fails
matrix:
python-version: ["3.10", "3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v2
with:
version: "0.4.20"
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
- name: Cache Dependencies
uses: actions/cache@v3
with:
path: ~/.cache/uv
key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install Dependencies
run: source ./setup_dev_env.sh
- name: Run Tests With Coverage
run: |
# run with coverage to not execute tests twice
source .venv/bin/activate
coverage run -m pytest -v -p no:warnings --junitxml=report.xml
coverage report
coverage xml
- name: Test Report
uses: mikepenz/action-junit-report@v4
continue-on-error: true
if: always()
with:
report_paths: 'report.xml'
- name: Publish Test Report
uses: actions/upload-artifact@v3
continue-on-error: true
if: always()
with:
name: test-report
path: report.xml
retention-days: 10
# simpler version for code coverage reporting
# - name: Produce Coverage report
# uses: 5monkeys/cobertura-action@v13
# continue-on-error: true
# with:
# path: coverage.xml
# minimum_coverage: 70
# fail_below_threshold: false
# more complex version for better coverage reporting
- name: Produce the coverage report
uses: insightsengineering/coverage-action@v2
continue-on-error: true
with:
# Path to the Cobertura XML report.
path: coverage.xml
# Minimum total coverage, if you want to the
# workflow to enforce it as a standard.
# This has no effect if the `fail` arg is set to `false`.
threshold: 60
# Fail the workflow if the minimum code coverage
# reuqirements are not satisfied.
fail: false
# Publish the rendered output as a PR comment
publish: true
# Create a coverage diff report.
diff: true
# Branch to diff against.
# Compare the current coverage to the coverage
# determined on this branch.
diff-branch: ${{ github.event.repository.default_branch }}
# make report togglable
togglable-report: true
# This is where the coverage reports for the
# `diff-branch` are stored.
# Branch is created if it doesn't already exist'.
diff-storage: _xml_coverage_reports
# A custom title that can be added to the code
# coverage summary in the PR comment.
coverage-summary-title: "Code Coverage Summary"