From b7c234973c1100ff57fd05e5a90bdf3b66dcd5cc Mon Sep 17 00:00:00 2001
From: Alyssa Coghlan
Date: Tue, 29 Oct 2024 11:58:16 +1000
Subject: [PATCH] Don't cache git credentials in workflows

Includes a small update to the launch modules in the sample project so the PR generation for output updates is tested with the updated workflow. Addresses initial manual workflow scan for #50
---
 .github/workflows/docs.yml | 2 ++
 .github/workflows/publish.yml | 2 ++
 .github/workflows/test.yml | 5 +++++
 .github/workflows/update-expected-output.yml | 3 +++
 tests/sample_project/launch_modules/scipy_client/cli.py | 7 +++++++
 tests/sample_project/launch_modules/scipy_import.py | 6 ++++++
 tests/sample_project/launch_modules/sklearn_import.py | 7 +++++++
 7 files changed, 32 insertions(+)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 9730b9a..066e238 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -31,6 +31,8 @@ jobs:
 # for latest versions if the standard actions start emitting warnings
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 # sphinx-action uses docker under the hood and doesn't play nice with the
 # dependency caching, so it may be better to switch to using `tox -e docs`
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b286532..e2f79f3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,6 +15,8 @@ jobs:
 id-token: write
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: pdm-project/setup-pdm@v4
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 57a5a95..73c891f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -48,6 +48,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Capture timestamp for debugging artifacts
 id: timestamp
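Review bot: In the `.github/workflows/publish.yml` hunk, the job that holds `id-token: write` still references `actions/checkout@v4` and the third-party `pdm-project/setup-pdm@v4` by mutable tag, so removing the persisted git token does not cover the case where a tag is re-pointed and the replaced action runs in the job that can request an OIDC token. Pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, for example `- uses: actions/checkout@<full-commit-sha>  # v4`, would close that gap. The same tag-only references appear in the docs.yml, test.yml and update-expected-output.yml hunks. A short comment above each new `with:` block, such as `# No later step makes authenticated git calls, so keep the token out of .git/config`, would also record why the setting is safe for that job, which the visible lines do not establish.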
@@ -149,6 +151,9 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
 - uses: actions/setup-python@v5
 with:
 # Use latest Python, so it understands all syntax.
diff --git a/.github/workflows/update-expected-output.yml b/.github/workflows/update-expected-output.yml
index fda9fcf..89cce83 100644
--- a/.github/workflows/update-expected-output.yml
+++ b/.github/workflows/update-expected-output.yml
@@ -65,6 +65,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v5
@@ -183,6 +185,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ github.head_ref }}
+ persist-credentials: false
 - name: Download all updated output files
 uses: actions/download-artifact@v4
diff --git a/tests/sample_project/launch_modules/scipy_client/cli.py b/tests/sample_project/launch_modules/scipy_client/cli.py
index a48054b..2274de6 100644
--- a/tests/sample_project/launch_modules/scipy_client/cli.py
+++ b/tests/sample_project/launch_modules/scipy_client/cli.py
@@ -1,5 +1,6 @@
 """Sample CLI helper module importing scipy and httpx"""
+import numpy
 import scipy
 import httpx
@@ -11,4 +12,10 @@ def main():
 for disallowed in ("pip", "sklearn"):
 if find_spec(disallowed):
 raise RuntimeError(f"Should not be able to import {disallowed!r}!")
+
+ for module in (numpy, scipy, httpx):
+ # This is just here to allow the launch modules to pass lint checks
+ assert module.__spec__ is not None
+ assert find_spec(module.__spec__.name) is not None
+
 print("Environment launch module executed successfully")
diff --git a/tests/sample_project/launch_modules/scipy_import.py b/tests/sample_project/launch_modules/scipy_import.py
index 17ae63d..0a8c190 100644
--- a/tests/sample_project/launch_modules/scipy_import.py
+++ b/tests/sample_project/launch_modules/scipy_import.py
@@ -1,5 +1,6 @@
 """Sample launch module importing scipy"""
+import numpy
 import scipy
 if __name__ == "__main__":
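Review bot: The checkout with `ref: ${{ github.head_ref }}` in the second `.github/workflows/update-expected-output.yml` hunk now leaves no token in `.git/config`, and the hunk does not show how the later steps of this job authenticate when the downloaded output files are committed back. If the pull request step (outside the hunk) passes its own token, that is worth recording next to the setting, for example `# PR creation step supplies its own token; nothing here relies on persisted credentials`. `github.head_ref` is only populated for pull-request-triggered runs, so if this job can start from any other trigger the `ref` is empty and the action falls back to its default ref; the `on:` block is outside the hunk, so that needs confirming there.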
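Review bot: The second assert in the loop added to `main()` in `scipy_client/cli.py` cannot fail once the first has passed, because (assuming `find_spec` here is `importlib.util.find_spec`) it returns `sys.modules[name].__spec__` for a module that is already imported. Both asserts are also stripped under `python -O`, unlike the `raise RuntimeError` used by the disallowed-import check directly above them. If the loop is meant to verify the environment rather than only silence the unused-import lint, use `if module.__spec__ is None:` followed by `raise RuntimeError(f"{module.__name__!r} has no import spec")` and drop the `find_spec` line; otherwise have the comment say that the loop exists only to reference the imports. The same loop is added in `scipy_import.py` and `sklearn_import.py`, and `main()` begins outside this hunk.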
@@ -10,4 +11,9 @@
 if find_spec(disallowed):
 raise RuntimeError(f"Should not be able to import {disallowed!r}!")
+ for module in (numpy, scipy):
+ # This is just here to allow the launch modules to pass lint checks
+ assert module.__spec__ is not None
+ assert find_spec(module.__spec__.name) is not None
+
 print("Environment launch module executed successfully")
diff --git a/tests/sample_project/launch_modules/sklearn_import.py b/tests/sample_project/launch_modules/sklearn_import.py
index 2196c19..510919a 100644
--- a/tests/sample_project/launch_modules/sklearn_import.py
+++ b/tests/sample_project/launch_modules/sklearn_import.py
@@ -1,5 +1,7 @@
 """Sample launch module importing sklearn"""
+import numpy
+import scipy
 import sklearn
 if __name__ == "__main__":
@@ -10,4 +12,9 @@
 if find_spec(disallowed):
 raise RuntimeError(f"Should not be able to import {disallowed!r}!")
+ for module in (numpy, scipy, sklearn):
+ # This is just here to allow the launch modules to pass lint checks
+ assert module.__spec__ is not None
+ assert find_spec(module.__spec__.name) is not None
+
 print("Environment launch module executed successfully")