Skip to content

Commit

Permalink
Thank you Doctor Zizmor!
Browse files Browse the repository at this point in the history
  • Loading branch information
hynek committed Oct 31, 2024
1 parent 0b36cd0 commit 071b5ad
Show file tree
Hide file tree
Showing 4 changed files with 74 additions and 24 deletions.
35 changes: 22 additions & 13 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,11 @@ name: CI
on:
push:
branches: [main]
tags: ["*"]
pull_request:
workflow_dispatch:

env:
FORCE_COLOR: "1" # Make tools pretty.
FORCE_COLOR: "1" # Make tools pretty.
PIP_DISABLE_PIP_VERSION_CHECK: "1"
PIP_NO_PYTHON_VERSION_WARNING: "1"

Expand Down Expand Up @@ -39,6 +38,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

- uses: hynek/build-and-inspect-python-package@v2
id: baipp
Expand All @@ -53,11 +53,16 @@ jobs:
name: Tests & Mypy API on ${{ matrix.python-version }}
runs-on: ubuntu-latest
needs: build-package

strategy:
fail-fast: false
matrix:
# Created by the build-and-inspect-python-package action above.
python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }}

env:
PYTHON: ${{ matrix.python-version }}

steps:
- name: Download pre-built packages
uses: actions/download-artifact@v4
Expand All @@ -75,10 +80,9 @@ jobs:

- name: Run tests
run: >
uvx --with tox-uv
tox run
uvx --with tox-uv tox run
--installpkg dist/*.whl
-f py$(echo ${{ matrix.python-version }} | tr -d .)
-f py${PYTHON//./}
- name: Upload coverage data
uses: actions/upload-artifact@v4
Expand All @@ -90,32 +94,35 @@ jobs:

- name: Check public API with Mypy
run: >
uvx --with tox-uv
tox run
uvx --with tox-uv tox run
--installpkg dist/*.whl
-e mypy-api
coverage:
name: Ensure 100% test coverage
needs: tests
runs-on: ubuntu-latest
needs: tests
if: always()

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version-file: .python-version-default
- uses: hynek/setup-cached-uv@v2

- uses: actions/download-artifact@v4
- name: Download coverage data
uses: actions/download-artifact@v4
with:
pattern: coverage-data-*
merge-multiple: true

- name: Combine coverage & fail if it's <100%
- name: Combine coverage and fail if it's <100%.
run: |
uv tool install coverage[toml]
uv tool install coverage
coverage combine
coverage html --skip-covered --skip-empty
Expand Down Expand Up @@ -166,6 +173,8 @@ jobs:

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-python@v5
with:
python-version-file: .python-version-default
Expand Down Expand Up @@ -208,10 +217,10 @@ jobs:

needs:
- coverage
- docs
- install-dev
- lint
- mypy-pkg
- docs
- install-dev

runs-on: ubuntu-latest

Expand Down
6 changes: 2 additions & 4 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,6 @@
name: CodeQL

on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "41 3 * * 6"

Expand All @@ -29,6 +25,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
Expand Down
20 changes: 13 additions & 7 deletions .github/workflows/pypi-package.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
name: Build & maybe upload PyPI package
name: Build & upload PyPI package

on:
push:
Expand All @@ -10,21 +10,21 @@ on:
- published
workflow_dispatch:

permissions:
attestations: write
contents: read
id-token: write

jobs:
# Always build & lint package.
build-package:
name: Build & verify package
runs-on: ubuntu-latest
permissions:
attestations: write
id-token: write

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false

- uses: hynek/build-and-inspect-python-package@v2
with:
Expand All @@ -34,10 +34,13 @@ jobs:
release-test-pypi:
name: Publish in-dev package to test.pypi.org
environment: release-test-pypi
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
if: github.repository_owner == 'pyca' && github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs: build-package

permissions:
id-token: write

steps:
- name: Download packages built by build-and-inspect-python-package
uses: actions/download-artifact@v4
Expand All @@ -54,10 +57,13 @@ jobs:
release-pypi:
name: Publish released package to pypi.org
environment: release-pypi
if: github.event.action == 'published'
if: github.repository_owner == 'pyca' && github.event.action == 'published'
runs-on: ubuntu-latest
needs: build-package

permissions:
id-token: write

steps:
- name: Download packages built by build-and-inspect-python-package
uses: actions/download-artifact@v4
Expand Down
37 changes: 37 additions & 0 deletions .github/workflows/zizmor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# https://github.com/woodruffw/zizmor
name: GitHub Actions Security Analysis with Zizmor

on:
push:
branches: ["main"]
pull_request:
branches: ["*"]

permissions:
contents: read

jobs:
zizmor:
name: Zizmor latest via Cargo
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Setup Rust
uses: actions-rust-lang/setup-rust-toolchain@v1
- name: Get zizmor
run: cargo install zizmor
- name: Run zizmor
run: zizmor --format sarif . > results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif
# Optional category for the results
# Used to differentiate multiple results for one commit
category: zizmor

0 comments on commit 071b5ad

Please sign in to comment.