use hashes for dependencies, use app for bumpversion commits (#381)
## Overview

Changes:

* Added support for Birdhouse Helper Bot (bumpversion)
* CI Actions and Python dependencies are now pinned to hashes
* Permissions have been set for all workflows
* Pinned `cf-xarray` below v0.9.3 (newer releases cause breakages)
* Reformatted and renamed `CHANGES.rst` to `CHANGELOG.rst`.
Zeitsperre authored Jul 23, 2024
2 parents 8b90cad + 8ffa459 commit 6f34139
Showing 13 changed files with 388 additions and 126 deletions.
48 changes: 27 additions & 21 deletions .github/workflows/bump-version-tag.yml
Expand Up @@ -10,6 +10,8 @@ on:
- .github/*/*.yml
- AUTHORS.rst
- CHANGES.rst
- CI/*.in
- CI/*.txt
- Dockerfile
- Makefile
- docker-compose.yml
Expand All @@ -18,6 +20,7 @@ on:
- docs/*/*.rst
- docs/Makefile
- docs/_static/*
- environment.yml
- environment-docs.yml
- finch/__version__.py
- requirements*.txt
Expand All @@ -33,44 +36,48 @@ jobs:
runs-on: ubuntu-latest
permissions:
actions: read
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
pypi.org:443
- uses: actions/checkout@v4
- name: Generate App Token
id: token_generator
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
with:
persist-credentials: false
- uses: actions/setup-python@v5
app-id: ${{ secrets.BIRDHOUSE_HELPER_BOT_ID }}
private-key: ${{ secrets.BIRDHOUSE_HELPER_BOT_KEY }}
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
token: ${{ steps.token_generator.outputs.token }}
- name: Set up Python3
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: "3.x"
- name: Config Commit Bot
run: |
git config --local user.email "bumpversion[bot]@ouranos.ca"
git config --local user.name "bumpversion[bot]"
- name: Import GPG Key
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
with:
gpg_private_key: ${{ secrets.BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD }}
git_user_signingkey: true
git_commit_gpgsign: true
trust_level: 5
- name: Current Version
run: |
CURRENT_VERSION="$(grep -E '__version__' finch/__version__.py | cut -d ' ' -f3)"
echo "current_version=${CURRENT_VERSION}"
echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_ENV
- name: Bump Version
if: ${{ github.event.inputs.tag == 'false' }}
- name: Install CI libraries
run: |
pip install bump-my-version
echo "running `bump-my-version bump --no-tag ${{ github.event.inputs.bumpversion }}`"
NEW_VERSION="$(grep -E '__version__' finch/__version__.py | cut -d ' ' -f3)"
echo "new_version=${NEW_VERSION}"
- name: Install bump-my-version
run: |
python -m pip install bump-my-version>=0.18.3
python -m pip install -r --require-hashes CI/requirements_ci.txt
- name: Conditional Bump
id: bump
run: |
if [[ ${{ env.CURRENT_VERSION }} =~ -dev(\.\d+)? ]]; then
echo "Development version (ends in 'dev(\.\d+)?'), bumping 'build' version"
Expand All @@ -79,12 +86,11 @@ jobs:
echo "Version is stable, bumping 'patch' version"
bump-my-version bump patch
fi
NEW_VERSION="$(grep -E '__version__' finch/__version__.py | cut -d ' ' -f3)"
NEW_VERSION="$(grep -E '__version__' finch/__version__.py | cut -d ' ' -f3)"
echo "new_version=${NEW_VERSION}"
echo "NEW_VERSION=${NEW_VERSION}" >> $GITHUB_ENV
- name: Push Changes
uses: ad-m/github-push-action@master
uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
with:
force: false
github_token: ${{ secrets.BUMPVERSION_TOKEN }}
branch: ${{ github.ref }}
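Review bot: The `Install bump-my-version` step is broken on both of its lines: in `python -m pip install bump-my-version>=0.18.3` the unquoted `>=0.18.3` is a shell redirection, so pip installs an unconstrained `bump-my-version` and its stdout lands in a file named `=0.18.3`; and in `python -m pip install -r --require-hashes CI/requirements_ci.txt` the `-r` option consumes `--require-hashes` as its file argument. The second line should read `python -m pip install --require-hashes -r CI/requirements_ci.txt` as main.yml already does, and the first line should be dropped if the hash-pinned requirements file carries bump-my-version (or the specifier quoted otherwise), since an unpinned install undercuts the hash pinning this commit introduces. Separately, the `Push Changes` step still authenticates with `secrets.BUMPVERSION_TOKEN` even though checkout now uses the App token from `token_generator`; if the App is meant to own the push, `github_token: ${{ steps.token_generator.outputs.token }}` would let the PAT be retired. The `on:` paths list at the top of this file begins above the first hunk.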
27 changes: 23 additions & 4 deletions .github/workflows/docker-testing.yml
Expand Up @@ -11,14 +11,32 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

permissions:
contents: read

jobs:
build:
name: Build and Test Docker image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/build-push-action@v6
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
auth.docker.io:443
conda.anaconda.org:443
github.com:443
production.cloudflare.docker.com:443
pypi.org:443
registry-1.docker.io:443
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
- name: Build Docker image (no push)
uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
with:
context: .
file: "Dockerfile"
Expand All @@ -27,7 +45,8 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max
push: false
- uses: addnab/docker-run-action@v3
- name: Run Docker image
uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
with:
image: localfinch:latest
options: -p 5000:5000
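Review bot: With `egress-policy: block`, the build job's allow-list includes `pypi.org:443` but not `files.pythonhosted.org:443`, and pip downloads wheels from the latter (pypi.org only serves the index), so any `pip install` during the image build or container run would be blocked; the bump-version-tag.yml allow-list in this same commit lists both. Whether the Dockerfile installs from PyPI cannot be confirmed from this hunk, but the presence of `pypi.org` suggests it does, in which case add `files.pythonhosted.org:443` under `allowed-endpoints`. The `Run Docker image` step pins `addnab/docker-run-action` to a SHA but labels it `# v3`, a floating major tag; recording the exact release tag the SHA corresponds to keeps the comment accurate and lets update tooling track it. The `cache-from`/`cache-to: type=gha` lines talk to the Actions cache service; presumably Harden Runner permits the runner's own service endpoints by default, but that is worth confirming in the first blocked run's log.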
6 changes: 3 additions & 3 deletions .github/workflows/label.yml
Expand Up @@ -21,10 +21,9 @@ permissions:

jobs:
label:
name: Label
runs-on: ubuntu-latest
permissions:
checks: write
contents: read
pull-requests: write
steps:
- name: Harden Runner
Expand All @@ -34,6 +33,7 @@ jobs:
egress-policy: block
allowed-endpoints: >
api.github.com:443
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
- name: Labeler
uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
36 changes: 24 additions & 12 deletions .github/workflows/main.yml
Expand Up @@ -11,21 +11,30 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

permissions:
contents: read

jobs:
lint:
name: Code linting
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Python${{ matrix.python-version }}
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: "3.8"
- name: Install flake8
python-version: "3.x"
- name: Install CI libraries
run: |
python -m pip install flake8
python -m pip install --require-hashes -r CI/requirements_ci.txt
- name: Run linting suite
run: |
flake8
python -m flake8
conda:
name: Build ⚙️ and test 🧪
Expand All @@ -38,19 +47,22 @@ jobs:
matrix:
python-version: ["3.8", "3.9", "3.10", "3.11"]
steps:
- uses: actions/checkout@v4
- name: Setup conda and environment
uses: mamba-org/setup-micromamba@v1
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
uses: mamba-org/setup-micromamba@f8b8a1e23a26f60a44c853292711bacfd3eac822 # v1.9.0
with:
cache-downloads: true
cache-environment: true
environment-file: environment.yml
create-args: >-
conda
python=${{ matrix.python-version }}
- name: Conda and Mamba versions
- name: Mamba version
run: |
conda --version
echo "micromamba: $(micromamba --version)"
- name: Install finch-wps
run: |
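Review bot: Both jobs in this workflow run Harden Runner with `egress-policy: audit`, which only logs outbound connections, while the other workflows touched by this commit use `block` with an explicit allow-list; the lint job installs only from the hash-pinned requirements file, so it can be switched to `egress-policy: block` now with `github.com:443`, `pypi.org:443` and `files.pythonhosted.org:443` (plus whatever setup-python's toolchain download shows in the audit log) under `allowed-endpoints`, and the conda job's list derived the same way. The lint job's step name `Set up Python${{ matrix.python-version }}` references a matrix that job does not define, so it renders as a bare `Set up Python`; name it `Set up Python3` or drop the expression. The conda job's `Install finch-wps` step and the steps after it continue past the end of this hunk.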
