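---
# CI workflow: test matrix across Python versions and OSes, coverage
# aggregation, package build verification and a dev-environment smoke test.
#
# Supply-chain note: every third-party action below is referenced by a
# mutable major tag (@v4, @v5, @v3, @v2). A tag can be moved to point at new
# code without any change in this file. For a stronger guarantee, pin each
# `uses:` to a full commit SHA (keeping the tag in a trailing comment) and let
# Dependabot/Renovate bump them.
name: CI
on:
  push:
    branches: ["main", "master", "ci-testing-*"]
  pull_request:
    branches: ["main", "master"]
  schedule:
    - cron: "0 6 * * MON" # Every Monday morning
  workflow_dispatch:

# Least privilege for the automatic GITHUB_TOKEN: none of the jobs below push,
# comment, release or write to the repository, so read access to the contents
# is all they need. Without this block the token gets the repository's default
# (often write) scopes. Artifact upload/download uses the runtime token, not
# GITHUB_TOKEN, and is unaffected.
permissions:
  contents: read

jobs:
  tests:
    name: "Python ${{ matrix.python-version }} / ${{ matrix.os }}"
    runs-on: "${{ matrix.os }}"
    env:
      USING_COVERAGE: "3.8,3.9,3.10,3.11,3.12"
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        # Quoted so YAML does not read 3.10 as the float 3.1.
        python-version:
          - "3.8"
          - "3.9"
          - "3.10"
          - "3.11"
          - "3.12"
          - "pypy3.9"
        exclude:
          - os: macos-latest
            python-version: pypy3.9
    steps:
      - uses: actions/checkout@v4
        with:
          # We want our tags here
          fetch-depth: 0
          # Do not leave the token in .git/config where later steps
          # (and anything they run) could read it.
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          allow-prereleases: true
      # NOTE(review): this installs whatever uv release is current at run
      # time; for reproducible builds consider pinning via the action's
      # `version:` input.
      - name: Install the latest version of uv
        id: setup-uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true
      - name: "Run tox targets for ${{ matrix.python-version }}"
        run: uvx --with tox-uv tox -e py
        # env:
        #   TOX_GH_MAJOR_MINOR: ${{ matrix.python-version }}
        # run: uvx --with tox-uv --with tox-gh tox
      - name: Upload coverage data
        uses: actions/upload-artifact@v4
        with:
          name: coverage-data-${{ matrix.python-version }}-${{ matrix.os }}
          path: ".coverage*"
          if-no-files-found: ignore
          # .coverage* files are dot-files; v4 skips them unless asked.
          include-hidden-files: true

  coverage:
    needs:
      - tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install the latest version of uv
        id: setup-uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true
      - name: Download coverage data
        uses: actions/download-artifact@v4
        with:
          pattern: coverage-data-*
          merge-multiple: true
      - name: Combine coverage
        run: |
          uvx --with coverage[toml] coverage combine
      # ignore-errors is so that we don't gag on missing code in .tox environments
      - name: Generate the HTML report
        run: uvx --with coverage[toml] coverage html --skip-covered --skip-empty --ignore-errors
      - name: Upload the HTML report
        uses: actions/upload-artifact@v4
        with:
          name: html-report
          path: htmlcov
      # ignore-errors is so that we don't gag on missing code in .tox environments
      - name: Enforce the coverage
        run: uvx --with coverage[toml] coverage report --ignore-errors --fail-under 95

  package:
    name: "Build & verify package"
    runs-on: "ubuntu-latest"
    steps:
      - uses: actions/checkout@v4
        with:
          # We want our tags here
          fetch-depth: 0
          persist-credentials: false
      - uses: hynek/build-and-inspect-python-package@v2

  install-dev:
    strategy:
      matrix:
        os: ["ubuntu-latest", "windows-latest", "macos-latest"]
    name: "Verify dev env / ${{ matrix.os }}"
    runs-on: "${{ matrix.os }}"
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install the latest version of uv
        id: setup-uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true
      - name: "Install in dev mode"
        run: |
          uv venv
          uv pip install -e .[dev]
      - name: "Import package"
        run: "uv run python -c 'import hamcrest; print(hamcrest.__version__)'"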