Thank you Doctor Zizmor! (#75) #185
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
workflow_dispatch: | |
env: | |
FORCE_COLOR: "1" # Make tools pretty. | |
PIP_DISABLE_PIP_VERSION_CHECK: "1" | |
PIP_NO_PYTHON_VERSION_WARNING: "1" | |
permissions: {} | |
jobs: | |
lint: | |
name: Run pre-commit | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
- uses: tox-dev/action-pre-commit-uv@v1 | |
build-package: | |
name: Build & verify package | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
- uses: hynek/build-and-inspect-python-package@v2 | |
id: baipp | |
outputs: | |
# Used to define the matrix for tests below. The value is based on | |
# packaging metadata (trove classifiers). | |
python-versions: ${{ steps.baipp.outputs.supported_python_classifiers_json_array }} | |
tests: | |
name: Tests & Mypy API on ${{ matrix.python-version }} | |
runs-on: ubuntu-latest | |
needs: build-package | |
strategy: | |
fail-fast: false | |
matrix: | |
# Created by the build-and-inspect-python-package action above. | |
python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }} | |
env: | |
PYTHON: ${{ matrix.python-version }} | |
steps: | |
- name: Download pre-built packages | |
uses: actions/download-artifact@v4 | |
with: | |
name: Packages | |
path: dist | |
- run: | | |
tar xf dist/*.tar.gz --strip-components=1 | |
rm -rf src | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
allow-prereleases: true | |
- uses: hynek/setup-cached-uv@v2 | |
- name: Run tests | |
run: > | |
uvx --with tox-uv tox run | |
--installpkg dist/*.whl | |
-f py${PYTHON//./} | |
- name: Upload coverage data | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-data-${{ matrix.python-version }} | |
path: .coverage.* | |
include-hidden-files: true | |
if-no-files-found: ignore | |
- name: Check public API with Mypy | |
run: > | |
uvx --with tox-uv tox run | |
--installpkg dist/*.whl | |
-e mypy-api | |
coverage: | |
name: Ensure 100% test coverage | |
runs-on: ubuntu-latest | |
needs: tests | |
if: always() | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
- uses: hynek/setup-cached-uv@v2 | |
- name: Download coverage data | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: coverage-data-* | |
merge-multiple: true | |
- name: Combine coverage and fail if it's <100%. | |
run: | | |
uv tool install coverage | |
coverage combine | |
coverage html --skip-covered --skip-empty | |
# Report and write to summary. | |
coverage report --format=markdown >> $GITHUB_STEP_SUMMARY | |
# Report again and fail if under 100%. | |
coverage report --fail-under=100 | |
- name: Upload HTML report if check failed. | |
uses: actions/upload-artifact@v4 | |
with: | |
name: html-report | |
path: htmlcov | |
if: ${{ failure() }} | |
mypy-pkg: | |
name: Mypy Codebase | |
runs-on: ubuntu-latest | |
needs: build-package | |
steps: | |
- name: Download pre-built packages | |
uses: actions/download-artifact@v4 | |
with: | |
name: Packages | |
path: dist | |
- run: tar xf dist/*.tar.gz --strip-components=1 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
- uses: hynek/setup-cached-uv@v2 | |
- run: > | |
uvx --with tox-uv | |
tox run -e mypy-pkg | |
install-dev: | |
strategy: | |
matrix: | |
os: [ubuntu-latest, windows-latest, macos-latest] | |
name: Verify dev env | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
cache: pip | |
- name: Install in dev mode & import | |
run: | | |
python -Im pip install -e .[dev] | |
python -Ic 'import service_identity; print(service_identity.__version__)' | |
python -Ic 'import service_identity.pyopenssl' | |
python -Ic 'import service_identity.cryptography' | |
docs: | |
name: Build docs & run doctests | |
needs: build-package | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download pre-built packages | |
uses: actions/download-artifact@v4 | |
with: | |
name: Packages | |
path: dist | |
- run: tar xf dist/*.tar.gz --strip-components=1 | |
- uses: actions/setup-python@v5 | |
with: | |
# Keep in sync with tox.ini/docs & .readthedocs.yaml | |
python-version: "3.12" | |
- uses: hynek/setup-cached-uv@v2 | |
- run: > | |
uvx --with tox-uv | |
tox run -e docs | |
required-checks-pass: | |
name: Ensure everything required is passing for branch protection | |
if: always() | |
needs: | |
- coverage | |
- lint | |
- mypy-pkg | |
- docs | |
- install-dev | |
runs-on: ubuntu-latest | |
steps: | |
- name: Decide whether the needed jobs succeeded or failed | |
uses: re-actors/alls-green@release/v1 | |
with: | |
jobs: ${{ toJSON(needs) }} |