diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index e728cd4b7..9c6065d49 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -36,6 +36,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Get changed Docker related files id: changed-files-specific diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index f673be00d..ae6e407d0 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -21,6 +21,9 @@ jobs: steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Login to GitHub Container Registry @@ -30,10 +33,13 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set tag for image + env: + REF_TYPE: ${{ github.ref_type }} + REF_NAME: ${{ github.ref_name }} run: >- echo IMAGE_TAG=$( - [ ${{ github.ref_type }} == 'tag' ] - && echo ${{ github.ref_name }} + [ $REF_TYPE == 'tag' ] + && echo $REF_NAME || echo 'latest' ) >> $GITHUB_ENV diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index 966d76211..872605850 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml @@ -10,6 +10,9 @@ on: - pre-commit-ci-update-config # pre-commit.ci always creates a PR pull_request: workflow_call: # a way to embed the main tests + secrets: + CODECOV_TOKEN: + required: true permissions: contents: read @@ -112,6 +115,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: >- Calculate Python interpreter version hash value for use in the cache key 
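Review bot: The rewritten "Set tag for image" test `[ $REF_TYPE == 'tag' ]` leaves both expansions unquoted and relies on the bash-only `==` inside single brackets, so the folded one-liner quietly depends on the runner's default shell. Git ref names cannot contain whitespace, so this is a robustness and portability point rather than an exploitable one, but the quoted form costs nothing: `[ "$REF_TYPE" = 'tag' ] && echo "$REF_NAME" || echo 'latest'`, and `>> "$GITHUB_ENV"` for the redirect. Moving `github.ref_type`/`github.ref_name` into `env:` is the right fix for the expression-injection risk; a short `# ref_name is attacker-influenced on PR events; only reaches the shell via env` comment would record why the step is shaped this way.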
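Review bot: Declaring `CODECOV_TOKEN` under `workflow_call.secrets` with `required: true` turns a missing secret into a hard failure at call time for every caller of ci-cd.yml, not only the scheduled-runs.yml caller this commit updates; any other `uses: ./.github/workflows/ci-cd.yml` reference outside this diff would need the same `secrets:` block or it will no longer start. If the Codecov upload already tolerates an empty token (it must on fork `pull_request` runs, where secrets are unavailable), `required: false` keeps the explicit-secret hardening without the new failure mode. A comment next to the declaration, `# forwarded to reusable-tox.yml via the codecov-token input`, would document where the secret flows, since the only visible consumer is the `codecov-token: ${{ secrets.CODECOV_TOKEN }}` line further down this file.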
@@ -208,6 +212,8 @@ jobs: ) - name: Set the target Git tag id: git-tag + env: + DIST_VERSION: ${{ steps.scm-version.outputs.dist-version }} run: | from os import environ from pathlib import Path @@ -218,13 +224,13 @@ jobs: mode=FILE_APPEND_MODE, ) as outputs_file: print( - "tag=v${{ - steps.scm-version.outputs.dist-version - }}", + f"tag=v{environ['DIST_VERSION'].removeprefix('v')}", file=outputs_file, ) - name: Set the expected dist artifact names id: artifact-name + env: + DIST_VERSION: ${{ steps.scm-version.outputs.dist-version }} run: | from os import environ from pathlib import Path @@ -238,15 +244,11 @@ jobs: mode=FILE_APPEND_MODE, ) as outputs_file: print( - f"sdist={sdist_file_prj_base_name !s}-${{ - steps.scm-version.outputs.dist-version - }}.tar.gz", + f"sdist={sdist_file_prj_base_name !s}-{environ['DIST_VERSION']}.tar.gz", file=outputs_file, ) print( - f"wheel={whl_file_prj_base_name !s}-${{ - steps.scm-version.outputs.dist-version - }}-py3-none-any.whl", + f"wheel={whl_file_prj_base_name !s}-{environ['DIST_VERSION']}-py3-none-any.whl", file=outputs_file, ) @@ -268,7 +270,8 @@ jobs: env: TOXENV: cleanup-dists,build-dists - + SDIST_ARTIFACT_NAME: ${{ needs.pre-setup.outputs.sdist-artifact-name }} + WHEEL_ARTIFACT_NAME: ${{ needs.pre-setup.outputs.wheel-artifact-name }} outputs: dists-base64-hash: ${{ steps.dist-hashes.outputs.combined-hash }} @@ -282,6 +285,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: >- Calculate Python interpreter version hash value 
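Review bot: `.removeprefix('v')` in the git-tag step is a behaviour change beyond moving the expression into `env:`: the old code always prefixed `v` to `dist-version`, whereas the new code first strips any existing `v`. The artifact-name step below interpolates `environ['DIST_VERSION']` verbatim, so a `dist-version` that ever begins with `v` would now produce a tag of `v1.2.3` but an sdist named `…-v1.2.3.tar.gz`; either apply the same normalisation in both steps or drop it here. `str.removeprefix` also requires Python 3.9 or newer, which presumably holds for the interpreter this job selects but is not visible in the hunk. A comment such as `# dist-version is expected without a leading 'v'; stripped defensively so the tag is never 'vv…'` would record the intent.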
@@ -357,19 +361,13 @@ jobs: --quiet - name: Verify that the artifacts with expected names got created run: >- - ls -1 - 'dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}' - 'dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}' + ls -1 "dist/${SDIST_ARTIFACT_NAME}" "dist/${WHEEL_ARTIFACT_NAME}" - name: Generate dist hashes to be used for provenance id: dist-hashes run: >- echo "combined-hash=$( - sha256sum - '${{ needs.pre-setup.outputs.sdist-artifact-name }}' - '${{ needs.pre-setup.outputs.wheel-artifact-name }}' - | base64 -w0 - )" - >> "${GITHUB_OUTPUT}" + sha256sum "$SDIST_ARTIFACT_NAME" "$WHEEL_ARTIFACT_NAME" | base64 -w0 + )" >> $GITHUB_OUTPUT working-directory: dist - name: Store the distribution packages uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 @@ -386,7 +384,7 @@ jobs: retention-days: 30 lint: - name: 🧹 Linters${{ '' }} # nest jobs under the same sidebar category + name: 🧹 Linters${{ '' }} # Group jobs in sidebar # zizmor: ignore[obfuscation] needs: - build - pre-setup # transitive, for accessing settings @@ -444,7 +442,7 @@ jobs: codecov-token: ${{ secrets.CODECOV_TOKEN }} tests: - name: 🧪 Tests${{ '' }} # nest jobs under the same sidebar category + name: 🧪 Tests${{ '' }} # Group jobs in sidebar # zizmor: ignore[obfuscation] needs: - build - pre-setup # transitive, for accessing settings diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 792199c09..fa105c1b8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,6 +44,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index a0fc2f821..b158f07aa 100644 --- a/.github/workflows/dependency-review.yml 
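Review bot: The rewritten dist-hashes step drops the quotes the original had around the redirect target, leaving `>> $GITHUB_OUTPUT` unquoted while the `ls` line just above quotes `"dist/${SDIST_ARTIFACT_NAME}"`; keep `>> "$GITHUB_OUTPUT"`, as this same commit does for `"$GITHUB_STEP_SUMMARY"` in reusable-tox.yml. The `ls -1` guard also still passes when either name expands to empty, because `ls "dist/"` lists the directory instead of failing; a `: "${SDIST_ARTIFACT_NAME:?unset}" "${WHEEL_ARTIFACT_NAME:?unset}"` line before it makes the provenance input fail closed. Since `combined-hash` feeds provenance, a comment stating the expected encoding, `# base64 of the raw sha256sum output; the consumer's expected format is defined outside this file`, would help the next reader.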
+++ b/.github/workflows/dependency-review.yml @@ -22,5 +22,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - name: Dependency Review uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 5c487ccf3..8c76ed8ba 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -1,7 +1,7 @@ name: Validate PR title on: - pull_request_target: + pull_request: types: - opened - edited diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index afad86b56..fbaa235ac 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml @@ -14,17 +14,20 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - run: >- git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* - name: Get changed files id: file_changes + env: + BASE_REF: ${{ github.base_ref }} + SHA: ${{ github.sha }} run: | - export DIFF=$(git diff --name-only origin/${{ github.base_ref }} ${{ - github.sha - }}) - echo "Diff between ${{ github.base_ref }} and ${{ github.sha }}" + export DIFF=$(git diff --name-only "origin/$BASE_REF" "$SHA") + echo "Diff between $BASE_REF and $SHA" echo "files=$( echo "$DIFF" | xargs echo )" >> $GITHUB_OUTPUT - name: Install shfmt 
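Review bot: Switching the trigger from `pull_request_target` to `pull_request` is the right hardening for a title check, but the steps that consume it lie outside this hunk, and on fork pull requests a `pull_request` run gets a read-only `GITHUB_TOKEN` and no repository secrets. If the validation step comments on the PR or relies on a PAT, it will now fail for external contributors; confirm it only reads the title, and drop any `pull-requests: write` permission the workflow may still declare. A comment above `on:`, `# pull_request (not _target): the title check needs no write token and must not run with base-repo secrets`, would discourage a future revert.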
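Review bot: `git diff --name-only "origin/$BASE_REF" "$SHA"` is now quoted correctly, but `github.base_ref` is only populated for pull-request events, so if this workflow is also triggered by `push` (its `on:` block is not visible here) the command degenerates to `git diff origin/ <sha>` and fails. Guarding with `: "${BASE_REF:?only pull_request events are supported}"` as the first line of the script makes that assumption explicit. The `files=` line still redirects with an unquoted `>> $GITHUB_OUTPUT`, unlike the step-summary redirect elsewhere in this commit; use `>> "$GITHUB_OUTPUT"`. Pre-existing but worth a comment: `xargs echo` collapses filenames containing whitespace into separate words.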
@@ -48,10 +51,11 @@ jobs: )" > hadolint && chmod +x hadolint && sudo mv hadolint /usr/bin/ - # Needed for pre-commit fix push to succeed + # Needed for pre-commit fix push to succeed - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} # Needed to trigger pre-commit workflow on autofix commit. Guide: # https://web.archive.org/web/20210731173012/https://github.community/t/required-check-is-expected-after-automated-push/187545/ diff --git a/.github/workflows/reusable-tox.yml b/.github/workflows/reusable-tox.yml index 748e97ccb..5ee1edba3 100644 --- a/.github/workflows/reusable-tox.yml +++ b/.github/workflows/reusable-tox.yml @@ -150,9 +150,10 @@ jobs: steps: - name: Export requested job-global environment variables if: inputs.environment-variables != '' + env: + INPUT_ENV_VARS: ${{ inputs.environment-variables }} run: >- - echo '${{ inputs.environment-variables }}' - >> "${GITHUB_ENV}" + echo "$INPUT_ENV_VARS" >> $GITHUB_ENV - name: >- Switch to using Python v${{ inputs.python-version }} @@ -170,6 +171,7 @@ jobs: contains(fromJSON('["pre-commit", "spellcheck-docs"]'), inputs.toxenv) uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: + persist-credentials: false ref: ${{ github.event.inputs.release-committish }} - name: Retrieve the project source from an sdist inside the GHA artifact if: >- 
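Review bot: Setting `persist-credentials: false` on the second checkout contradicts the comment directly above it, `# Needed for pre-commit fix push to succeed`: without the persisted token, a plain `git push` of the autofix commit in a later step (outside this hunk) will be rejected unless that step supplies its own credential. Either the push step already uses an explicit token, in which case update the comment to `# Re-checkout of the PR head for the autofix commit; the push step supplies its own token`, or this checkout needs to keep credentials and the job's write permission should be scoped to it. Checking out `github.event.pull_request.head.sha` is safe under `pull_request`, but the trigger is outside this hunk; if the workflow ever runs under `pull_request_target`, this checkout-of-head-plus-write pattern is exactly what zizmor will flag.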
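Review bot: `echo "$INPUT_ENV_VARS" >> $GITHUB_ENV` runs `echo` on caller-controlled text, so a value that begins with `-n` or `-e` is interpreted as an option by bash's builtin instead of being written verbatim; `printf '%s\n' "$INPUT_ENV_VARS" >> "$GITHUB_ENV"` writes it unchanged and restores the quoting the original had on the redirect. Moving the input into `env:` fixes the template injection, but appending an arbitrary multi-line blob to `GITHUB_ENV` still lets any caller set variables such as `PATH` or `LD_PRELOAD` for every later step in the job. A comment, `# caller-supplied KEY=VALUE lines; trusted exactly as far as the calling workflow is`, would document that boundary.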
@@ -273,18 +275,24 @@ jobs: - name: >- Pre-populate tox envs: `${{ env.TOXENV }}` - run: >- - python -Im - tox - --parallel auto - --parallel-live - --skip-missing-interpreters false - ${{ - inputs.built-wheel-names != '' - && format('--installpkg dist/{0}', inputs.built-wheel-names) - || '' - }} - --notest + shell: bash + env: + INPUT_BUILT_WHEEL_NAMES: ${{ inputs.built-wheel-names }} + run: |- + tox_common_args=( + --parallel auto + --parallel-live + --skip-missing-interpreters false + ) + if [[ $INPUT_BUILT_WHEEL_NAMES ]]; then + python -Im tox "${tox_common_args[@]}" \ + --installpkg "dist/$INPUT_BUILT_WHEEL_NAMES" \ + --notest + else + python -Im tox "${tox_common_args[@]}" \ + --notest + fi + - name: Initialize pre-commit envs if needed if: inputs.toxenv == 'pre-commit' run: >- @@ -301,19 +309,24 @@ jobs: - name: >- Run tox envs: `${{ env.TOXENV }}` id: tox-run - run: >- - python -Im - tox - --parallel auto - --parallel-live - --skip-missing-interpreters false - --skip-pkg-install - --quiet - ${{ - inputs.tox-run-posargs != '' - && format('-- {0}', inputs.tox-run-posargs) - || '' - }} + shell: bash + env: + INPUT_TOX_RUN_POSARGS: ${{ inputs.tox-run-posargs }} + run: |- + tox_common_args=( + --parallel auto + --parallel-live + --skip-missing-interpreters false + --skip-pkg-install + --quiet + ) + if [ -n "$INPUT_TOX_RUN_POSARGS" ]; then + python -Im tox "${tox_common_args[@]}" \ + -- "$INPUT_TOX_RUN_POSARGS" + else + python -Im tox "${tox_common_args[@]}" + fi + # Generate nice SVG image of passed/failed tests in GHA Job Summary - name: Produce markdown test summary from JUnit if: >- 
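Review bot: `--installpkg "dist/$INPUT_BUILT_WHEEL_NAMES"` now passes the whole input as one path, whereas the old `format('--installpkg dist/{0}', …)` was subject to shell word splitting; the plural input name suggests more than one wheel may be supplied, and if it ever is, the new form would look for a single file whose name contains a space. Confirm callers pass exactly one wheel, or split explicitly. The emptiness check is also written as `[[ $INPUT_BUILT_WHEEL_NAMES ]]` here but `[ -n "$INPUT_TOX_RUN_POSARGS" ]` in the run step below; pick one form, e.g. `if [[ -n $INPUT_BUILT_WHEEL_NAMES ]]; then`, so the two steps read alike. A `# tox_common_args is rebuilt per step on purpose: run steps do not share shell state` comment would pre-empt a well-meant refactor into a shared variable.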
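Review bot: Quoting `-- "$INPUT_TOX_RUN_POSARGS"` changes what tox receives: the old `format('-- {0}', …)` let the shell split the input into several positional arguments, while the new form hands tox exactly one argument containing the whole string, so a caller passing something like `-k smoke --maxfail=1` would reach the test runner as a single token. The rerun step later in this file keeps `$INPUT_TOX_RERUN_POSARGS` unquoted, so the two steps now disagree on semantics; which splitting callers rely on is not visible here. Splitting explicitly keeps the old behaviour without reintroducing template injection: `read -ra tox_posargs <<<"$INPUT_TOX_RUN_POSARGS"` followed by `python -Im tox "${tox_common_args[@]}" -- "${tox_posargs[@]}"` in the non-empty branch.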
@@ -352,13 +365,15 @@ jobs: && steps.tox-run.outputs.test-result-files == '' && steps.tox-run.outputs.codecov-flags != 'MyPy' run: >- - cat code-coverage-results.md >> "${GITHUB_STEP_SUMMARY}" + cat code-coverage-results.md >> "$GITHUB_STEP_SUMMARY" - name: Re-run the failing tests with maximum verbosity if: >- !cancelled() && failure() && inputs.tox-rerun-posargs != '' # `exit 1` makes sure that the job remains red with flaky runs + env: + INPUT_TOX_RERUN_POSARGS: ${{ inputs.tox-rerun-posargs }} run: >- python -Im tox @@ -368,7 +383,7 @@ jobs: -vvvvv --skip-pkg-install -- - ${{ inputs.tox-rerun-posargs }} + $INPUT_TOX_RERUN_POSARGS && exit 1 shell: bash - name: Send coverage data to Codecov diff --git a/.github/workflows/scheduled-runs.yml b/.github/workflows/scheduled-runs.yml index d8915c4b1..ba075e805 100644 --- a/.github/workflows/scheduled-runs.yml +++ b/.github/workflows/scheduled-runs.yml @@ -37,4 +37,5 @@ jobs: main-ci-cd-pipeline: name: ∞ Main CI/CD pipeline uses: ./.github/workflows/ci-cd.yml - secrets: inherit + secrets: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a519084c7..50c91499f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -47,6 +47,12 @@ repos: hooks: - id: gitleaks +# Github Action static analysis tool +- repo: https://github.com/woodruffw/zizmor-pre-commit + rev: v1.9.0 + hooks: + - id: zizmor + # Dockerfile - repo: https://github.com/hadolint/hadolint rev: v2.13.1-beta
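Review bot: `$INPUT_TOX_RERUN_POSARGS` is left unquoted in the rerun step, so besides the intended word splitting the shell also performs pathname expansion on it: a pattern such as `-k 'test_*'` would be matched against the working directory before tox sees it. Since this step already declares `shell: bash`, a `set -f` on the line before the `python -Im tox` command (or `read -ra` into an array, as suggested for the run step) removes the globbing while keeping the splitting. This is now the only tox invocation in the file whose quoting differs from the run step above; a comment `# intentionally unquoted: rerun posargs are a space-separated list` would record that the difference is deliberate.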
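Review bot: The new zizmor hook is pinned by tag (`rev: v1.9.0`) while every action in the workflows touched by this commit is pinned to a full commit SHA with the tag kept in a trailing comment; tags in a third-party hook repository are mutable, so pin the hook the same way, `rev: <full commit sha>  # v1.9.0`, to keep the supply-chain posture consistent. The comment above it spells the vendor as `Github`; the product name is `GitHub`. Because the pre-commit workflow in this same repository runs these hooks, the hook now gates CI, which is worth stating in the comment: `# GitHub Actions static analysis; runs in the pre-commit workflow, so findings block CI`.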