Adjust role session name #38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- "v*" | |
pull_request: | |
branches: | |
- main | |
schedule: | |
# <minute [0,59]> <hour [0,23]> <day of the month [1,31]> | |
# <month of the year [1,12]> <day of the week [0,6]> | |
# https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07 | |
# Run every Monday at 10:24:00 PST | |
# (Since these CRONs are used by a lot of people - | |
# let's be nice to the servers and schedule it _not_ on the hour) | |
- cron: "24 18 * * 1" | |
workflow_dispatch: | |
jobs: | |
# Check that all files listed in manifest make it into build | |
check-manifest: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: "3.x" | |
- run: pip install check-manifest && check-manifest | |
# Check tests pass on multiple Python and OS combinations | |
test: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
python-version: [3.9, "3.10", 3.11] | |
os: [ubuntu-latest, macOS-latest, windows-latest] | |
env: | |
BUCKET_NAME : "bioio-dev-test-resources" | |
AWS_REGION : "us-west-2" | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: aws-actions/configure-aws-credentials@v3 | |
with: | |
role-to-assume: arn:aws:iam::978220035532:role/bioio_github | |
role-session-name: bioio-lif-${{ github.sha }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- uses: extractions/setup-just@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install Dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install .[test] | |
- uses: actions/cache@v3 | |
id: cache | |
with: | |
path: bioio_lif/tests/resources | |
key: ${{ hashFiles('scripts/TEST_RESOURCES_HASH.txt') }} | |
- name: Download Test Resources | |
if: steps.cache.outputs.cache-hit != 'true' | |
run: | | |
python scripts/download_test_resources.py --debug | |
- name: Run Tests | |
run: just test | |
- name: Upload Codecov | |
uses: codecov/codecov-action@v3 | |
# Check linting, formating, types, etc. | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: "3.11" | |
- uses: extractions/setup-just@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install Dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install .[lint] | |
- name: Lint | |
run: just lint | |
# Publish to PyPI if test, lint, and manifest checks passed | |
publish: | |
if: "success() && startsWith(github.ref, 'refs/tags/')" | |
needs: [check-manifest, test, lint] | |
runs-on: ubuntu-latest | |
environment: release | |
permissions: | |
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: "3.11" | |
- name: Install Dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install build wheel | |
- name: Build Package | |
run: | | |
python -m build | |
- name: Publish to PyPI | |
uses: pypa/gh-action-pypi-publish@release/v1 | |
# GitHub does not provide a "all status checks must pass" option | |
# in branch protection settings. Instead, you have to specify exactly | |
# what status checks want to require to pass before merging. However, | |
# naming each individual check would be effectively impossible. | |
# Therefore, by creating this stage in every repo in the org we can | |
# require "Report Result" to pass before merging and this stage can | |
# represent the result of the other checks where it only passes if | |
# all the other checks pass. | |
results: | |
if: ${{ always() && github.event_name == 'pull_request' }} | |
needs: [check-manifest, test, lint] | |
runs-on: ubuntu-latest | |
name: Report Result | |
steps: | |
- run: exit 1 | |
# see https://stackoverflow.com/a/67532120/4907315 | |
if: >- | |
${{ | |
contains(needs.*.result, 'failure') | |
|| contains(needs.*.result, 'cancelled') | |
}} |