more auto local runner #26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Quality | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| inputs: | |
| push: | |
| description: Save the lock file? | |
| default: false | |
| type: boolean | |
| tag: | |
| description: Tag to push | |
| required: false | |
| type: string | |
| codescan: | |
| description: Perform code scan? | |
| default: true | |
| type: boolean | |
| workflow_call: | |
| inputs: | |
| push: | |
| description: Save the lock file? | |
| default: true | |
| type: boolean | |
| tag: | |
| description: Tag to push | |
| required: false | |
| type: string | |
| codescan: | |
| description: Perform code scan? | |
| default: true | |
| type: boolean | |
| secrets: | |
| PYPI_API_TOKEN: | |
| description: PyPi token | |
| required: true | |
| GH_APP_KEY: | |
| description: GitHub App private key | |
| required: true | |
| jobs: | |
| quality: | |
| name: Quality | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Setup | |
| id: setup | |
| uses: duplocloud/duploctl/.github/actions/setup@main | |
| with: | |
| ref: ${{ inputs.tag }} | |
| install: "--editable ." | |
| app-id: ${{ vars.GH_APP_ID }} | |
| private-key: ${{ secrets.GH_APP_KEY }} | |
| - name: Freeze Requirements | |
| run: pip freeze --exclude-editable > requirements.txt | |
| - name: Install Test Dependencies | |
| run: pip install .[test] | |
| - name: Pip Audit | |
| uses: pypa/[email protected] | |
| with: | |
| inputs: requirements.txt | |
| # do linting | |
| # stop the build if there are Python syntax errors or undefined names | |
| # ruff --format=github --select=E9,F63,F7,F82 --target-version=py37 . | |
| - name: Lint with ruff | |
| run: ruff check ./src | |
| # Now do codequality checks with CodeQL | |
| - name: Initialize CodeQL | |
| # if codescan is true or it is the default branch | |
| if: inputs.codescan || github.ref == 'refs/heads/main' | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: python | |
| build-mode: none | |
| # token: ${{ steps.setup.outputs.token }} | |
| - name: Perform CodeQL Analysis | |
| id: analysis | |
| if: inputs.codescan || github.ref == 'refs/heads/main' | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:python" | |
| # token: ${{ steps.setup.outputs.token }} | |
| - name: Save Lock File | |
| uses: actions/upload-artifact@v4 | |
| if: inputs.push | |
| with: | |
| name: requirements.lock | |
| path: requirements.txt | |
| - name: Save Sarif File | |
| if: inputs.push && (inputs.codescan || github.ref == 'refs/heads/main') | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sarif | |
| path: ${{ steps.analysis.outputs.sarif-output }} |