Skip to content

Commit

Permalink
Chore: Update DevOps tooling from central repository [skip ci]
Browse files Browse the repository at this point in the history
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
  • Loading branch information
ModeSevenIndustrialSolutions authored and github-actions[bot] committed Jul 29, 2024
1 parent f1db3d2 commit 1e882bf
Show file tree
Hide file tree
Showing 7 changed files with 174 additions and 58 deletions.
38 changes: 25 additions & 13 deletions .github/workflows/builds.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,22 +10,34 @@ on:
- "*"
- "!update-devops-tooling"

env:
package-path: "dist/"

jobs:
parse-project-metadata:
name: "Determine Python versions"
# yamllint disable-line rule:line-length
uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
get-python-versions:
name: "Validate Python project"
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}

steps:
- uses: actions/checkout@v4

test-builds:
name: "Build: Python"
needs: [parse-project-metadata]
- name: "Parse: pyproject.toml"
id: parse-project-metadata
# yamllint disable-line rule:line-length
uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main

builds:
name: "Python builds"
needs: [get-python-versions]
runs-on: "ubuntu-latest"
continue-on-error: true
# Don't run when pull request is merged
if: github.event.pull_request.merged == false
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}

steps:
- name: "Populate environment variables"
Expand Down Expand Up @@ -81,8 +93,8 @@ jobs:
python -m build
fi
- name: "Validating Artefacts with Twine"
run: |
echo "Validating artefacts with: twine check dist/*"
pip install --upgrade twine
twine check dist/*
- name: "Validate Artefacts with Twine"
id: twine-check-artefacts
env:
package-path: ${{ env.package-path }}
uses: os-climate/devops-reusable-workflows/.github/actions/twine-check-artefacts@main
83 changes: 83 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "🔐 CodeQL"

on:
push:
branches: [ "main", "gh-pages", "master" ]
pull_request:
branches: [ "main", "gh-pages", "master" ]
schedule:
- cron: '39 20 * * 6'

jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
# required for all workflows
security-events: write

# required to fetch internal or private CodeQL packs
packages: read

# only required for workflows in private repositories
actions: read
contents: read

strategy:
fail-fast: false
matrix:
include:
- language: python
build-mode: none
# CodeQL supports the following values keywords for 'language':
# 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'

steps:
- name: Checkout repository
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# If the analyze step fails for one of the languages you are analyzing with
# "We were unable to automatically build your code", modify the matrix above
# to set the build mode to "manual" for that language. Then modify this step
# to build your code.
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
2 changes: 1 addition & 1 deletion .github/workflows/notebooks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
needs: [validate-notebook-tests]
if: needs.validate-notebook-tests.outputs.proceed == 'true'
# yamllint disable-line rule:line-length
uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
uses: os-climate/devops-reusable-workflows/.github/workflows/python-versions-matrix.yaml@main

notebook-tests:
name: "Test Jupyter Notebooks"
Expand Down
45 changes: 23 additions & 22 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
@@ -1,17 +1,13 @@
---
name: "🐍📦 Production build and release"
name: "🐍📦 Old Production build and release"

# GitHub/PyPI trusted publisher documentation:
# https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

# yamllint disable-line rule:truthy
on:
# workflow_dispatch:
push:
# Only invoked on release tag pushes
branches:
- 'main'
- 'master'
tags:
- 'v*.*.*'

Expand All @@ -28,8 +24,9 @@ jobs:
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
permissions:
# IMPORTANT: mandatory for Sigstore
contents: write
id-token: write

steps:
### BUILDING ###

Expand All @@ -44,10 +41,20 @@ jobs:
- name: "Setup PDM for build commands"
uses: pdm-project/setup-pdm@v4

- name: "Fetch current semantic tag"
id: fetch-tags
# yamllint disable-line rule:line-length
uses: os-climate/devops-reusable-workflows/.github/actions/latest-semantic-tag@main

- name: "Update version from tags for production release"
run: |
echo "Github versioning: ${{ github.ref_name }}"
scripts/release-versioning.sh
echo "Github tag/versioning: ${{ github.ref_name }}"
if (grep 'dynamic = \[\"version\"\]' pyproject.toml > /dev/null); then
echo "Proceeding build with dynamic versioning"
else
echo "Using legacy script to bump release version"
scripts/release-versioning.sh
fi
- name: "Build with PDM backend"
run: |
Expand All @@ -56,7 +63,8 @@ jobs:
### SIGNING ###

- name: "Sign packages with Sigstore"
uses: sigstore/gh-action-sigstore-python@v2
# Use new action
uses: sigstore/[email protected]
with:
inputs: >-
./dist/*.tar.gz
Expand All @@ -72,8 +80,6 @@ jobs:

github:
name: "📦 Publish to GitHub"
# Only publish on tag pushes
if: startsWith(github.ref, 'refs/tags/')
needs:
- build
runs-on: ubuntu-latest
Expand All @@ -94,20 +100,17 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
prerelease: false
tag_name: ${{ github.ref_name }}
name: "Test/Development Build \
${{ github.ref_name }}"
name: ${{ github.ref_name }}"
# body_path: ${{ github.workspace }}/CHANGELOG.rst
files: |
dist/*.tar.gz
dist/*.whl
dist/*.sigstore
dist/*.sigstore*
### PUBLISH PYPI TEST ###

testpypi:
name: "📦 Publish to PyPi Test"
# Only publish on tag pushes
if: startsWith(github.ref, 'refs/tags/')
name: "📦 Test publishing to PyPI"
needs:
- build
runs-on: ubuntu-latest
Expand All @@ -128,9 +131,9 @@ jobs:
if [ -f dist/buildvars.txt ]; then
rm dist/buildvars.txt
fi
rm dist/*.sigstore
rm dist/*.sigstore*
- name: Publish distribution to Test PyPI
- name: "Test publishing to PyPI"
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
Expand All @@ -140,8 +143,6 @@ jobs:

pypi:
name: "📦 Publish to PyPi"
# Only publish on tag pushes
if: startsWith(github.ref, 'refs/tags/')
needs:
- testpypi
runs-on: ubuntu-latest
Expand All @@ -162,7 +163,7 @@ jobs:
if [ -f dist/buildvars.txt ]; then
rm dist/buildvars.txt
fi
rm dist/*.sigstore
rm dist/*.sigstore*
- name: "Setup PDM for build commands"
uses: pdm-project/setup-pdm@v4
Expand Down
26 changes: 17 additions & 9 deletions .github/workflows/security.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,21 +16,29 @@ on:
- "!update-devops-tooling"

jobs:
get-python-versions:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}

steps:
- uses: actions/checkout@v4

parse-project-metadata:
name: "Determine Python versions"
# yamllint disable-line rule:line-length
uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
- name: "Populate environment variables"
id: parse-project-metadata
# yamllint disable-line rule:line-length
uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main

build:
name: "Audit Python dependencies"
needs: [parse-project-metadata]
runs-on: ubuntu-latest
builds:
name: "Python builds"
needs: [get-python-versions]
runs-on: "ubuntu-latest"
continue-on-error: true
# Don't run when pull request is merged
if: github.event.pull_request.merged == false
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}

steps:
- name: "Checkout repository"
Expand Down
19 changes: 13 additions & 6 deletions .github/workflows/testing.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,21 +11,28 @@ on:
- "!update-devops-tooling"

jobs:
get-python-versions:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.parse-project-metadata.outputs.python-matrix-versions }}

steps:
- uses: actions/checkout@v4

parse-project-metadata:
name: "Determine Python versions"
# yamllint disable-line rule:line-length
uses: os-climate/devops-reusable-workflows/.github/workflows/pyproject-toml-fetch-matrix.yaml@main
- name: "Populate environment variables"
id: parse-project-metadata
# yamllint disable-line rule:line-length
uses: os-climate/devops-reusable-workflows/.github/actions/python-versions-matrix@main

testing:
name: "Run unit tests"
needs: [parse-project-metadata]
needs: [get-python-versions]
runs-on: ubuntu-latest
# Don't run when pull request is merged
if: github.event.pull_request.merged == false
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.parse-project-metadata.outputs.matrix) }}
matrix: ${{ fromJson(needs.get-python-versions.outputs.matrix) }}

steps:
- name: "Checkout repository"
Expand Down
Loading

0 comments on commit 1e882bf

Please sign in to comment.