Closed
105 changes: 97 additions & 8 deletions .github/workflows/pull-test.yml
@@ -1,41 +1,130 @@
# Runs tests via tox
# Runs on pull requests to main
name: Test on pull request
# Runs on pull requests to main/master
# Full Python matrix runs on push to main/master
name: Test

on:
pull_request:
branches:
- main
- master
push:
branches:
- main
- master

jobs:
build:
runs-on: ubuntu-20.04
pr:
# Pull requests: fast feedback on latest Python only
name: PR (Python 3.12)
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
strategy:
max-parallel: 3
max-parallel: 1
matrix:
python-version:
- "3.12"

steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: "Set up Python ${{ matrix.python-version }}"
uses: actions/setup-python@v5
with:
python-version: "${{ matrix.python-version }}"

- name: Install build meta-dependencies
run: |
pip install tox poetry tox-gh-actions

- name: Test with tox
run: |
tox

# - name: Coveralls Python
# uses: AndreMiras/coveralls-python-action@v20201129
# with:
# #github-token: #${{ secrets.GITHUB_TOKEN }}
# github-token: ${{ secrets.COVERALLS_REPO_TOKEN }}

- uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
verbose: true # optional (default = false)
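Review bot: the `pr` job declares no `permissions:` block, so its GITHUB_TOKEN gets the repository's default scopes although the steps only check out, install and run tox; add `permissions: contents: read` at the workflow level (the Codecov step needs `id-token: write` on top of that only if it is switched to `use_oidc: true`). Every action in this job is referenced by a floating major tag (`actions/checkout@v4`, `actions/setup-python@v5`, `codecov/codecov-action@v5`); pinning each to a full commit SHA, with the tag kept in a trailing comment, stops a moved tag from silently changing what runs with access to this repository's secrets. Minor: `max-parallel: 1` on a single-entry matrix is a no-op, and `pip install tox poetry tox-gh-actions` installs unpinned versions on every run.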
Comment on lines +53 to +56

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Codecov v5 action authentication token requirements github actions

💡 Result:

  • Default (token-based auth): codecov/codecov-action@v5 can authenticate uploads with a Codecov upload token provided either as with: token: ... or env: CODECOV_TOKEN: .... (github.com)
  • When a token is required (per Codecov):
    • Private repos: token always required. (docs.codecov.com)
    • Public repos: token is required for protected-branch uploads unless your Codecov org has disabled token authentication for public repositories. (docs.codecov.com)
    • Public repos, “unprotected” (e.g., fork-prefixed) branches: token not required. (docs.codecov.com)
  • Tokenless option 1 (OIDC): Set use_oidc: true; any provided token is ignored, and your workflow/job must grant permissions: id-token: write. (github.com)
  • Tokenless option 2 (org setting for public repos): In Codecov org settings (“Global Upload Token”), admins can set tokens to Not required for public repos (available with action > v5.0). (docs.codecov.com)

Citations:


🌐 Web query:

GitHub Actions secrets forked pull requests external contributors

💡 Result:

  • Forked PRs (external contributors) don’t get your repo secrets. Workflows triggered by pull_request from forks run with no access to repository secrets, and the provided GITHUB_TOKEN is read-only. [1]
  • You may also need to manually approve runs. For public repos, GitHub can require maintainer approval before running workflows for some outside contributors (by default, first-time contributors), configurable under Settings → Actions → General → “Approval for running fork pull request workflows from contributors.” [2]
  • How to approve a pending run: maintainers with write access can review the PR (especially any .github/workflows/ changes) and click “Approve workflows to run.” Runs awaiting approval for >30 days are deleted. [3]
  • If you need secrets on PRs, use pull_request_target very carefully. pull_request_target runs in the context of the base repo and can access secrets, but it’s risky if you run untrusted fork code (e.g., by checking out the fork and executing it). Also, enterprise policies note pull_request_target runs regardless of fork-approval settings. [4]
  • Private/internal repos can be configured to allow more—but it’s dangerous. Admin policies can allow fork PR workflows to receive write tokens and even secrets, and/or require approval first. [4]
  • Dependabot PRs are treated like forks. Their workflow runs get a read-only GITHUB_TOKEN and no secrets. [5]

Sources:
[1] https://github.blog/security/supply-chain-security/four-tips-to-keep-your-github-actions-workflows-secure/
[2] https://docs.github.com/en/enterprise-cloud%40latest/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository
[3] https://docs.github.com/en/actions/how-tos/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks
[4] https://docs.github.com/github-ae%40latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise
[5] https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/


🌐 Web query:

Codecov tokenless upload OIDC github actions

💡 Result:

Tokenless vs OIDC (GitHub Actions + Codecov)

1) “Tokenless upload” (no CODECOV_TOKEN)
Codecov will accept uploads without a token only when either:

  • the repo is public and your Codecov org has disabled token authentication for public repositories, or
  • the repo is public and the upload is for a commit on an “unprotected” branch (e.g. forkname:main). [2]

2) OIDC (no Codecov upload token, but still authenticated)
With the official Codecov GitHub Action, you can authenticate uploads using GitHub OIDC by setting use_oidc: true and granting id-token: write. Any token you pass will be ignored. [1]

permissions:
  contents: read
  id-token: write

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      use_oidc: true
      # files: ./coverage.xml   # optional

Note: Codecov Action v4 does not support tokenless uploading (it’s a breaking change in v4). [1]

Sources: [1] [2]


Guard Codecov upload for private repos or when secrets are unavailable.

Forked PRs don't receive repository secrets, so ${{ secrets.CODECOV_TOKEN }} is empty for external contributors. This matters only if your repo is private (token always required) or if Codecov requires tokens for protected branches in your org settings. Public repos with fork branches don't require a token. To avoid failures across all scenarios, add a conditional guard:

🔧 Suggested guard
-      - uses: codecov/codecov-action@v5
+      - name: Upload coverage to Codecov
+        if: ${{ secrets.CODECOV_TOKEN != '' }}
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           verbose: true # optional (default = false)
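Review bot: the guard only skips the upload when the secret is empty, so pull requests from forks will produce no coverage report rather than a failing check; if that is the intended trade-off it should be stated in a step comment. The OIDC alternative this comment offers needs `permissions:` with `id-token: write` on the job, which neither the `pr` nor the `main` job in this diff declares, and the suggested `with:` block would then carry `use_oidc: true` instead of `token:`.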

Alternatively, use OIDC (use_oidc: true) if your Codecov account supports it.

🤖 Prompt for AI Agents
In @.github/workflows/pull-test.yml around lines 53 - 56, The Codecov action
invocation (codecov/codecov-action@v5) uses the secrets.CODECOV_TOKEN unguarded
which causes CI failures for forked PRs or when the secret is missing; update
the workflow step to conditionally run or provide the token only when the secret
is present (e.g., guard on github.repository_owner ==
github.event.pull_request.head.repo.owner or check if secrets.CODECOV_TOKEN) or
enable OIDC by setting use_oidc: true so uploads succeed without the secret;
modify the step that references token: ${{ secrets.CODECOV_TOKEN }} (and add
use_oidc: true as an alternative) so the action is skipped or uses OIDC when the
token is unavailable.


main:
# Pushes to main/master: full Python matrix
name: Main/Master (Python matrix)
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
runs-on: ubuntu-latest
strategy:
max-parallel: 1
matrix:
python-version:
- "3.10"
- "3.11"
- "3.12"

steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: "Set up Python ${{ matrix.python-version }}"
uses: actions/setup-python@v2
uses: actions/setup-python@v5
with:
python-version: "${{ matrix.python-version }}"

- name: Install build meta-dependencies
run: |
pip install tox poetry tox-gh-actions

- name: Test with tox
run: |
tox

# - name: Coveralls Python
# uses: AndreMiras/coveralls-python-action@v20201129
# with:
# #github-token: #${{ secrets.GITHUB_TOKEN }}
# github-token: ${{ secrets.COVERALLS_REPO_TOKEN }}
- uses: codecov/codecov-action@v1

- uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
verbose: true # optional (default = false)

# Legacy required check for branch protection.
# NOTE: This does NOT run Python 3.9 tests; it exists only because branch protection
# requires a status check named "build (3.9)". Remove once branch protection is updated.
build_39:
name: build (3.9)
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Compatibility status
run: |
echo "Legacy required check for branch protection."

# Legacy required checks for branch protection
markdown_link_check:
name: markdown-link-check
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4

- name: Check markdown links
uses: lycheeverse/lychee-action@v2
with:
args: >
--verbose
--no-progress
--accept 200,206,429
--timeout 20
--max-concurrency 8
"**/*.md"
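Review bot: `build_39` reports success unconditionally under the name `build (3.9)` that branch protection requires, so that required check verifies nothing for as long as the job exists; the comment acknowledges this, but the branch-protection update should land with this change or in a tracked follow-up rather than leaving an always-green required check. The `main` job repeats the `token: ${{ secrets.CODECOV_TOKEN }}` step, which is fine on push since secrets are available there, but the commented-out Coveralls block is duplicated verbatim from the `pr` job and should be deleted rather than carried twice. `markdown_link_check` runs `actions/checkout@v4` and `lycheeverse/lychee-action@v2` on every pull request, including ones from forks, with no `permissions:` declared; restrict it to `contents: read` and pin both actions to commit SHAs as with the other jobs.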
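As an added example, not code from this pull request or from the project it belongs to, the following Python script audits a workflow file for the three points raised around this diff: actions referenced by floating tags instead of commit SHAs, a missing `permissions:` block, and repository secrets referenced in a workflow triggered by `pull_request` (where forked PRs receive an empty value, the Codecov-token case discussed in the review comment). It deliberately avoids PyYAML and scans block-style YAML line by line; the two sample workflows, the rule names and the all-zero placeholder SHA are constructed here and stand in for real values.

```python
"""Line-based hygiene audit for a GitHub Actions workflow file.

Added example, not code from the pull request or the project under review.
It needs no PyYAML: it scans the workflow text line by line (block-style YAML
only, as in the diff above) and reports three things a reviewer would raise:
  1. an action referenced by a floating tag (e.g. @v5) rather than a 40-hex
     commit SHA, so a moved tag can change what runs in the repository;
  2. no `permissions:` block at all, leaving GITHUB_TOKEN at the repository
     default scopes;
  3. a repository secret referenced in a workflow that runs on pull_request,
     where forked PRs receive an empty value.
"""
import re
from dataclasses import dataclass, field

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")
# Only the plain pull_request trigger: pull_request_target does receive secrets.
PR_TRIGGER_RE = re.compile(r"^\s*pull_request:")


@dataclass
class Finding:
    line: int      # 1-based line in the workflow text; 0 means "whole file"
    rule: str
    detail: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    def rules(self):
        """Distinct rule ids that fired, sorted for stable comparison."""
        return sorted({f.rule for f in self.findings})


def audit_workflow(text: str) -> Report:
    report = Report()
    has_permissions = False
    runs_on_pull_request = False
    secret_refs = []

    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # drop trailing YAML comments
        if not code.strip():
            continue
        if PERMISSIONS_RE.match(code):
            has_permissions = True
        if PR_TRIGGER_RE.match(code):
            runs_on_pull_request = True

        m = USES_RE.match(code)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue                      # local or image refs: no tag to pin
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                report.findings.append(Finding(lineno, "unpinned-action", ref))

        for name in SECRET_RE.findall(code):
            if name != "GITHUB_TOKEN":        # the built-in token is always present
                secret_refs.append((lineno, name))

    if not has_permissions:
        report.findings.append(
            Finding(0, "no-permissions-block", "GITHUB_TOKEN keeps repository default scopes"))
    if runs_on_pull_request:
        for lineno, name in secret_refs:
            report.findings.append(Finding(lineno, "secret-on-pull-request", name))
    return report


# Constructed placeholder; a real workflow would carry the action's actual commit SHA.
PLACEHOLDER_SHA = "0" * 40

# Constructed sample shaped like the `pr` job in the diff: floating tags, no
# permissions block, and a repository secret used on a pull_request trigger.
SAMPLE_WORKFLOW = """\
name: Test
on:
  pull_request:
    branches: [main]
jobs:
  pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@<SHA>  # pinned: not reported
      - uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
""".replace("<SHA>", PLACEHOLDER_SHA)

# Constructed hardened variant: least-privilege permissions, SHA-pinned actions,
# and OIDC instead of a repository secret.
HARDENED_WORKFLOW = """\
name: Test
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
  id-token: write
jobs:
  pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<SHA>
      - uses: codecov/codecov-action@<SHA>
        with:
          use_oidc: true
""".replace("<SHA>", PLACEHOLDER_SHA)


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW).findings:
        print(f"line {f.line:>3}  {f.rule:<24} {f.detail}")
    print("hardened workflow findings:", audit_workflow(HARDENED_WORKFLOW).findings)
```

The scan treats `pull_request_target` differently from `pull_request` on purpose: that trigger does receive secrets, so an empty token is not the concern there. Because the check is line-based it only understands block-style triggers (`pull_request:` on its own line), not the flow form `on: [push, pull_request]`; a production linter would parse the YAML properly.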