Minimize workflow permissions (#193) #68
| name: Python SDK cluster management integration tests | |
| permissions: {} | |
| on: | |
| push: | |
| branches: [ main ] | |
| paths: | |
| - 'python/cluster_management/**' | |
| - '.github/workflows/python-cm-integ-tests.yml' | |
| - '.github/workflows/clean-clusters.yml' | |
| pull_request: | |
| branches: [ main ] | |
| paths: | |
| - 'python/cluster_management/**' | |
| - '.github/workflows/python-cm-integ-tests.yml' | |
| - '.github/workflows/clean-clusters.yml' | |
| # Give us a button to allow running the workflow on demand for testing. | |
| workflow_dispatch: | |
| inputs: | |
| tags: | |
| description: 'Manual Workflow Run' | |
| required: false | |
| type: string | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # required by aws-actions/configure-aws-credentials | |
| concurrency: | |
| # Ensure only 1 job mutates clusters in this account at a time. | |
| group: ${{ github.workflow }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| - name: Cache pip packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pip- | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.PYTHON_IAM_ROLE }} | |
| aws-region: us-east-1 | |
| - name: Configure and run integration for cluster management | |
| working-directory: ./python/cluster_management | |
| run: | | |
| python3 -m venv cm-integ | |
| source cm-integ/bin/activate | |
| pip install --upgrade pip | |
| pip install --force-reinstall -r requirements.txt | |
| python3 -c "import boto3; print(boto3.__version__)" | |
| pip install pytest pytest-cov | |
| pip list | |
| echo "$GITHUB_WORKSPACE" >> $GITHUB_PATH | |
| pytest -v test/ | |
| cleanup: | |
| if: always() | |
| needs: test | |
| uses: ./.github/workflows/clean-clusters.yml | |
| with: | |
| aws_region: 'us-east-1' | |
| secrets: | |
| AWS_IAM_ROLE: ${{ secrets.PYTHON_IAM_ROLE }} | |
| permissions: | |
| id-token: write # required by aws-actions/configure-aws-credentials | |
| concurrency: | |
| # Ensure only 1 job mutates clusters in this account at a time. | |
| group: ${{ github.workflow }} |
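Review bot: The job-level `permissions:` block under `test` (and the one under `cleanup`) grants only `id-token: write`, which sets every other scope of the GITHUB_TOKEN to none, so the `Checkout code` step (`actions/checkout@v4`) now runs with no `contents` permission; on a private repository that checkout would fail, and even on a public one the token no longer carries the read scope the action documents as required. Add `contents: read # required by actions/checkout` next to `id-token: write` in both jobs. Separately, the `pull_request` trigger on `main` means same-repository PR branches run their test code with the assumed `PYTHON_IAM_ROLE` credentials (fork PRs receive neither secrets nor an OIDC token and would fail at `Configure AWS Credentials`); if that exposure is not intended, gating the job behind a GitHub environment with required reviewers would keep the trigger while adding an approval step. Minor: `echo "$GITHUB_WORKSPACE" >> $GITHUB_PATH` leaves the redirect target unquoted; `>> "$GITHUB_PATH"` is the safer spelling.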