mypy, ty for types, ruff for docs #155
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI Pipeline | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| codestyle: | |
| name: codestyle check/linting (${{ matrix.tool }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| tool: [ruff, ty] | |
| steps: | |
| - name: checkout code | |
| uses: actions/checkout@v4 | |
| - name: set up python 3.11 | |
| uses: actions/setup-python@v3 | |
| with: | |
| python-version: 3.11 | |
| - name: install ruff | |
| if: matrix.tool == 'ruff' | |
| run: pip install ruff==0.14.2 | |
| - name: run ruff linter src directory | |
| if: matrix.tool == 'ruff' | |
| run: ruff check hololinked | |
| - name: run ruff linter tests directory | |
| if: matrix.tool == 'ruff' | |
| run: ruff check tests/*.py tests/things/*.py tests/helper-scripts/*.py | |
| - name: install ty | |
| if: matrix.tool == 'ty' | |
| run: pip install ty==0.0.24 | |
| - name: run ty type checker | |
| if: matrix.tool == 'ty' | |
| run: ty check hololinked | |
| scan: | |
| name: security scan (${{ matrix.tool }}) | |
| runs-on: ubuntu-latest | |
| needs: codestyle | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| tool: [bandit, gitleaks] | |
| steps: | |
| - name: checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| # ---------------- Bandit branch ---------------- | |
| - name: set up python 3.11 | |
| if: matrix.tool == 'bandit' | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.11" | |
| - name: install bandit | |
| if: matrix.tool == 'bandit' | |
| run: pip install bandit | |
| - name: run bandit scan | |
| if: matrix.tool == 'bandit' | |
| run: | | |
| bandit -c pyproject.toml -r hololinked/ -b .bandit-baseline.json | |
| # this is the step that will fail the job if new issues are found | |
| - name: generate JSON report | |
| if: matrix.tool == 'bandit' | |
| run: | | |
| echo "Rerunning to generate bandit report in JSON format..." | |
| bandit -c pyproject.toml -r hololinked/ -f json -b .bandit-baseline.json -o bandit-report.json | |
| - name: upload bandit report artifact | |
| if: matrix.tool == 'bandit' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: bandit-security-scan-report | |
| path: bandit-report.json | |
| - name: display existing issues, which have already been accounted | |
| if: matrix.tool == 'bandit' | |
| run: | | |
| echo "Rerunning to display existing issues which are included in the baseline..." | |
| bandit -c pyproject.toml -r hololinked/ || true | |
| # ---------------- Gitleaks branch ---------------- | |
| - name: run gitleaks scan on commits | |
| if: matrix.tool == 'gitleaks' | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | |
| - name: run gitleaks scan on repo folder | |
| if: matrix.tool == 'gitleaks' | |
| run: | | |
| docker run --rm -v ${{ github.workspace }}:/hololinked zricethezav/gitleaks:latest \ | |
| dir hololinked/hololinked --verbose --log-level trace | |
| docker run --rm -v ${{ github.workspace }}:/hololinked zricethezav/gitleaks:latest \ | |
| dir hololinked/.github --verbose --log-level trace | |
| test: | |
| name: unit-integration tests | |
| needs: scan | |
| strategy: | |
| matrix: | |
| include: | |
| - os: windows-latest | |
| python-version: 3.11 | |
| - os: windows-latest | |
| python-version: 3.12 | |
| - os: windows-latest | |
| python-version: 3.13 | |
| # - os: macos-latest | |
| # python-version: 3.11 | |
| - os: ubuntu-latest | |
| python-version: 3.11 | |
| - os: ubuntu-latest | |
| python-version: 3.12 | |
| - os: ubuntu-latest | |
| python-version: 3.13 | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: unpack MQTT certificates (linux) | |
| if: runner.os != 'Windows' | |
| run: | | |
| echo "${{ secrets.MQTT_TEST_CREDENTIALS }}" | base64 -d > certs.tar.gz | |
| tar xzf certs.tar.gz | |
| ls -la daq-system-infrastructure/certs | |
| ls -la daq-system-infrastructure/conf | |
| - name: unpack MQTT certificates (windows) | |
| if: runner.os == 'Windows' | |
| run: | | |
| $mqttCerts = "${{ secrets.MQTT_TEST_CREDENTIALS }}" | |
| [System.IO.File]::WriteAllBytes("certs.tar.gz", [System.Convert]::FromBase64String($mqttCerts)) | |
| tar xzf certs.tar.gz | |
| dir daq-system-infrastructure\certs | |
| dir daq-system-infrastructure\conf | |
| - name: set up python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v3 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: install uv (linux/macOS) | |
| if: runner.os != 'Windows' | |
| run: curl -LsSf https://astral.sh/uv/install.sh | sh | |
| - name: install uv (windows) | |
| if: runner.os == 'Windows' | |
| run: | | |
| python -m pip install uv | |
| - name: install dependencies (linux/macOS) | |
| if: runner.os != 'Windows' | |
| run: | | |
| uv venv .venv | |
| source .venv/bin/activate | |
| uv sync --group test --group dev | |
| mv tests/patches/testcontainers/mqtt/__init__.py .venv/lib/python*/site-packages/testcontainers/mqtt/__init__.py | |
| - name: install dependencies (windows) | |
| if: runner.os == 'Windows' | |
| run: | | |
| uv venv .venv | |
| .venv\Scripts\activate | |
| uv sync --group test --group dev | |
| copy tests\patches\testcontainers\mqtt\__init__.py .venv\Lib\site-packages\testcontainers\mqtt\__init__.py | |
| - name: run unit tests (linux/macOS) | |
| if: runner.os != 'Windows' && matrix.python-version != 3.13 | |
| env: | |
| OIDC_TEST_CONFIG_1_B64: ${{ secrets.OIDC_TEST_CONFIG_1_B64 }} | |
| run: | | |
| source .venv/bin/activate | |
| pytest -s -v | |
| - name: run unit tests (Windows) | |
| if: runner.os == 'Windows' | |
| env: | |
| OIDC_TEST_CONFIG_1_B64: ${{ secrets.OIDC_TEST_CONFIG_1_B64 }} | |
| run: | | |
| .venv\Scripts\activate | |
| pytest -s -v --ignore=tests\test_16_protocols_mqtt.py | |
| - name: run unit tests and generate coverage report (linux/macOS python 3.13) | |
| if: runner.os != 'Windows' && matrix.python-version == 3.13 | |
| env: | |
| OIDC_TEST_CONFIG_1_B64: ${{ secrets.OIDC_TEST_CONFIG_1_B64 }} | |
| run: | | |
| source .venv/bin/activate | |
| pytest -s -v --cov=hololinked --cov-report=xml:coverage.xml | |
| - name: upload coverage report as artifact | |
| uses: actions/upload-artifact@v4 | |
| if: runner.os != 'Windows' && matrix.python-version == 3.13 | |
| with: | |
| name: coverage-report-ubuntu-latest-py3.13 | |
| path: coverage.xml | |
| if-no-files-found: warn | |
| publish_coverage: | |
| name: publish coverage | |
| needs: test | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' | |
| steps: | |
| - name: checkout code | |
| uses: actions/checkout@v4 | |
| - name: download coverage artifact | |
| id: dl | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: coverage-report-ubuntu-latest-py3.13 | |
| path: . | |
| continue-on-error: true | |
| - name: upload coverage to codecov | |
| if: steps.dl.outcome == 'success' | |
| uses: codecov/codecov-action@v4 | |
| env: | |
| CI: true | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: coverage.xml | |
| fail_ci_if_error: true | |
| slug: hololinked-dev/hololinked | |
| - name: skip note (no artifact found) | |
| if: steps.dl.outcome != 'success' | |
| run: echo "No coverage artifact present; skipping codecov upload." |