
Trigger documentation publishing alongside new releases #2724



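---
# CI for the Python package: the full pytest matrix, one test job per optional
# extra, ruff format/lint, a bandit scan, coverage reporting, docs lint and
# pre-commit.  Every job runs under harden-runner with a blocked egress policy
# and pinned action SHAs.
name: Python checks

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main
      - major-release
  schedule:
    # Weekly run, Mondays 00:00 UTC.  Quoted so the '*' fields stay literal.
    - cron: '0 0 * * 1'

# Baseline token scope for every job; individual jobs widen it below only
# where a step needs more.
permissions: read-all

env:
  # Files whose hash keys the uv dependency cache (one glob per line).
  CACHE_GLOBS: |
    **/pyproject.toml
    **/setup.py
    **/uv.lock
  # Egress allow-list shared by every job's harden-runner step.  Folded (>-)
  # into a single space-separated line, which is what allowed-endpoints reads.
  # NOTE(review): releases.astral.sh is the only entry without an explicit
  # port — confirm harden-runner accepts it in that form.
  ENDPOINT_WHITELIST: >-
    pypi.org:443
    github.com:443
    releases.astral.sh
    files.pythonhosted.org:443
    *.github.com:443
    *.githubusercontent.com:443

jobs:
  # Full test suite with coverage across OS x Python x dependency resolution.
  pytest:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        python-version:
          - '3.10'
          - '3.11'
          - '3.12'
          - '3.13'
        os:
          - ubuntu-latest
          - windows-latest
          - macos-latest
        resolution:
          - highest
          - lowest-direct
    # NOTE(review): no step in this job visibly writes to the repository;
    # confirm `contents: write` is still required, otherwise drop it.
    permissions:
      contents: write
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          # Docker auth is needed by this job only, on top of the shared list.
          allowed-endpoints: auth.docker.io:443 ${{ env.ENDPOINT_WHITELIST }}
      - name: determine key for pytest cache
        id: pytest-run-key
        # Explicit bash so the same script runs unchanged on windows-latest.
        shell: bash
        run: |
          HASH=${{ hashFiles('pyproject.toml') }}
          VAL="${HASH}-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }}"
          echo "RUN_KEY=$VAL" >> "$GITHUB_ENV"
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
        with:
          python-version: ${{ matrix.python-version }}
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}
      - env:
          # Drives uv's resolver strategy for this matrix leg.
          UV_RESOLUTION: ${{ matrix.resolution }}
        run: >-
          uv sync
          --upgrade
          --no-default-groups
          --group test-coverage
          --all-extras
      - id: cache-pytest
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: .pytest_cache
          key: pytest-${{ env.RUN_KEY }}
      - env:
          # One coverage data file per matrix leg; merged by the coverage job.
          COVERAGE_FILE: .coverage.${{ env.RUN_KEY }}
        run: >-
          pytest
          --failed-first
          --cov=parsons
          --no-cov-on-fail
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
        with:
          name: coverage-${{ env.RUN_KEY }}
          path: .coverage.${{ env.RUN_KEY }}
          # The coverage file is a dotfile, which upload-artifact skips by default.
          include-hidden-files: true

  # Discovers the package's optional extras so pytest-extras can fan out
  # with one matrix leg per extra.
  pytest-extras-config:
    runs-on: ubuntu-latest
    outputs:
      extras: ${{ steps.get-extras.outputs.extras }}
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: ${{ env.ENDPOINT_WHITELIST }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
        with:
          python-version: '3.13'
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}
      - run: >-
          uv sync
          --upgrade
          --no-default-groups
          --group ci
          --all-extras
      - name: create list of all parsons extras
        id: get-extras
        # Emits the Provides-Extra names from the built wheel metadata as a
        # JSON list, minus the umbrella extra 'all'.
        run: |
          python -c "
          import json
          from build.util import project_wheel_metadata
          from pathlib import Path
          metadata = project_wheel_metadata(Path('.'))
          extras = metadata.get_all('Provides-Extra') or []
          if 'all' in extras:
              extras.remove('all')
          print(json.dumps(extras))
          " > extras.json
          echo "extras=$(cat extras.json)" >> "$GITHUB_OUTPUT"

  # One job per extra: install only that extra and run its test module.
  pytest-extras:
    runs-on: ${{ matrix.os }}
    needs:
      - pytest-extras-config
      - pytest
    strategy:
      fail-fast: false
      matrix:
        extra: ${{ fromJson(needs.pytest-extras-config.outputs.extras) }}
        python-version:
          - '3.13'
        os:
          - ubuntu-latest
        resolution:
          - highest
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: ${{ env.ENDPOINT_WHITELIST }}
      - name: determine key for pytest cache
        id: pytest-run-key
        shell: bash
        run: |
          HASH=${{ hashFiles('pyproject.toml') }}
          VAL="${HASH}-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }}"
          echo "RUN_KEY=$VAL" >> "$GITHUB_ENV"
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
        with:
          python-version: ${{ matrix.python-version }}
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}
      # The extra name originates in the checked-out commit's pyproject
      # metadata.  Hand it to the shell through env rather than interpolating
      # the expression into the script, so it is always treated as data.
      - env:
          UV_RESOLUTION: ${{ matrix.resolution }}
          PARSONS_EXTRA: ${{ matrix.extra }}
        run: >-
          uv sync
          --upgrade
          --no-default-groups
          --group test
          --extra "$PARSONS_EXTRA"
      - id: cache-pytest
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: .pytest_cache
          key: pytest-${{ env.RUN_KEY }}
      - env:
          PARSONS_EXTRA: ${{ matrix.extra }}
        run: pytest "test/test_${PARSONS_EXTRA}"

  # Formatting check only; fails on any diff ruff would produce.
  ruff-format:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: ${{ env.ENDPOINT_WHITELIST }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
        with:
          python-version: '3.13'
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}
      - run: >-
          uv sync
          --upgrade
          --no-default-groups
          --group lint
      - id: cache-ruff
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: .ruff_cache
          key: ruff-${{ hashFiles('pyproject.toml') }}
      - id: run-ruff
        run: >-
          ruff format
          --diff
          .

  # Lint with SARIF upload to code scanning; a second run emits GitHub
  # annotations when the first one fails.
  ruff-check:
    runs-on: ubuntu-latest
    permissions:
      # Required by codeql-action/upload-sarif.
      security-events: write
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: ${{ env.ENDPOINT_WHITELIST }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
        with:
          python-version: '3.13'
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}
      - run: >-
          uv sync
          --upgrade
          --no-default-groups
          --group lint
      - id: cache-ruff
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: .ruff_cache
          key: ruff-${{ hashFiles('pyproject.toml') }}
      - id: run-ruff-sarif
        run: >-
          ruff check
          --output-format=sarif
          -o results.sarif
          .
      # Upload whether or not findings made the scan fail; skipped only when
      # the scan step itself did not complete (e.g. cancelled/skipped).
      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
        if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-ruff-sarif.outcome)
        with:
          sarif_file: results.sarif
      # Same findings again as inline annotations, only after a failing scan.
      - id: run-ruff
        if: failure() && contains('["failure"]', steps.run-ruff-sarif.outcome)
        run: >-
          ruff check
          --output-format=github
          .

  # Static security scan of the package source (medium+ severity/confidence).
  bandit:
    runs-on: ubuntu-latest
    permissions:
      # Required by codeql-action/upload-sarif.
      security-events: write
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: ${{ env.ENDPOINT_WHITELIST }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
        with:
          python-version: '3.13'
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}
      - run: >-
          uv sync
          --upgrade
          --no-default-groups
          --group security
      - id: run-bandit-sarif
        run: >-
          bandit
          --confidence-level 'medium'
          --severity-level 'medium'
          --recursive 'parsons'
          --format 'sarif'
          --output 'results.sarif'
      # Upload whether or not findings made the scan fail; skipped only when
      # the scan step itself did not complete.
      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
        if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-bandit-sarif.outcome)
        with:
          sarif_file: results.sarif
      # Plain-text rerun so the findings are readable in the job log.
      - id: run-bandit
        if: failure() && contains('["failure"]', steps.run-bandit-sarif.outcome)
        run: >-
          bandit
          --confidence-level 'medium'
          --severity-level 'medium'
          --recursive 'parsons'

  # Merges the per-leg coverage files from pytest and reports on the PR.
  coverage:
    runs-on: ubuntu-latest
    needs:
      - pytest
    # Both scopes are consumed by the coverage comment action below.
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          # shields.io is reached for the coverage badge.
          allowed-endpoints: img.shields.io:443 ${{ env.ENDPOINT_WHITELIST }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          # Collect every coverage-<RUN_KEY> artifact into one directory.
          pattern: coverage-*
          merge-multiple: true
      - id: coverage_comment
        uses: py-cov-action/python-coverage-comment-action@7188638f871f721a365d644f505d1ff3df20d683
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MERGE_COVERAGE_FILES: true
      # When the action could not post the comment itself it writes it to a
      # file; keep that file as an artifact (presumably for a follow-up
      # workflow to post — confirm).
      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
        if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true'
        with:
          name: python-coverage-comment-action
          path: python-coverage-comment-action.txt

  # reST lint of the docs tree and of docstrings in the package.
  sphinx-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: ${{ env.ENDPOINT_WHITELIST }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
        with:
          python-version: '3.13'
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}
      - run: >-
          uv sync
          --upgrade
          --no-default-groups
          --group docs
      - run: sphinx-lint docs
      - run: sphinx-lint parsons

  # Runs all pre-commit hooks once the individual linters have passed.
  pre-commit:
    runs-on: ubuntu-latest
    needs:
      - bandit
      - ruff-format
      - ruff-check
      - sphinx-lint
    # NOTE(review): no step in this job visibly writes to the repository;
    # confirm `contents: write` is still required, otherwise drop it.
    permissions:
      contents: write
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-sudo: true
          egress-policy: block
          # proxy.golang.org is extra here — presumably a hook fetches Go
          # modules; confirm against .pre-commit-config.yaml.
          allowed-endpoints: proxy.golang.org:443 ${{ env.ENDPOINT_WHITELIST }}
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78
        with:
          python-version: '3.13'
          activate-environment: true
          cache-dependency-glob: ${{ env.CACHE_GLOBS }}
      - run: >-
          uv sync
          --upgrade
          --no-default-groups
          --group pre-commit
      - id: cache-pre-commit
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: .pre-commit-cache
          key: pre-commit-${{ hashFiles('.pre-commit-config.yaml', 'pyproject.toml') }}
      - env:
          # Point pre-commit's hook store at the cached directory above.
          PRE_COMMIT_HOME: .pre-commit-cache
        run: >-
          pre-commit run
          --all-files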