1212
1313permissions : read-all
1414
15+ env :
16+ CACHE_GLOBS : |
17+ **/pyproject.toml
18+ **/requirements*.txt
19+ **/setup.py
20+ **/uv.lock
21+ ENDPOINT_WHITELIST : >-
22+ pypi.org:443
23+ github.com:443
24+ releases.astral.sh
25+ files.pythonhosted.org:443
26+ *.github.com:443
27+ *.githubusercontent.com:443
28+
1529jobs :
1630 pytest :
1731 runs-on : ${{ matrix.os }}
@@ -36,38 +50,49 @@ jobs:
3650 contents : write
3751
3852 steps :
39- - uses : step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e
53+ - uses : step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
4054 with :
4155 disable-sudo : true
42- egress-policy : audit
56+ egress-policy : block
57+ allowed-endpoints : auth.docker.io:443 ${{ env.ENDPOINT_WHITELIST}}
58+
59+ - run : |
60+ echo "\
61+ RUN_KEY=\
62+ ${{ hashFiles('pyproject.toml') }}-\
63+ ${{ matrix.os }}-\
64+ ${{ matrix.python-version }}-\
65+ ${{ matrix.resolution }}\
66+ " >> $GITHUB_ENV
4367
4468 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
4569
46- - uses : actions /setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
70+ - uses : astral-sh /setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
4771 with :
4872 python-version : ${{ matrix.python-version }}
49- cache : pip
50-
51- - uses : install-pinned/uv@05d9162df91b0a72301801afd144d0b8b525e0b3
73+ activate-environment : true
74+ cache-dependency-glob : ${{ env.CACHE_GLOBS }}
5275
5376 - run : |
54- uv pip install --system --resolution ${{ matrix.resolution }} -e .[all]
55- uv pip install --system --resolution ${{ matrix.resolution }} -r requirements-dev.txt
77+ uv pip install -r requirements-dev.txt
78+ uv pip install .[all]
79+ env:
80+ UV_RESOLUTION: ${{ matrix.resolution }}
5681
5782 - id : cache-pytest
5883 uses : actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
5984 with :
6085 path : .pytest_cache
61- key : pytest-${{ matrix.python-version }}-${{ matrix.os }}-${{ matrix.resolution }}-${{ hashFiles('pyproject.toml') }}
86+ key : pytest-${{ env.RUN_KEY }}
6287
6388 - run : pytest
6489 env :
65- COVERAGE_FILE : .coverage.${{ matrix.os }}.${{ matrix.python-version }}.${{ matrix.resolution }}
90+ COVERAGE_FILE : .coverage.${{ env.RUN_KEY }}
6691
67- - uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
92+ - uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
6893 with :
69- name : coverage-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }}
70- path : .coverage.${{ matrix.os }}.${{ matrix.python-version }}.${{ matrix.resolution }}
94+ name : coverage-${{ env.RUN_KEY }}
95+ path : .coverage.${{ env.RUN_KEY }}
7196 include-hidden-files : true
7297
7398 pytest-extras-config :
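Review bot: The `allowed-endpoints` at new line 57 now pulls in the shared `ENDPOINT_WHITELIST`, whose `*.github.com:443` and `*.githubusercontent.com:443` wildcards are much broader than the three-host lists the removed lines in the pytest-extras-config, pytest-extras, ruff-format and ruff hunks had, so every job's block policy now admits any githubusercontent subdomain; keep the wildcards out of the shared value and add per-job hosts the way this hunk already does with `auth.docker.io:443`, or record the reason in a comment above the shared `env:` block such as `# wildcards required for: <reason>`. `releases.astral.sh` is also the only entry in that list without a port, so confirm harden-runner accepts a bare host, otherwise make it `releases.astral.sh:443`. The `run` step at new lines 59–66 relies on bash `\` line continuation with no `shell:` key; since the job runs on `${{ matrix.os }}` (matrix values are outside this hunk), a Windows runner's default pwsh would not honour it, so add `shell: bash` if Windows is in the matrix.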
@@ -77,30 +102,24 @@ jobs:
77102 extras : ${{ steps.get-extras.outputs.extras }}
78103
79104 steps :
80- - uses : step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e
105+ - uses : step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
81106 with :
82107 disable-sudo : true
83108 egress-policy : block
84- allowed-endpoints : >
85- files.pythonhosted.org:443
86- github.com:443
87- pypi.org:443
109+ allowed-endpoints : ${{ env.ENDPOINT_WHITELIST}}
88110
89111 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
90112
91- - uses : actions /setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
113+ - uses : astral-sh /setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
92114 with :
93115 python-version : 3.13
94- cache : pip
116+ activate-environment : true
117+ cache-dependency-glob : ${{ env.CACHE_GLOBS }}
95118
96- - uses : install-pinned/uv@05d9162df91b0a72301801afd144d0b8b525e0b3
97-
98- - run : uv pip install --system -r requirements-dev.txt
119+ - run : uv pip install -r requirements-dev.txt
99120
100121 - name : get-extras
101122 id : get-extras
102- env :
103- PARSONS_LIMITED_DEPENDENCIES : ' TRUE'
104123 run : |
105124 python -c "
106125 import json
@@ -128,69 +147,56 @@ jobs:
128147 fail-fast : false
129148 matrix :
130149 extra : ${{ fromJson(needs.pytest-extras-config.outputs.extras) }}
131- python-version :
132- - ' 3.13'
133- os :
134- - ubuntu-latest
135- resolution :
136- - highest
150+ python-version : ['3.13']
151+ os : ['ubuntu-latest']
152+ resolution : ['highest']
137153
138154 steps :
139- - uses : step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e
155+ - uses : step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
140156 with :
141157 disable-sudo : true
142158 egress-policy : block
143- allowed-endpoints : >
144- files.pythonhosted.org:443
145- github.com:443
146- pypi.org:443
159+ allowed-endpoints : ${{ env.ENDPOINT_WHITELIST}}
147160
148161 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
149162
150- - uses : actions /setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
163+ - uses : astral-sh /setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
151164 with :
152165 python-version : ${{ matrix.python-version }}
153- cache : pip
154-
155- - uses : install-pinned/uv@05d9162df91b0a72301801afd144d0b8b525e0b3
166+ activate-environment : true
167+ cache-dependency-glob : ${{ env.CACHE_GLOBS }}
156168
157- - run : uv pip install --system - r requirements-dev.txt
169+ - run : uv pip install -r requirements-dev.txt
158170
159- - run : uv pip install --system .[${{ matrix.extra }}]
160- env :
161- PARSONS_LIMITED_DEPENDENCIES : ' TRUE'
171+ - run : uv pip install .[${{ matrix.extra }}]
162172
163173 - id : cache-pytest
164174 uses : actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
165175 with :
166176 path : .pytest_cache
167- key : pytest-${{ hashFiles('pyproject.toml') }}-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }}-${{ matrix.extra }}
177+ key : pytest-${{ hashFiles('pyproject.toml') }}-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }}
168178
169179 - run : pytest test/test_${{ matrix.extra }}
170180
171181 ruff-format :
172182 runs-on : ubuntu-latest
173183
174184 steps :
175- - uses : step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e
185+ - uses : step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
176186 with :
177187 disable-sudo : true
178188 egress-policy : block
179- allowed-endpoints : >
180- files.pythonhosted.org:443
181- github.com:443
182- pypi.org:443
189+ allowed-endpoints : ${{ env.ENDPOINT_WHITELIST}}
183190
184191 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
185192
186- - uses : actions /setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
193+ - uses : astral-sh /setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
187194 with :
188195 python-version : 3.13
189- cache : pip
190-
191- - uses : install-pinned/uv@05d9162df91b0a72301801afd144d0b8b525e0b3
196+ activate-environment : true
197+ cache-dependency-glob : ${{ env.CACHE_GLOBS }}
192198
193- - run : uv pip install --system - r requirements-dev.txt
199+ - run : uv pip install -r requirements-dev.txt
194200
195201 - id : cache-ruff
196202 uses : actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
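Review bot: The pytest cache key at new line 177 drops the `-${{ matrix.extra }}` suffix the removed line carried, while the job still fans out over `matrix.extra`, so every extra now resolves to the same key; actions/cache saves a key only once, so the first extra to finish writes `.pytest_cache` and the other extras restore a cache built for a different extra. Restore the suffix: `key: pytest-${{ hashFiles('pyproject.toml') }}-${{ matrix.os }}-${{ matrix.python-version }}-${{ matrix.resolution }}-${{ matrix.extra }}`. The pytest job's key in the earlier hunk keeps all of its distinguishing inputs via `RUN_KEY`, so this reads as an accidental drop during the refactor rather than an intended change.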
@@ -208,26 +214,21 @@ jobs:
208214 security-events : write
209215
210216 steps :
211- - uses : step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e
217+ - uses : step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
212218 with :
213219 disable-sudo : true
214220 egress-policy : block
215- allowed-endpoints : >
216- api.github.com:443
217- files.pythonhosted.org:443
218- github.com:443
219- pypi.org:443
221+ allowed-endpoints : ${{ env.ENDPOINT_WHITELIST}}
220222
221223 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
222224
223- - uses : actions /setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
225+ - uses : astral-sh /setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
224226 with :
225227 python-version : 3.13
226- cache : pip
227-
228- - uses : install-pinned/uv@05d9162df91b0a72301801afd144d0b8b525e0b3
228+ activate-environment : true
229+ cache-dependency-glob : ${{ env.CACHE_GLOBS }}
229230
230- - run : uv pip install --system - r requirements-dev.txt
231+ - run : uv pip install -r requirements-dev.txt
231232
232233 - id : cache-ruff
233234 uses : actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
@@ -236,18 +237,16 @@ jobs:
236237 key : ruff-${{ hashFiles('pyproject.toml') }}
237238
238239 - id : run-ruff-sarif
239- run : |
240- ruff check --output-format=sarif -o results.sarif .
240+ run : ruff check --output-format=sarif -o results.sarif .
241241
242- - uses : github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e
242+ - uses : github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162
243243 if : ( success() || failure() ) && contains('["success", "failure"]', steps.run-ruff-sarif.outcome)
244244 with :
245245 sarif_file : results.sarif
246246
247247 - id : run-ruff
248248 if : failure() && contains('["failure"]', steps.run-ruff-sarif.outcome)
249- run : |
250- ruff check --output-format=github .
249+ run : ruff check --output-format=github .
251250
252251 bandit :
253252 runs-on : ubuntu-latest
@@ -256,32 +255,27 @@ jobs:
256255 security-events : write
257256
258257 steps :
259- - uses : step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e
258+ - uses : step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
260259 with :
261260 disable-sudo : true
262261 egress-policy : block
263- allowed-endpoints : >
264- api.github.com:443
265- files.pythonhosted.org:443
266- github.com:443
267- pypi.org:443
262+ allowed-endpoints : ${{ env.ENDPOINT_WHITELIST}}
268263
269264 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
270265
271- - uses : actions /setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
266+ - uses : astral-sh /setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
272267 with :
273268 python-version : 3.13
274- cache : pip
275-
276- - uses : install-pinned/uv@05d9162df91b0a72301801afd144d0b8b525e0b3
269+ activate-environment : true
270+ cache-dependency-glob : ${{ env.CACHE_GLOBS }}
277271
278- - run : uv pip install --system - r requirements-dev.txt
272+ - run : uv pip install -r requirements-dev.txt
279273
280274 - id : run-bandit-sarif
281275 run : |
282276 bandit --confidence-level 'medium' --severity-level 'medium' --recursive 'parsons' --format 'sarif' --output 'results.sarif'
283277
284- - uses : github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e
278+ - uses : github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162
285279 if : ( success() || failure() ) && contains('["success", "failure"]', steps.run-bandit-sarif.outcome)
286280 with :
287281 sarif_file : results.sarif
@@ -302,18 +296,15 @@ jobs:
302296 contents : write
303297
304298 steps :
305- - uses : step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e
299+ - uses : step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
306300 with :
307301 disable-sudo : true
308302 egress-policy : block
309- allowed-endpoints : >
310- api.github.com:443
311- github.com:443
312- img.shields.io:443
303+ allowed-endpoints : img.shields.io:443 ${{ env.ENDPOINT_WHITELIST}}
313304
314305 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
315306
316- - uses : actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
307+ - uses : actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
317308 with :
318309 pattern : coverage-*
319310 merge-multiple : true
@@ -324,7 +315,7 @@ jobs:
324315 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
325316 MERGE_COVERAGE_FILES : true
326317
327- - uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
318+ - uses : actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
328319 if : steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true'
329320 with :
330321 name : python-coverage-comment-action
@@ -342,35 +333,26 @@ jobs:
342333 contents : write
343334
344335 steps :
345- - uses : step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e
336+ - uses : step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
346337 with :
347338 disable-sudo : true
348339 egress-policy : block
349- allowed-endpoints : >
350- files.pythonhosted.org:443
351- github.com:443
352- proxy.golang.org:443
353- pypi.org:443
340+ allowed-endpoints : proxy.golang.org:443 ${{ env.ENDPOINT_WHITELIST}}
354341
355342 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
356343
357- - uses : actions /setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
344+ - uses : astral-sh /setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
358345 with :
359346 python-version : 3.13
360- cache : pip
347+ activate-environment : true
348+ cache-dependency-glob : ${{ env.CACHE_GLOBS }}
361349
362- - uses : install-pinned/uv@05d9162df91b0a72301801afd144d0b8b525e0b3
363-
364- - run : uv pip install --system -r requirements-dev.txt
350+ - run : uv pip install -r requirements-dev.txt
365351
366352 - id : cache-pre-commit
367353 uses : actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306
368354 with :
369- path : . pre-commit-cache
370- key : pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}-${{ hashFiles('pyproject.toml') }}
355+ path : ~/.cache/ pre-commit
356+ key : pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
371357
372- - run : |
373- pre-commit install
374- pre-commit run --all-files
375- env:
376- PRE_COMMIT_HOME: .pre-commit-cache
358+ - run : pre-commit run --all-files --show-diff-on-failure --color=always