MAINT - CI improvements (security and maintenance) #2077
Conversation
trallard
added
kind: maintenance
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Coverage report
This PR does not seem to contain any modification to coverable code. |
| runs-on: ubuntu-latest | ||
| needs: [build-package] | ||
| permissions: | ||
| id-token: write # needed for PyPI upload | ||
| environment: |
There was a problem hiding this comment.
Double-checking that this GitHub Environment is required on the Trusted Publisher in PyPI?
There was a problem hiding this comment.
I added it to my checklist so I remember to add it
There was a problem hiding this comment.
Double-checking that this GitHub Environment is required on the Trusted Publisher in PyPI?
did this get done @trallard? If so please resolve the conversation.
There was a problem hiding this comment.
Nope, since I did not know when we would merge this I did not want to enforce the env just in case we needed to do a release before this was merged (so the release would have failed).
Will do this change when we merge this PR.
my fixes to STB were done in May and August of 2023, and the most recent release was March 2023. So we do still need the pin (or to install from tip of
I don't remember creating it. But it might have been me. Are we pushing nightlies to the scientific python channel or something, is that what it's used for? |
|
@drammock yes we are using the Scientific Python channel so I am pretty confident it was you then.
ha! I can do both, use |
|
Ok I have removed Windows from the a11y CI as there were some failures that I am not sure are true accessibility fails but something else. Since this PR has been opened for a while it might be best to investigate these separately and re-add them, but for now we have a better matrix for a11y tests. @drammock could you give this PR a last check and see if we can merge? |
|
Note that the I could not find a 1:1 alternative so I am not sure if the best option is to download and add the logo or something else. |
Fixed in #2141. According to Docker docs, the plain logo without wordmark is intended to replace the previous "stacked" logo+wordmark. |
| runs-on: ubuntu-latest | ||
| needs: [build-package] | ||
| permissions: | ||
| id-token: write # needed for PyPI upload | ||
| environment: |
There was a problem hiding this comment.
Double-checking that this GitHub Environment is required on the Trusted Publisher in PyPI?
did this get done @trallard? If so please resolve the conversation.
Co-authored-by: Daniel McCloy <[email protected]>
- addresses the missing Docker logo discovered in #2077 (comment) (stores SVG in our repo) - updates GitBook logo (stores SVG in our repo) - updates metaflow and mkdocs material URLs - adds some basic CSS to that gallery grid (otherwise docker logo has no padding around it, violates their brand guidelines) Co-authored-by: Tania Allard <[email protected]>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| - name: "Get PST version" | ||
| run: | | ||
| python -Im pip install -e . | ||
| # Get the version of the package | ||
| PST_VERSION=$(python -c "import pydata_sphinx_theme; print(pydata_sphinx_theme.__version__)") | ||
| echo "PST_VERSION=$PST_VERSION" >> $GITHUB_ENV | ||
|
|
||
| # Run tests on the built package (which will be later uploaded to PyPI) | ||
| - name: "Install PST from wheel and test" | ||
| env: | ||
| BAIPP_DIST: ${{ steps.baipp.outputs.dist }} | ||
| PST_VERSION: ${{ env.PST_VERSION }} | ||
| run: | | ||
| # calling with --installpkg so we can use the already built package | ||
| tox run -e py312-tests-no-cov \ | ||
| --installpkg "${BAIPP_DIST}"/pydata_sphinx_theme-"${PST_VERSION}"-py3-none-any.whl \ | ||
| -- --deselect tests/test_build.py::test_translations |
There was a problem hiding this comment.
Added this extra test run. This would have caught the issues reported in #2090 for example
|
I have noticed some flaky accessibility tests re tab traps (notebooks), I wonder if https://github.com/pydata/pydata-sphinx-theme/actions/runs/13659445744/job/38186908516#step:4:672 is related to #2139 (comment) at all @gabalafou |
| # needed for the coverage action | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| # calls our docs workflow (build docs, check broken links, lighthouse) | ||
| # calls our docs workflow (build docs, check broken links, lighthouse) |
There was a problem hiding this comment.
this indentation looks wrong, but I'll assume it was a linter autofix and not bother trying to put it back. Intent is pretty clear either way.
|
Final update I just updated the environment in PyPI so this will be the one used when doing the release (via trusted publisher) |
This follows #2077 as our actions and workflows needed re-pinning after merging this branch. Included: - **:pushpin: Pin our actions to a concrete SHA** - **:construction_worker: Add test to publish workflow**
- addresses the missing Docker logo discovered in pydata#2077 (comment) (stores SVG in our repo) - updates GitBook logo (stores SVG in our repo) - updates metaflow and mkdocs material URLs - adds some basic CSS to that gallery grid (otherwise docker logo has no padding around it, violates their brand guidelines) Co-authored-by: Tania Allard <[email protected]>
I thought I would do some winter/summer cleaning (depending on your location) βπ. This PR adds several improvements/updates to our CI with a focus on improving the contributor experience and security Details below: ## π Security focused - Use SHA for third-party actions and our internal action for development setup - Replace potentially [dangerous trigger `workflow_run`](https://woodruffw.github.io/zizmor/audits/#dangerous-triggers) for `workflow_call` and use as a reusable workflow - Create and use a dedicated environment for releases: - [x] Created a `pst-release` environment in the repo (restricted to `main` only) - [x] Use `pst-release` for our `release-PST` step in `publish.yml` - [ ] Add `pst-release` as the default env in PyPI - Add a `zizmor.yml` workflow to run static analysis on our GH workflows - Add explicit `persist-credentials: false` to relevant actions (where we do not need further git operations) ## π©π½βπ€ Contributor experience - Prevent the `pre-release.yml` workflow from running in repos not under the `pydata` org (forks) - Our CI workflow has grown significantly with the various tests and checks. This PR splits it into: - `CI.yml`: pytest, a11y-tests, profiling, coverage - `docs.yml`: docs-related checks like building across OSes and Python and Sphinx versions, check for broken links (new, note that I had to fix some broken links to get this in π and there seem to be still some others to fix) - Add `tox run -e docs-linkcheck` to check for broken links in our docs - Add workflow to add a link to the RTD docs preview in PRs. ## π§° Maintenance - Adds Python `3.13` to our testing matrices (`3.12` is left as the `default` until we are confident all is ok with `3.13`) - Add an explicit `ubuntu-22.04` target as `ubuntu-latest` will soon be `24.04` (being rolled out right now) -> I think I might actually have explicit versions on both and only change to latest (or not) when the rollout is completed ---- ## Questions / notes - @drammock, we have `"sphinx-theme-builder @ https://github.com/pradyunsg/sphinx-theme-builder/archive/87214d0671c943992c05e3db01dca997e156e8d6.zip",` in our `project. tool` and `tox.ini`. I do not believe this pin is needed anymore, so I would like to remove it, too. WDYT? - @drammock did you create the token for Anaconda.org? I would like to make this an environment secret (vs a repository secret as it is right now) - Also, while adding a new environment, I noticed a `github-pages` environment that I do not think we are using, so I'd like to delete it. - Finally, I deleted a leftover `PYPI_TOKEN,` which should have been removed when we changed to trusted publishers. Closes pydata#2095 --------- Co-authored-by: Daniel McCloy <[email protected]>
This follows pydata#2077 as our actions and workflows needed re-pinning after merging this branch. Included: - **:pushpin: Pin our actions to a concrete SHA** - **:construction_worker: Add test to publish workflow**
This is a follow-up to #2077. This PR fixes action permissions to call reusable workflows in our release workflow. I also pinned the SHA for a workflow I missed in a previous review.
I thought I would do some winter/summer cleaning (depending on your location) βπ.
This PR adds several improvements/updates to our CI with a focus on improving the contributor experience and security
Details below:
π Security focused
workflow_runforworkflow_calland use as a reusable workflowpst-releaseenvironment in the repo (restricted tomainonly)pst-releasefor ourrelease-PSTstep inpublish.ymlpst-releaseas the default env in PyPIzizmor.ymlworkflow to run static analysis on our GH workflowspersist-credentials: falseto relevant actions (where we do not need further git operations)π©π½βπ€ Contributor experience
pre-release.ymlworkflow from running in repos not under thepydataorg (forks)CI.yml: pytest, a11y-tests, profiling, coveragedocs.yml: docs-related checks like building across OSes and Python and Sphinx versions, check for broken links (new, note that I had to fix some broken links to get this in π and there seem to be still some others to fix)tox run -e docs-linkcheckto check for broken links in our docsπ§° Maintenance
3.13to our testing matrices (3.12is left as thedefaultuntil we are confident all is ok with3.13)ubuntu-22.04target asubuntu-latestwill soon be24.04(being rolled out right now) -> I think I might actually have explicit versions on both and only change to latest (or not) when the rollout is completedQuestions / notes
"sphinx-theme-builder @ https://github.com/pradyunsg/sphinx-theme-builder/archive/87214d0671c943992c05e3db01dca997e156e8d6.zip",in ourproject. toolandtox.ini. I do not believe this pin is needed anymore, so I would like to remove it, too. WDYT?github-pagesenvironment that I do not think we are using, so I'd like to delete it.PYPI_TOKEN,which should have been removed when we changed to trusted publishers.Closes #2095