ci(backport): Update CI permissions changes (#2505)

matthewfeickert · web-flow · commit 7d2b257e7a0d · 2024-05-30T14:39:22.000-05:00
* Backport: - PR #2363 - PR #2479 - PR #2481 - PR #2483 - PR #2489
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -33,8 +33,13 @@ on:
         description: 'Perform a dry run to check'
         default: true
 
+permissions:
+  contents: read
+
 jobs:
   bump-version:
+    permissions:
+      contents: write  # for Git to git push
     runs-on: ubuntu-latest
     if: github.repository == 'scikit-hep/pyhf'
 
diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml
@@ -0,0 +1,50 @@
+name: CI on Windows
+
+on:
+  # Run daily at 1:23 UTC
+  schedule:
+  - cron:  '23 1 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [windows-latest]
+        python-version: ['3.9', '3.10', '3.11', '3.12']
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Install dependencies
+      run: |
+        python -m pip install uv
+        uv pip install --system --upgrade pip setuptools wheel
+        uv pip install --system --upgrade '.[all,test]'
+
+    - name: List installed Python packages
+      run: python -m pip list
+
+    - name: Test with pytest and coverage
+      # FIXME: ignore tests/test_scripts.py as runner breaks on Windows currently
+      run: |
+        coverage run --module pytest --ignore tests/test_scripts.py --ignore tests/contrib --ignore tests/benchmarks --ignore tests/test_notebooks.py
+
+    - name: Coverage report for core project
+      run: |
+        coverage report
+        coverage xml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -15,8 +15,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     name: Analyze
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/dependencies-head.yml b/.github/workflows/dependencies-head.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   release-candidates:
 
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -20,9 +20,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     name: Build, test, and publish Docker images to Docker Hub
+    permissions:
+      contents: read
+      packages: write  # for docker to push to registry
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build docs
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
 
diff --git a/.github/workflows/lower-bound-requirements.yml b/.github/workflows/lower-bound-requirements.yml
@@ -6,6 +6,9 @@ on:
   - cron:  '1 0 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
 
@@ -26,7 +29,7 @@ jobs:
 
     - name: Install dependencies and force lowest bound
       run: |
-        python -m pip install --upgrade pip setuptools wheel
+        python -m pip install --upgrade pip 'setuptools<70.0.0' wheel
         python -m pip --no-cache-dir install --constraint tests/constraints.txt .[test]
 
     - name: List installed Python packages
diff --git a/.github/workflows/merged.yml b/.github/workflows/merged.yml
@@ -5,6 +5,9 @@ on:
     types: [closed]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   binder:
     name: Trigger Binder build
diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
 
@@ -41,4 +44,4 @@ jobs:
         # Override the ini option for filterwarnings with an empty list to disable error
         # on filterwarnings as testing for notebooks to run with the latest API, not if
         # Jupyter infrastructure is warning free.
-        pytest --override-ini filterwarnings= tests/test_notebooks.py
+        pytest --verbose --override-ini filterwarnings= tests/test_notebooks.py
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -25,14 +25,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build Python distribution
     runs-on: ubuntu-latest
     permissions:
       id-token: write
       attestations: write
-      contents: read
 
     steps:
     - uses: actions/checkout@v4
diff --git a/.github/workflows/release_tests.yml b/.github/workflows/release_tests.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   pypi_release:
@@ -45,6 +48,10 @@ jobs:
 
     - name: Canary test public API
       run: |
+        # Override the ini option for filterwarnings with an empty list to disable error on filterwarnings
+        # as testing the latest release API still works, not the release is warning free.
+        # Though still show warnings by setting warning control to 'default'.
+        export PYTHONWARNINGS='default'
         pytest tests/test_public_api.py
 
       # FIXME: c.f. https://github.com/proycon/codemetapy/issues/24
diff --git a/.github/workflows/semantic-pr-check.yml b/.github/workflows/semantic-pr-check.yml
@@ -11,9 +11,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   main:
 
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
     name: Validate PR title
     runs-on: ubuntu-latest
 
