Bump install-pinned/uv (#164) #226
| name: Python checks | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - master | |
| pull_request: | |
| schedule: | |
| - cron: 0 0 * * 1 | |
| workflow_dispatch: | |
| permissions: read-all | |
| jobs: | |
| test: | |
| name: Pytest testing | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: | |
| - '3.9' | |
| - '3.10' | |
| - '3.11' | |
| - '3.12' | |
| - '3.13' | |
| os: | |
| - ubuntu-latest | |
| - windows-latest | |
| - macos-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a | |
| with: | |
| disable-sudo: false | |
| egress-policy: audit | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| cache: pip | |
| - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93 | |
| - run: uv pip install --system -e .[dev] | |
| - id: cache-pytest | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 | |
| with: | |
| path: .pytest_cache | |
| key: ${{ runner.os }}-pytest-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }} | |
| - name: Run pytest (with headless support) | |
| uses: GabrielBB/xvfb-action@5bcda06da84ba084708898801da79736b88e00a9 | |
| env: | |
| COVERAGE_FILE: .coverage.${{ runner.os }}.${{ matrix.python-version }} | |
| with: | |
| run: pytest | |
| - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 | |
| with: | |
| name: coverage-${{ runner.os }}${{ matrix.python-version }} | |
| path: .coverage.${{ runner.os }}.${{ matrix.python-version }} | |
| include-hidden-files: true | |
| ruff-format: | |
| name: Ruff formatting | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| pypi.org:443 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c | |
| with: | |
| python-version: '3.13' | |
| cache: pip | |
| - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93 | |
| - run: uv pip install --system -e .[dev] | |
| - id: cache-ruff | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 | |
| with: | |
| path: .ruff_cache | |
| key: ${{ runner.os }}-ruff-3.13-${{ hashFiles('pyproject.toml') }} | |
| - id: run-ruff | |
| run: ruff format --diff . | |
| ruff-check: | |
| name: Ruff linting | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| pypi.org:443 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c | |
| with: | |
| python-version: '3.13' | |
| cache: pip | |
| - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93 | |
| - run: uv pip install --system -e .[dev] | |
| - id: cache-ruff | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 | |
| with: | |
| path: .ruff_cache | |
| key: ${{ runner.os }}-ruff-3.13-${{ hashFiles('pyproject.toml') }} | |
| - id: run-ruff-sarif | |
| run: | | |
| ruff check --output-format=sarif -o results.sarif . | |
| - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 | |
| if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-ruff-sarif.outcome) | |
| with: | |
| sarif_file: results.sarif | |
| - id: run-ruff | |
| if: failure() && contains('["failure"]', steps.run-ruff-sarif.outcome) | |
| run: | | |
| ruff check --output-format=github . | |
| mypy: | |
| name: Mypy type checking | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| pypi.org:443 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c | |
| with: | |
| python-version: '3.13' | |
| cache: pip | |
| - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93 | |
| - run: uv pip install --system -e .[dev] | |
| - id: cache-mypy | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 | |
| with: | |
| path: .mypy_cache | |
| key: ${{ runner.os }}-mypy-3.13-${{ hashFiles('pyproject.toml') }} | |
| - id: run-mypy | |
| run: | | |
| mypy . | |
| bandit: | |
| name: Bandit security | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| pypi.org:443 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c | |
| with: | |
| python-version: '3.13' | |
| cache: pip | |
| - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93 | |
| - run: uv pip install --system -e .[dev] | |
| - id: run-bandit-sarif | |
| run: | | |
| bandit --confidence-level 'medium' --format 'sarif' --output 'results.sarif' --recursive 'requestium' | |
| - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 | |
| if: ( success() || failure() ) && contains('["success", "failure"]', steps.run-bandit-sarif.outcome) | |
| with: | |
| sarif_file: results.sarif | |
| - id: run-bandit | |
| if: failure() && contains('["failure"]', steps.run-bandit-sarif.outcome) | |
| run: | | |
| bandit --confidence-level 'medium' --recursive 'requestium' | |
| coverage: | |
| runs-on: ubuntu-latest | |
| needs: test | |
| permissions: | |
| pull-requests: write | |
| contents: write | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| img.shields.io:443 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 | |
| with: | |
| pattern: coverage-* | |
| merge-multiple: true | |
| - name: Coverage comment | |
| id: coverage_comment | |
| uses: py-cov-action/python-coverage-comment-action@91aaf3b39c7e2331c6bc77767ce017f5160c5f11 | |
| with: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| MERGE_COVERAGE_FILES: true | |
| - name: Store Pull Request comment to be posted | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 | |
| if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true' | |
| with: | |
| name: python-coverage-comment-action | |
| path: python-coverage-comment-action.txt | |
| pre-commit: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - ruff-format | |
| - ruff-check | |
| - bandit | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| files.pythonhosted.org:443 | |
| github.com:443 | |
| proxy.golang.org:443 | |
| pypi.org:443 | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c | |
| with: | |
| python-version: '3.13' | |
| cache: pip | |
| - uses: install-pinned/uv@3863536aec631cbd0a0d99cc91d32d06292bcb93 | |
| - run: uv pip install --system -e .[dev] | |
| - id: cache-pre-commit | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 | |
| with: | |
| path: .pre-commit-cache | |
| key: ${{ runner.os }}-pre-commit-3.13 | |
| - name: Run pre-commit on all files | |
| run: | | |
| pre-commit install | |
| pre-commit run --all-files | |
| env: | |
| PRE_COMMIT_HOME: .pre-commit-cache |