Run Zizmor with token #992
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
workflow_dispatch: | |
env: | |
FORCE_COLOR: "1" # Make tools pretty. | |
PIP_DISABLE_PIP_VERSION_CHECK: "1" | |
PIP_NO_PYTHON_VERSION_WARNING: "1" | |
permissions: {} | |
jobs: | |
build-package: | |
name: Build & verify package | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
- uses: hynek/build-and-inspect-python-package@v2 | |
id: baipp | |
outputs: | |
# Used to define the matrix for tests below. The value is based on | |
# packaging metadata (trove classifiers). | |
python-versions: ${{ steps.baipp.outputs.supported_python_classifiers_json_array }} | |
tests: | |
name: Tests & Mypy API on ${{ matrix.python-version }} | |
runs-on: ubuntu-latest | |
needs: build-package | |
strategy: | |
fail-fast: false | |
matrix: | |
# Created by the build-and-inspect-python-package action above. | |
python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }} | |
env: | |
PYTHON: ${{ matrix.python-version }} | |
steps: | |
- name: Download pre-built packages | |
uses: actions/download-artifact@v4 | |
with: | |
name: Packages | |
path: dist | |
- run: | | |
tar xf dist/*.tar.gz --strip-components=1 | |
rm -rf src | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
allow-prereleases: true | |
- uses: hynek/setup-cached-uv@v2 | |
- name: Run tests | |
run: > | |
uvx --with tox-uv tox run | |
--installpkg dist/*.whl | |
-f py${PYTHON//./}-tests | |
- name: Upload coverage data | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-data-${{ matrix.python-version }} | |
path: .coverage.* | |
include-hidden-files: true | |
if-no-files-found: ignore | |
- name: Check public API with Mypy | |
run: > | |
uvx --with tox-uv tox run | |
--installpkg dist/*.whl | |
-e py${PYTHON//./}-mypy | |
coverage: | |
name: Ensure 100% test coverage | |
runs-on: ubuntu-latest | |
needs: tests | |
if: always() | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
- uses: hynek/setup-cached-uv@v2 | |
- name: Download coverage data | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: coverage-data-* | |
merge-multiple: true | |
- name: Combine coverage and fail if it's <100%. | |
run: | | |
uv tool install coverage | |
coverage combine | |
coverage html --skip-covered --skip-empty | |
# Report and write to summary. | |
coverage report --format=markdown >> $GITHUB_STEP_SUMMARY | |
# Report again and fail if under 100%. | |
coverage report --fail-under=100 | |
- name: Upload HTML report if check failed. | |
uses: actions/upload-artifact@v4 | |
with: | |
name: html-report | |
path: htmlcov | |
if: ${{ failure() }} | |
mypy-pkg: | |
name: Mypy Codebase | |
runs-on: ubuntu-latest | |
needs: build-package | |
steps: | |
- name: Download pre-built packages | |
uses: actions/download-artifact@v4 | |
with: | |
name: Packages | |
path: dist | |
- run: tar xf dist/*.tar.gz --strip-components=1 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
- uses: hynek/setup-cached-uv@v2 | |
- run: > | |
uvx --with tox-uv | |
tox run -e mypy-pkg | |
pyright: | |
name: Pyright Codebase | |
runs-on: ubuntu-latest | |
needs: build-package | |
steps: | |
- name: Download pre-built packages | |
uses: actions/download-artifact@v4 | |
with: | |
name: Packages | |
path: dist | |
- run: tar xf dist/*.tar.gz --strip-components=1 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
- uses: hynek/setup-cached-uv@v2 | |
- run: > | |
uvx --with tox-uv | |
tox run -e pyright | |
docs: | |
name: Build docs & run doctests | |
needs: build-package | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download pre-built packages | |
uses: actions/download-artifact@v4 | |
with: | |
name: Packages | |
path: dist | |
- run: tar xf dist/*.tar.gz --strip-components=1 | |
- uses: actions/setup-python@v5 | |
with: | |
# Keep in sync with tox.ini/docs & .readthedocs.yaml | |
python-version: "3.12" | |
- uses: hynek/setup-cached-uv@v2 | |
- run: > | |
uvx --with tox-uv | |
tox run -e docs | |
install-dev: | |
name: Verify dev env | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ubuntu-latest, windows-latest] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
- uses: hynek/setup-cached-uv@v2 | |
- run: uv venv | |
- run: uv pip install -e .[dev] | |
- run: .venv/bin/python -Ic 'import structlog; print(structlog.__version__)' | |
if: runner.os != 'Windows' | |
- run: .\.venv\Scripts\python.exe -Ic 'import structlog; print(structlog.__version__)' | |
if: runner.os == 'Windows' | |
required-checks-pass: | |
name: Ensure everything required is passing for branch protection | |
if: always() | |
needs: | |
- coverage | |
- install-dev | |
- mypy-pkg | |
- pyright | |
- docs | |
runs-on: ubuntu-latest | |
steps: | |
- name: Decide whether the needed jobs succeeded or failed | |
uses: re-actors/alls-green@release/v1 | |
with: | |
jobs: ${{ toJSON(needs) }} | |
colors: | |
name: Visual check for color settings using env variables | |
needs: build-package | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- uses: actions/setup-python@v5 | |
with: | |
python-version-file: .python-version-default | |
- uses: hynek/setup-cached-uv@v2 | |
- run: > | |
uvx --with=tox-uv | |
tox run | |
-f color |