Skip to content

ci: update workflow #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
pmarusz wants to merge 1 commit into from
Closed

ci: update workflow #7

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
23 changes: 23 additions & 0 deletions .github/dependency_review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
fail-on-severity: 'low'
allow-licenses:
- 'BSD-2-Clause'
- 'BSD-3-Clause'
- 'BSD-3-Clause-Clear'
- 'BSD-2-Clause-Views'
- 'MIT'
- 'Apache-2.0'
- 'ISC'
- 'BlueOak-1.0.0'
- '0BSD'
- 'Python-2.0'
- 'LGPL-3.0'
- 'MPL-2.0'
fail-on-scopes:
- 'runtime'
- 'development'
- 'unknown'
license-check: true
vulnerability-check: true
allow-dependencies-licenses:
- 'pkg:pypi/PyGithub@2.2.0'
- 'pkg:pypi/psycopg2-binary'
41 changes: 41 additions & 0 deletions .github/prepare_test_env/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
name: 'Prepare test environment'
inputs:
PYTHON_VERSION:
description: 'Python version to use'
required: true
SOURCE_PATH:
description: 'Path to the source code directory'
required: false
default: 'src'
type: string
VIRTUALENV_PATH:
description: 'Virtualenv path'
required: false
default: 'virtualenv'
type: string

runs:
using: "composite"
steps:
- name: Checkout main repository
uses: actions/checkout@v4
with:
path: ${{ inputs.SOURCE_PATH }}
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.PYTHON_VERSION }}
cache: 'pip'

- name: Install dependencies
shell: bash
run: |
python -m pip install --upgrade pip
python -m venv ${{ inputs.VIRTUALENV_PATH }}
source ${{ inputs.VIRTUALENV_PATH }}/*/activate
python --version
pip install ./${{ inputs.SOURCE_PATH }}
pip install -r ${{ inputs.SOURCE_PATH }}/requirements-test.txt
pip install -r ${{ inputs.SOURCE_PATH }}/requirements-dev.txt
pip install -r ${{ inputs.SOURCE_PATH }}/requirements.txt
186 changes: 64 additions & 122 deletions .github/workflows/build_upload_whl.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
description: 'PyPI API token to publish package'
required: false
inputs:
UPLOAD_PACKAGE:
RELEASE_STEPS:
description: 'Should the package be uploaded to PyPI?'
required: false
default: false
Expand All @@ -27,181 +27,123 @@
required: false
default: '3.10.11'
type: string
PUSH_TAG:
description: 'Push tag after version bump'
required: false
default: false
type: boolean
RELEASE_BUILD:
description: 'Is release build?'
required: false
default: false
type: boolean
GIT_USER:
description: 'Git user name for commit and tag'
required: true
type: string
GIT_EMAIL:
description: 'Git user email for commit and tag'
required: true
type: string
PROJECT_NAME:
description: 'Project name for tests'
description: 'Project name'
required: true
type: string
SOURCE_PATH:
description: 'Path to the source code directory'
required: false
default: 'src'
type: string
RUNS_ON:
description: 'Runner type for the job'
required: false
default: 'ubuntu-latest'
type: string
JOB_NAME:
description: 'Name of the job'
required: false
default: 'build_whl'
type: string

jobs:
build_whl:
permissions:
contents: write
id-token: write
environment:
name: "pypi"
url: https://pypi.org/p/${{ inputs.PROJECT_NAME }}
name: ${{ inputs.JOB_NAME }}
runs-on: ${{ inputs.RUNS_ON }}
steps:
- uses: actions/checkout@v4
with:
fetch-tags: true
fetch-depth: 0
path: ${{ inputs.SOURCE_PATH }}
ref: ${{ inputs.BRANCH_NAME }}
repository: ${{ inputs.REPOSITORY_NAME }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.PYTHON_VERSION }}
cache: 'pip'

- name: Version bumping
id: VERSION_BUMP
if: inputs.RELEASE_BUILD == true
env:
GIT_AUTHOR_NAME: ${{ inputs.GIT_USER }}
GIT_AUTHOR_EMAIL: ${{ inputs.GIT_EMAIL }}
GIT_COMMITTER_NAME: ${{ inputs.GIT_USER }}
GIT_COMMITTER_EMAIL: ${{ inputs.GIT_EMAIL }}
shell: bash
run: |
python -m pip install --upgrade pip
python -m venv bump_version
source bump_version/bin/activate
pip install python-semantic-release~=10.2
pip install -r ${{ inputs.SOURCE_PATH }}/requirements-dev.txt
pip install ./${{ inputs.SOURCE_PATH }}
mfd-create-config-files --project-dir ./${{ inputs.SOURCE_PATH }}
cd ${{ inputs.SOURCE_PATH }}
version_after_bump=$(semantic-release version --print | tail -n 1 | tr -d '\n')
version_from_tag=$(git describe --tags --abbrev=0 | tr -d '\n' | sed 's/^v//')
echo "Version after semantic-release bump is: ${version_after_bump}"
echo "Version from tag: ${version_from_tag}"
# Only check version equality if RELEASE_BUILD is true
if [ "${{ inputs.RELEASE_BUILD }}" == "true" ]; then
if [ "$version_after_bump" == "$version_from_tag" ]; then
echo "Version would not change: version_after_bump=${version_after_bump}, version_from_tag=${version_from_tag}"
exit 1
fi
fi
semantic-release version --no-push --no-vcs-release
cat pyproject.toml
echo "version_after_bump=v${version_after_bump}" >> $GITHUB_OUTPUT
- name: Create virtual environment for whl creation
shell: bash
- name: Show python version
run: python --version

- name: Run mfd-create-config-files
run: |
python -m venv whl_creation
source whl_creation/bin/activate
pip install build==1.2.2.post1
cd ${{ inputs.SOURCE_PATH }}
../whl_creation/bin/python -m build --wheel --outdir ../whl_creation/dist
ls -l ../whl_creation/dist
pip install -r requirements-dev.txt
pip install .
mfd-create-config-files --project-dir .

- name: Determine if unit and functional tests should run
id: test_check
shell: bash
- name: Check if bump version is expected
run: |
REPO_NAME=$(echo "${{ inputs.PROJECT_NAME }}")
echo "Repository name extracted: $REPO_NAME"
if [ "${{ inputs.RELEASE_BUILD }}" = "false" ]; then
COMMIT_MSG=$(git log -1 --pretty=%B)

UNIT_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/unit/test_$(echo "${REPO_NAME}" | tr '-' '_')"
FUNC_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/system/test_$(echo "${REPO_NAME}" | tr '-' '_')"
if [ -d "$UNIT_TEST_DIR" ]; then
echo "Unit tests directory exists: $UNIT_TEST_DIR"
echo "run_unit_tests=true" >> $GITHUB_OUTPUT
else
echo "Unit tests directory does not exist: $UNIT_TEST_DIR"
echo "run_unit_tests=false" >> $GITHUB_OUTPUT
fi
if [ -d "$FUNC_TEST_DIR" ]; then
echo "Functional tests directory exists: $FUNC_TEST_DIR"
echo "run_functional_tests=true" >> $GITHUB_OUTPUT
if echo "$COMMIT_MSG" | grep -Ei '^(docs|build|test|ci|refactor|perf|chore|revert):\s'; then
echo "CREATE_WHL=false" >> $GITHUB_ENV
echo "No version bump needed for commit message: $COMMIT_MSG, ending job"
else
echo "CREATE_WHL=true" >> $GITHUB_ENV
echo "Version bump needed for commit message: $COMMIT_MSG, continuing job"
fi
else
echo "Functional tests directory does not exist: $FUNC_TEST_DIR"
echo "run_functional_tests=false" >> $GITHUB_OUTPUT
echo "Skipping potential bump version check for release build"
echo "CREATE_WHL=true" >> $GITHUB_ENV
fi

- name: Install dependencies for tests
if: steps.test_check.outputs.run_unit_tests == 'true' || steps.test_check.outputs.run_functional_tests == 'true'
shell: bash
run: |
python -m venv test_env
source test_env/bin/activate
python -m pip install -r "${{ inputs.SOURCE_PATH }}/requirements.txt" -r "${{ inputs.SOURCE_PATH }}/requirements-test.txt" -r "${{ inputs.SOURCE_PATH }}/requirements-dev.txt"
python -m pip install ./${{ inputs.SOURCE_PATH }}
- name: Run python-semantic-release without version bump - force patch bump
if: env.CREATE_WHL == 'false'
uses: python-semantic-release/python-semantic-release@v10.3.1
with:
build: true
vcs_release: false
push: false
strict: true
force: patch

- name: Run unit tests if test directory exists
if: steps.test_check.outputs.run_unit_tests == 'true'
shell: bash
run: |
source test_env/bin/activate
mfd-unit-tests --project-dir ${{ github.workspace }}/${{ inputs.SOURCE_PATH }}
- name: Run python-semantic-release
if: env.CREATE_WHL == 'true'
uses: python-semantic-release/python-semantic-release@v10.3.1
with:
build: true
vcs_release: false
push: false
strict: true

- name: Run functional tests if test directory exists
if: steps.test_check.outputs.run_functional_tests == 'true'
- name: Check if .whl is installable
shell: bash
run: |
source test_env/bin/activate
mfd-system-tests --project-dir ${{ github.workspace }}/${{ inputs.SOURCE_PATH }}
python -m pip install dist/*.whl

- name: Publish package distributions to PyPI
if: ${{ inputs.RELEASE_BUILD == true && inputs.UPLOAD_PACKAGE == true }}
if: ${{ inputs.RELEASE_BUILD == true && inputs.RELEASE_STEPS == true }}
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: 'whl_creation/dist'
packages-dir: 'dist'
password: ${{ secrets.PYPI_TOKEN }}

- name: Publish comment how to build .whl
if: inputs.RELEASE_BUILD == false
if: inputs.RELEASE_BUILD == false && (github.event.pull_request != null && github.event.pull_request.head.repo.full_name == github.repository) # skip for forks
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GH_TOKEN }}
script: |
const prNumber = context.payload.pull_request.number;
const commentBody = "We don't publish DEVs .whl.\n To build .whl, run 'pip install git+https://github.com/${{ inputs.REPOSITORY_NAME }}@${{ inputs.BRANCH_NAME }}'";
await github.rest.issues.createComment({
const commentBody = "We don't publish DEVs .whl.\n To build .whl, run 'pip install git+https://${{ inputs.REPOSITORY_NAME }}@${{ inputs.BRANCH_NAME }}'";

const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body: commentBody
});

- name: Push git tag after version bump
if: ${{ inputs.RELEASE_BUILD == true && inputs.PUSH_TAG == true }}
shell: bash
env:
GIT_AUTHOR_NAME: ${{ inputs.GIT_USER }}
GIT_AUTHOR_EMAIL: ${{ inputs.GIT_EMAIL }}
GIT_COMMITTER_NAME: ${{ inputs.GIT_USER }}
GIT_COMMITTER_EMAIL: ${{ inputs.GIT_EMAIL }}
version_after_bump: ${{ steps.VERSION_BUMP.outputs.version_after_bump }}
run: |
cd ${{ inputs.SOURCE_PATH }}
git push origin "${version_after_bump}"
const alreadyCommented = comments.some(comment => comment.body === commentBody);

if (!alreadyCommented) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body: commentBody
});
Comment on lines +52 to +148

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

The best way to fix this problem is to add an explicit permissions block to the workflow. For a reusable workflow like this, placing it at the workflow root (just after the on: block and before jobs) ensures all jobs inherit these default least-privilege permissions unless overridden.
The workflow steps do not need repository write access, but they do interact with pull requests (commenting), which requires pull-requests: write. Most other steps (checkout, reading code, uploading to PyPI) only require contents: read.
Implementation:
Edit .github/workflows/build_upload_whl.yml and, after the name and on: sections (e.g., right before jobs: at line 49), add:

permissions:
  contents: read
  pull-requests: write

This reduces GitHub token permissions to the minimum needed for the workflow: read access to repository contents and write access to pull request comments.

Suggested changeset 1
.github/workflows/build_upload_whl.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_upload_whl.yml b/.github/workflows/build_upload_whl.yml
--- a/.github/workflows/build_upload_whl.yml
+++ b/.github/workflows/build_upload_whl.yml
@@ -47,6 +47,9 @@
         default: 'build_whl'
         type: string
 
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   build_whl:
     name: ${{ inputs.JOB_NAME }}
EOF
@@ -47,6 +47,9 @@
default: 'build_whl'
type: string

permissions:
contents: read
pull-requests: write
jobs:
build_whl:
name: ${{ inputs.JOB_NAME }}
Copilot is powered by AI and may make mistakes. Always verify output.
}
30 changes: 30 additions & 0 deletions .github/workflows/check_code_standard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Check Code Standard

on:
pull_request:
types: [opened, synchronize]

env:
SOURCE_PATH: 'src'
VIRTUALENV_PATH: 'virtualenv'

jobs:
run_check_standard:
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
runs-on: ubuntu-latest
steps:
- name: Checkout this repository
uses: actions/checkout@v4
with:
path: current_repo
- uses: ./current_repo/.github/prepare_test_env
with:
PYTHON_VERSION: ${{ matrix.python_version }}
- name: Run mfd-code-standard
shell: bash
run: |
source ${{ github.workspace }}/${{ env.VIRTUALENV_PATH }}/*/activate
mfd-code-standard --project-dir ${{ github.workspace }}/${{ env.SOURCE_PATH }}
Comment on lines +13 to +30

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix this problem, explicitly add a permissions block to the workflow. The least-privilege approach is to give read-only access to repository contents (contents: read), which is sufficient for checking out code and running static analysis. The permissions block can be added at the root level (before jobs:) so all jobs inherit these permissions unless overridden. Edit the file .github/workflows/check_code_standard.yml: add the following block right after the workflow name: and before the on: trigger section. No additional imports or dependencies are required.

Suggested changeset 1
.github/workflows/check_code_standard.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_code_standard.yml b/.github/workflows/check_code_standard.yml
--- a/.github/workflows/check_code_standard.yml
+++ b/.github/workflows/check_code_standard.yml
@@ -1,4 +1,6 @@
 name: Check Code Standard
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -1,4 +1,6 @@
name: Check Code Standard
permissions:
contents: read

on:
pull_request:
Copilot is powered by AI and may make mistakes. Always verify output.
12 changes: 12 additions & 0 deletions .github/workflows/check_pr_format.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
name: Title + Commit Validation

on:
pull_request:
types: [opened, synchronize]

jobs:
validate_pr_format:
uses: intel/mfd/.github/workflows/check_pr_format.yml@main
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
Comment on lines +9 to +12

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 7 months ago

To fix the problem, you should explicitly specify the minimal permissions required at either the workflow or job level. Since the workflow check_pr_format.yml only delegates to a reusable workflow, it is best to set the permissions at the top/root level to ensure coverage for all jobs (unless individual jobs need different permissions, which is not indicated here). For pull request validation tasks, contents: read is generally sufficient unless the reusable workflow requires additional privileges (such as pull-requests: write). Absent further evidence, the minimal safe default is to set contents: read. Add the following lines near the top of the workflow, after the name: and before on: keys:

permissions:
  contents: read

If needed, you can adjust the permissions later based on actual requirements of the workflow.

Suggested changeset 1
.github/workflows/check_pr_format.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_pr_format.yml b/.github/workflows/check_pr_format.yml
--- a/.github/workflows/check_pr_format.yml
+++ b/.github/workflows/check_pr_format.yml
@@ -1,4 +1,6 @@
 name: Title + Commit Validation
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -1,4 +1,6 @@
name: Title + Commit Validation
permissions:
contents: read

on:
pull_request:
Copilot is powered by AI and may make mistakes. Always verify output.
Loading