-
Notifications
You must be signed in to change notification settings - Fork 0
100 lines (79 loc) · 2.83 KB
/
Copy pathtest.yml
File metadata and controls
100 lines (79 loc) · 2.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
name: Test
on:
push:
branches: ["main"]
pull_request:
jobs:
test:
name: "pytest / py${{ matrix.python-version }}"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@v7
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Cache pip
uses: actions/cache@v5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }}
restore-keys: |
${{ runner.os }}-pip-${{ matrix.python-version }}-
- name: Install package with dev extras
run: pip install -e ".[dev]"
- name: Run tests with coverage
run: pytest -q --cov=conclave --cov-report=term-missing --cov-fail-under=75
lint:
name: "ruff"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- name: Set up Python 3.12
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Cache pip
uses: actions/cache@v5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-ruff-${{ hashFiles('pyproject.toml') }}
- name: Install ruff
run: pip install ruff
- name: ruff check
run: ruff check .
- name: ruff format --check
run: ruff format --check .
audit:
name: "pip-audit"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- name: Set up Python 3.12
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Cache pip
uses: actions/cache@v5
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-audit-${{ hashFiles('pyproject.toml') }}
# Install the project so its resolved runtime + dev deps are present in the
# environment, then audit that environment. conclave is security-positioned,
# so this gate is FAIL-CLOSED: a known vulnerability in any resolved
# dependency fails CI. The dep surface is tiny (httpx + a few well-maintained
# libs), so false-positive churn is low. If a transitive CVE with no fix
# blocks an unrelated PR, suppress it narrowly with
# `--ignore-vuln <GHSA/PYSEC id>` and a tracking note (see RELEASING.md).
- name: Install package with dev extras
run: pip install -e ".[dev]"
- name: Install pip-audit
run: pip install pip-audit
# `--skip-editable` drops the local editable `conclave` install (it is not on
# PyPI and cannot be audited); every real dependency is still audited.
- name: Audit resolved dependencies for known vulnerabilities
run: pip-audit --skip-editable