Skip to content

test(segstats): cover unknown_customer_value with extra_aggs on the n… #1133

test(segstats): cover unknown_customer_value with extra_aggs on the n…

test(segstats): cover unknown_customer_value with extra_aggs on the n… #1133

Workflow file for this run

name: Tests
on:
pull_request:
types: [opened, synchronize]
push:
branches: [main]
permissions: {}
concurrency:
group: "test-${{ github.ref }}"
cancel-in-progress: true
jobs:
pre-commit:
name: Pre-Commit
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
- name: Install dependencies
run: uv sync --locked
- name: Run Pre-commit
run: uv run pre-commit run --all-files
- name: Pre-import Codecov uploader signing key
if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
# Workaround for codecov/codecov-action#1876: the uploader intermittently
# fails to fetch its own verification key, producing "Can't check signature:
# No public key" and failing the job under fail_ci_if_error. Pre-seed Codecov's
# public key (codecovsecops, fingerprint 2703 4E7F DB85 0E0B BC2C 62FF 806B B28A
# ED77 9869) so the wrapper's check succeeds even when its own fetch flakes. The
# observed wrapper verifies against the default keyring (`gpg --verify`), so that
# import is the one that fixes this failure; trustedkeys.gpg is also seeded for
# the documented gpgv path. The fetched key's fingerprint is checked against the
# expected value BEFORE import, so a DNS hijack or tampered keybase response is
# never installed into a trusted keyring. Best-effort: never fails the build, so a
# fetch outage or fingerprint mismatch just falls back to the uploader's own check.
run: |
set +e
expected="27034E7FDB850E0BBC2C62FF806BB28AED779869"
curl -fsSL https://keybase.io/codecovsecops/pgp_keys.asc -o codecov.asc
if gpg --show-keys --with-colons codecov.asc 2>/dev/null | grep -q ":${expected}:"; then
gpg --batch --import codecov.asc
gpg --batch --no-default-keyring --keyring trustedkeys.gpg --import codecov.asc
else
echo "WARNING: Codecov signing key not verified (fetch failed or fingerprint mismatch) – skipping pre-import"
fi
rm -f codecov.asc
exit 0
- name: Upload coverage to Codecov
if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
# Note: This job also exists in release.yml as a final quality gate before publishing.
# While it may seem redundant, it serves as a safety check in case of misconfiguration.
test-matrix:
name: Test Python ${{ matrix.python-version }}
runs-on: ubuntu-latest
if: github.event_name == 'push'
continue-on-error: ${{ matrix.experimental }}
strategy:
fail-fast: false
matrix:
python-version: ["3.10", "3.11", "3.12", "3.13"]
experimental: [false]
steps:
- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
- name: Install dependencies
run: |
uv sync --locked
- name: Run tests
run: |
uv run pytest tests/ --ignore=tests/integration --tb=short -v
env:
PYTHONDONTWRITEBYTECODE: 1