-
Notifications
You must be signed in to change notification settings - Fork 2
104 lines (95 loc) · 4.07 KB
/
Copy pathtest.yml
File metadata and controls
104 lines (95 loc) · 4.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: Tests
on:
pull_request:
types: [opened, synchronize]
push:
branches: [main]
permissions: {}
concurrency:
group: "test-${{ github.ref }}"
cancel-in-progress: true
jobs:
pre-commit:
name: Pre-Commit
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Setup Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
- name: Install dependencies
run: uv sync --locked
- name: Run Pre-commit
run: uv run pre-commit run --all-files
- name: Pre-import Codecov uploader signing key
if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
# Workaround for codecov/codecov-action#1876: the uploader intermittently
# fails to fetch its own verification key, producing "Can't check signature:
# No public key" and failing the job under fail_ci_if_error. Pre-seed Codecov's
# public key (codecovsecops, fingerprint 2703 4E7F DB85 0E0B BC2C 62FF 806B B28A
# ED77 9869) so the wrapper's check succeeds even when its own fetch flakes. The
# observed wrapper verifies against the default keyring (`gpg --verify`), so that
# import is the one that fixes this failure; trustedkeys.gpg is also seeded for
# the documented gpgv path. The fetched key's fingerprint is checked against the
# expected value BEFORE import, so a DNS hijack or tampered keybase response is
# never installed into a trusted keyring. Best-effort: never fails the build, so a
# fetch outage or fingerprint mismatch just falls back to the uploader's own check.
run: |
set +e
expected="27034E7FDB850E0BBC2C62FF806BB28AED779869"
curl -fsSL https://keybase.io/codecovsecops/pgp_keys.asc -o codecov.asc
if gpg --show-keys --with-colons codecov.asc 2>/dev/null | grep -q ":${expected}:"; then
gpg --batch --import codecov.asc
gpg --batch --no-default-keyring --keyring trustedkeys.gpg --import codecov.asc
else
echo "WARNING: Codecov signing key not verified (fetch failed or fingerprint mismatch) – skipping pre-import"
fi
rm -f codecov.asc
exit 0
- name: Upload coverage to Codecov
if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
# Note: This job also exists in release.yml as a final quality gate before publishing.
# While it may seem redundant, it serves as a safety check in case of misconfiguration.
test-matrix:
name: Test Python ${{ matrix.python-version }}
runs-on: ubuntu-latest
if: github.event_name == 'push'
continue-on-error: ${{ matrix.experimental }}
strategy:
fail-fast: false
matrix:
python-version: ["3.10", "3.11", "3.12", "3.13"]
experimental: [false]
steps:
- name: Checkout code
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Install uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
- name: Install dependencies
run: |
uv sync --locked
- name: Run tests
run: |
uv run pytest tests/ --ignore=tests/integration --tb=short -v
env:
PYTHONDONTWRITEBYTECODE: 1