Merge pull request #1249 from GitGuardian/ctourriere/fix_root_plugin_… #3345
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| # About steps requiring the GITGUARDIAN_API_KEY: | |
| # | |
| # For security reasons, secrets are not available when a workflow is triggered by a pull request from a fork. This | |
| # causes all steps requiring the GITGUARDIAN_API_KEY to fail. To avoid this, we skip those steps when we are triggered | |
| # by a pull request from a fork. | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - '*' | |
| tags-ignore: | |
| - '*' | |
| paths-ignore: | |
| - 'doc/**' | |
| - 'README.md' | |
| env: | |
| UV_VERSION: 0.10.8 | |
| DEFAULT_PYTHON_VERSION: '3.9' | |
| jobs: | |
| lint: | |
| name: Lint package | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| version: ${{ env.UV_VERSION }} | |
| python-version: ${{ env.DEFAULT_PYTHON_VERSION }} | |
| - name: Install dependencies | |
| run: | | |
| uv sync --locked --group tests --group dev | |
| - uses: actions/cache@v4 | |
| with: | |
| path: ~/.cache/pre-commit | |
| key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }} | |
| - name: Install pre-commit hooks | |
| run: uv run pre-commit install --install-hooks | |
| - name: Skip ggshield hooks when running from a fork | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ github.event.pull_request.head.repo.fork }} | |
| run: | | |
| echo "SKIP=ggshield,ggshield-local" >> $GITHUB_ENV | |
| - name: Run pre-commit checks | |
| run: | | |
| uv run pre-commit run --show-diff-on-failure --all-files | |
| env: | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| - name: Check commit messages | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| PR_REF="${GITHUB_REF%/merge}/head" | |
| git fetch origin "$PR_REF" | |
| if git log --format=%s "origin/$GITHUB_BASE_REF..FETCH_HEAD" | grep '^fixup!' ; then | |
| echo 'Error: this pull request contains fixup commits. Squash them.' | |
| exit 1 | |
| fi | |
| # In case `git log` fails | |
| exit "${PIPESTATUS[0]}" | |
| build: | |
| name: Build and Test | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-22.04, macos-15-intel, windows-2022] | |
| python-version: ['3.9', '3.10', '3.11', '3.12'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Get enough commits to run `ggshield secret scan commit-range` on ourselves | |
| fetch-depth: 10 | |
| - name: Install uv and set the Python version | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| version: ${{ env.UV_VERSION }} | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install dependencies | |
| run: | | |
| uv sync --locked --group dev --group tests | |
| - name: Override base Docker image used for functional tests on Windows | |
| if: matrix.os == 'windows-2022' | |
| # This is required because GitHub Windows runner is not configured to | |
| # run Linux-based Docker images | |
| shell: bash | |
| run: | | |
| echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV | |
| - name: Ensure a clean package installation | |
| run: | | |
| uv build --wheel | |
| # The created wheel (.whl) file will be found and analyzed within the `dist/` folder | |
| uv run check-wheel-contents dist/ | |
| - name: Run unit tests | |
| run: | | |
| uv run coverage run --source ggshield -m pytest --disable-pytest-warnings --disable-socket tests/unit | |
| - name: Gather coverage report | |
| run: | | |
| uv run coverage report --fail-under=80 | |
| uv run coverage xml | |
| - uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./coverage.xml | |
| flags: unittests | |
| name: codecov-umbrella | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: false | |
| - name: Run functional tests (non-API) | |
| shell: bash | |
| run: | | |
| make functest | |
| env: | |
| FUNCTEST_ARGS: '-m "not uses_gitguardian_api"' | |
| functest_api: | |
| name: Functional tests (API) | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ !github.event.pull_request.head.repo.fork }} | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Get enough commits to run `ggshield secret scan commit-range` on ourselves | |
| fetch-depth: 10 | |
| - name: Install uv and set the Python version | |
| uses: astral-sh/setup-uv@v7 | |
| with: | |
| version: ${{ env.UV_VERSION }} | |
| python-version: ${{ env.DEFAULT_PYTHON_VERSION }} | |
| - name: Install dependencies | |
| run: | | |
| uv sync --locked --group dev --group tests | |
| - name: Run functional tests (API) | |
| shell: bash | |
| run: | | |
| make functest | |
| env: | |
| FUNCTEST_ARGS: '-m "uses_gitguardian_api"' | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
| TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }} | |
| TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }} | |
| TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }} | |
| TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }} | |
| build_os_packages: | |
| uses: ./.github/workflows/build_release_assets.yml | |
| secrets: inherit | |
| test_github_secret_scan_action: | |
| name: Test GitHub action for `secret scan` | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ !github.event.pull_request.head.repo.fork }} | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Scan commits for hardcoded secrets | |
| uses: ./actions-unstable/secret | |
| env: | |
| GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} | |
| GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} | |
| GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
| push_docker_images-unstable: | |
| name: Push Docker image to Docker Hub and GitHub Packages | |
| runs-on: ubuntu-22.04 | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| needs: | |
| - lint | |
| - build | |
| - functest_api | |
| - test_github_secret_scan_action | |
| steps: | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: | | |
| gitguardian/ggshield:unstable | |
| ghcr.io/gitguardian/ggshield/ggshield:unstable |