chore(deps): update crazy-max/ghaction-github-labeler digest to 24d110a #190
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "CI/CD" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| debug_enabled: | |
| description: "Run the workflow with tmate.io debugging enabled" | |
| required: true | |
| type: boolean | |
| default: false | |
| run_build_images: | |
| description: "Run build-images job" | |
| required: false | |
| type: boolean | |
| default: false | |
| pull_request: | |
| types: [opened, labeled, reopened, synchronize] | |
| paths-ignore: | |
| - "**/*.md" | |
| - "*" | |
| - "!flake.nix" | |
| - "!flake.lock" | |
| - "!pyproject.toml" | |
| - "!uv.lock" | |
| push: | |
| branches: | |
| - "main" | |
| - "beta" | |
| paths-ignore: | |
| - "**/*.md" | |
| - "*" | |
| - "!flake.nix" | |
| - "!flake.lock" | |
| - "!pyproject.toml" | |
| - "!uv.lock" | |
| defaults: | |
| run: | |
| shell: bash | |
| permissions: | |
| contents: read | |
| packages: write | |
| attestations: write | |
| actions: write | |
| id-token: write | |
| jobs: | |
| scan: | |
| name: gitguardian | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # fetch all history so multiple commits can be scanned | |
| - name: GitGuardian scan | |
| uses: GitGuardian/ggshield-action@455483042671cc73b40d0e753baddffef7309a1f # ratchet:GitGuardian/[email protected] | |
| env: | |
| GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} | |
| GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} | |
| GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| set-variables: | |
| needs: scan | |
| runs-on: ubuntu-latest | |
| outputs: | |
| debug: ${{ steps.set-variables.outputs.debug }} | |
| skip_ci: ${{ steps.set-variables.outputs.skip_ci }} | |
| skip_tests: ${{ steps.set-variables.outputs.skip_tests }} | |
| dry_run_release: ${{ steps.set-variables.outputs.dry_run_release }} | |
| checkout_ref: ${{ steps.set-variables.outputs.checkout_ref }} | |
| checkout_rev: ${{ steps.set-variables.outputs.checkout_rev }} | |
| steps: | |
| - name: Set action variables | |
| id: set-variables | |
| run: | | |
| DEBUG="false" | |
| SKIP_CI="false" | |
| SKIP_TESTS="false" | |
| DRY_RUN_RELEASE="false" | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| DEBUG="${{ inputs.debug_enabled }}" | |
| fi | |
| if [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'skip-ci') }}; then | |
| SKIP_CI="true" | |
| fi | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'skip-tests') }}; then | |
| SKIP_TESTS="true" | |
| fi | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'actions-debug') }}; then | |
| DEBUG="true" | |
| fi | |
| if ${{ contains(github.event.pull_request.labels.*.name, 'release-dry-run') }}; then | |
| DRY_RUN_RELEASE="true" | |
| fi | |
| CHECKOUT_REF="${{ github.event.pull_request.head.ref }}" | |
| CHECKOUT_REV="${{ github.event.pull_request.head.sha }}" | |
| else | |
| CHECKOUT_REF="${{ github.ref_name }}" | |
| CHECKOUT_REV="${{ github.sha }}" | |
| fi | |
| echo "DEBUG=$DEBUG" | |
| echo "SKIP_CI=$SKIP_CI" | |
| echo "SKIP_TESTS=$SKIP_TESTS" | |
| echo "CHECKOUT_REF=$CHECKOUT_REF" | |
| echo "CHECKOUT_REV=$CHECKOUT_REV" | |
| echo "DEBUG=$DEBUG" >> $GITHUB_OUTPUT | |
| echo "SKIP_CI=$SKIP_CI" >> $GITHUB_OUTPUT | |
| echo "SKIP_TESTS=$SKIP_TESTS" >> $GITHUB_OUTPUT | |
| echo "DRY_RUN_RELEASE=$DRY_RUN_RELEASE" >> $GITHUB_OUTPUT | |
| echo "CHECKOUT_REF=$CHECKOUT_REF" >> $GITHUB_OUTPUT | |
| echo "CHECKOUT_REV=$CHECKOUT_REV" >> $GITHUB_OUTPUT | |
| nixci: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ | |
| ubuntu-latest, | |
| # macos-latest | |
| ] | |
| needs: set-variables | |
| if: ${{ needs.set-variables.outputs.skip_ci != 'true' }} | |
| concurrency: | |
| group: nixci-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref_name }} | |
| cancel-in-progress: true | |
| steps: | |
| - name: Install dependencies | |
| shell: bash | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -yq zstd | |
| sudo apt-get clean | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 | |
| - name: Install Nix | |
| uses: DeterminateSystems/nix-installer-action@a48face58194521af687ce7df4c802b1b558e743 # ratchet:DeterminateSystems/nix-installer-action@main | |
| with: | |
| extra-conf: "system-features = nixos-test benchmark big-parallel kvm" | |
| - name: Setup remote cache | |
| # TODO: disable continue-on-error https://www.github.com/cachix/cachix-action/issues/200 | |
| uses: cachix/cachix-action@be5295a636153b6ad194d3245f78f8e0b78dc704 # ratchet:cachix/cachix-action@master | |
| continue-on-error: true | |
| with: | |
| name: "${{ vars.CACHIX_CACHE_NAME }}" | |
| authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" | |
| extraPullNames: nix-community,pyproject-nix,sciexp,srid | |
| - name: Setup tmate debug session | |
| uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # ratchet:mxschmitt/action-tmate@v3 | |
| if: ${{ inputs.debug_enabled }} | |
| - name: Install omnix | |
| run: nix --accept-flake-config profile install "github:juspay/omnix" | |
| - name: Summarize flake | |
| run: om show . | |
| - name: Run flake CI | |
| run: | | |
| om ci run | |
| test-python: | |
| needs: [set-variables] | |
| if: ${{ needs.set-variables.outputs.skip_ci != 'true' && needs.set-variables.outputs.skip_tests != 'true' }} | |
| concurrency: | |
| group: test-python-${{ matrix.config.python-version }}-${{ matrix.config.package-name }}-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref_name }} | |
| cancel-in-progress: true | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| config: | |
| - python-version: "3.11" | |
| package-name: "python-nix-template" | |
| - python-version: "3.12" | |
| package-name: "python-nix-template" | |
| - python-version: "3.11" | |
| package-name: "pnt-functional" | |
| - python-version: "3.12" | |
| package-name: "pnt-functional" | |
| uses: ./.github/workflows/python-test.yaml | |
| with: | |
| python-version: ${{ matrix.config.python-version }} | |
| package-name: ${{ matrix.config.package-name }} | |
| debug_enabled: ${{ needs.set-variables.outputs.debug }} | |
| checkout_ref: ${{ needs.set-variables.outputs.checkout_ref }} | |
| secrets: inherit | |
| test-release-packages: | |
| needs: [set-variables, test-python] | |
| if: ${{ github.event_name == 'pull_request' }} | |
| concurrency: | |
| group: test-release-${{ matrix.package.name }}-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref_name }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| package: | |
| - name: python-nix-template | |
| path: "packages/python-nix-template" | |
| - name: pnt-functional | |
| path: packages/pnt-functional | |
| uses: ./.github/workflows/package-release.yaml | |
| with: | |
| package-path: ${{ matrix.package.path }} | |
| package-name: ${{ matrix.package.name }} | |
| version: "0.0.0-test" | |
| release-dry-run: true | |
| checkout-ref: ${{ needs.set-variables.outputs.checkout_ref }} | |
| secrets: inherit | |
| release-packages: | |
| needs: [test-python, nixci] | |
| if: ${{ github.repository_owner == 'sciexp' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta') }} | |
| concurrency: | |
| group: release-${{ matrix.package.name }}-${{ github.workflow }}-${{ github.ref_name }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: write | |
| id-token: write | |
| packages: write | |
| strategy: | |
| # NOTE: this is only necessary if releases commit to the repository | |
| # max-parallel: 1 | |
| matrix: | |
| package: | |
| - name: python-nix-template | |
| path: "packages/python-nix-template" | |
| build-images: true | |
| images: '["python-nix-template", "python-nix-template-dev"]' | |
| - name: pnt-functional | |
| path: packages/pnt-functional | |
| build-images: false | |
| images: "[]" | |
| uses: ./.github/workflows/package-release.yaml | |
| with: | |
| package-path: ${{ matrix.package.path }} | |
| package-name: ${{ matrix.package.name }} | |
| version: "0.0.0" | |
| release-dry-run: false | |
| checkout-ref: ${{ needs.set-variables.outputs.checkout_ref }} | |
| build-images: ${{ matrix.package.build-images }} | |
| images-to-build: ${{ matrix.package.images }} | |
| secrets: inherit | |
| build-pr-images: | |
| needs: [set-variables] | |
| if: ${{ needs.set-variables.outputs.skip_ci != 'true' && ( contains(github.event.pull_request.labels.*.name, 'build-images') || (github.event_name == 'workflow_dispatch' && inputs.run_build_images) ) }} | |
| uses: ./.github/workflows/build-nix-images.yaml | |
| concurrency: | |
| group: bni-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| with: | |
| debug_enabled: ${{ needs.set-variables.outputs.debug }} | |
| version: "" | |
| images: '["python-nix-template", "python-nix-template-dev"]' | |
| branch: ${{ needs.set-variables.outputs.checkout_ref }} | |
| secrets: inherit |