Update github/codeql-action action to v4 #2884
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tests # Run tests and upload coverage | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref || github.ref_name }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| tests: | |
| name: ${{ matrix.session }} ${{ matrix.python }} / ${{ matrix.os }} | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - { python: "3.9", os: "ubuntu-latest", session: "tests" } | |
| - { python: "3.10", os: "ubuntu-latest", session: "tests" } | |
| - { python: "3.11", os: "ubuntu-latest", session: "pre-commit" } | |
| - { python: "3.11", os: "ubuntu-latest", session: "xdoctest" } | |
| - { python: "3.11", os: "ubuntu-latest", session: "docs-build" } | |
| - { python: "3.11", os: "ubuntu-latest", session: "tests" } | |
| - { python: "3.11", os: "windows-latest", session: "tests" } | |
| - { python: "3.11", os: "ubuntu-latest", session: "pip-audit" } | |
| # - { python: "3.10", os: "ubuntu-latest", session: "mypy" } | |
| # - { python: "3.9", os: "ubuntu-latest", session: "mypy" } | |
| # - { python: "3.10", os: "ubuntu-latest", session: "typeguard" } | |
| env: | |
| NOXSESSION: ${{ matrix.session }} | |
| FORCE_COLOR: "1" | |
| PRE_COMMIT_COLOR: "always" | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| disable-telemetry: false | |
| allowed-endpoints: > | |
| auth.docker.io:443 | |
| files.pythonhosted.org:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| production.cloudflare.docker.com:443 | |
| pypi.org:443 | |
| registry-1.docker.io:443 | |
| registry.npmjs.org:443 | |
| - name: Check out the repository | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Set up Python ${{ matrix.python }} | |
| uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 | |
| with: | |
| python-version: ${{ matrix.python }} | |
| - name: Upgrade pip | |
| run: | | |
| pip install --constraint=.github/workflows/constraints.txt pip | |
| pip --version | |
| - name: Install UV | |
| run: | | |
| pipx install --pip-args=--constraint=.github/workflows/constraints.txt uv | |
| uv --version | |
| - name: Install Nox | |
| run: | | |
| uvx pipx install --pip-args=--constraint=.github/workflows/constraints.txt nox | |
| nox --version | |
| - name: Compute pre-commit cache key | |
| if: matrix.session == 'pre-commit' | |
| id: pre-commit-cache | |
| shell: python | |
| run: | | |
| import hashlib | |
| import sys | |
| import os | |
| env_file = os.getenv("GITHUB_ENV") | |
| python="py{}.{}".format(*sys.version_info[:2]) | |
| payload=sys.version.encode() + sys.executable.encode() | |
| digest=hashlib.sha256(payload).hexdigest() | |
| cache_key="${{ runner.os }}-{}-{}-pre-commit".format(python, digest[:8]) | |
| with open(env_file, "a") as my_file: | |
| my_file.write(f"PC_CACHE_KEY={cache_key}") | |
| - name: Restore pre-commit cache | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| if: matrix.session == 'pre-commit' | |
| with: | |
| path: ~/.cache/pre-commit | |
| key: ${{ env.PC_CACHE_KEY }}-${{ hashFiles('.pre-commit-config.yaml') }} | |
| restore-keys: | | |
| ${{ env.PC_CACHE_KEY }}- | |
| - name: Run Nox | |
| env: | |
| UV_PREVIEW: 1 | |
| run: | | |
| nox --python=${{ matrix.python }} | |
| - name: Upload coverage data | |
| if: always() && matrix.session == 'tests' && matrix.python == '3.11' && matrix.os == 'ubuntu-latest' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| # Hack for v4.4 hidden file change | |
| name: coverage-data | |
| path: ".coverage*" | |
| include-hidden-files: true | |
| - name: Upload documentation | |
| if: matrix.session == 'docs-build' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: docs | |
| path: docs/_build | |
| coverage: | |
| runs-on: ubuntu-latest | |
| needs: tests | |
| steps: | |
| - name: Check out the repository | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Set up Python | |
| uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 | |
| with: | |
| python-version: "3.14" | |
| - name: Upgrade pip | |
| run: | | |
| pip install --constraint=.github/workflows/constraints.txt pip | |
| pip --version | |
| - name: Install UV | |
| run: | | |
| pipx install --pip-args=--constraint=.github/workflows/constraints.txt uv | |
| uv --version | |
| - name: Install Nox | |
| run: | | |
| uvx pipx install --pip-args=--constraint=.github/workflows/constraints.txt nox | |
| nox --version | |
| - name: Download coverage data | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 | |
| with: | |
| name: coverage-data | |
| - name: Combine coverage data and display human readable report | |
| env: | |
| UV_PREVIEW: 1 | |
| run: | | |
| nox --session=coverage | |
| - name: Create coverage report | |
| env: | |
| UV_PREVIEW: 1 | |
| run: | | |
| nox --session=coverage -- xml | |
| - name: Upload coverage report | |
| uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 |