[pre-commit.ci] pre-commit autoupdate #58
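---
# Continuous-integration workflow: runs on pushes and pull requests that
# target main, and on manual dispatch.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Workflow-wide environment. Values are quoted so that every one of them is
# a string; environment variables have no other type.
env:
  FORCE_COLOR: "1"  # Make tools pretty.
  TOX_TESTENV_PASSENV: FORCE_COLOR
  SETUPTOOLS_SCM_PRETEND_VERSION: "1.0"  # avoid warnings about shallow checkout
  PIP_DISABLE_PIP_VERSION_CHECK: "1"
  PIP_NO_PYTHON_VERSION_WARNING: "1"

# N.B. default Python version for setup-python comes from the .python-version
# file at the root of the project.

# Least privilege for GITHUB_TOKEN: read-only access to repository contents.
# Scopes that are not listed here are not granted, and no job in this file
# declares a `permissions` key of its own.
permissions:
  contents: read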
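# Supply-chain note: every `uses:` below references an action by a tag or
# branch name (@v1, @v2, @v3, @v4, @release/v1). Those refs are mutable.
# Pinning each one to a full commit SHA, with the tag kept in a trailing
# comment, fixes the code that actually runs. The SHAs are not filled in
# here; resolve them from each action's repository before pinning.
jobs:
  tests:
    name: Tests on ${{ matrix.python-version }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version:
          - "3.7"
          - "3.8"
          - "3.9"
          - "3.10"
          - "3.11"
          - "pypy-3.7"
          - "pypy-3.8"

    steps:
      # Outbound traffic is blocked except for the endpoints listed here.
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}

      - run: python -Im pip install --upgrade wheel tox

      - name: Determine Python version for tox
        # The matrix value reaches the script as an environment variable
        # instead of being expanded into the script text by the ${{ }}
        # template, so the shell always sees it as data.
        env:
          PYTHON_VERSION: ${{ matrix.python-version }}
        run: |
          V=$PYTHON_VERSION
          if [[ "$V" = ~* ]]; then
            # Extract version from a '~3.XX.0-0' specifier.
            V=${V:1:4}
          fi

          if [[ "$V" = pypy-* ]]; then
            V=pypy3
          else
            V=py$(echo "$V" | tr -d .)
          fi

          echo "TOX_PYTHON=$V" >>"$GITHUB_ENV"

      # TOX_PYTHON was written to GITHUB_ENV by the previous step, so it is
      # available here as an ordinary environment variable.
      - run: python -Im tox run -f "$TOX_PYTHON"

      - name: Upload coverage data
        uses: actions/upload-artifact@v3
        with:
          name: coverage-data
          path: .coverage.*
          if-no-files-found: ignore

  coverage:
    name: Combine & check coverage.
    runs-on: ubuntu-latest
    needs: tests

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4

      - uses: actions/download-artifact@v3
        with:
          name: coverage-data

      - run: python -Im pip install --upgrade coverage[toml]

      - name: Combine coverage & fail if it's <100%.
        run: |
          python -Im coverage combine
          python -Im coverage html --skip-covered --skip-empty
          python -Im coverage report --fail-under=100

      - name: Upload HTML report if check failed.
        uses: actions/upload-artifact@v3
        with:
          name: html-report
          path: htmlcov
        if: ${{ failure() }}

  system-package:
    name: Install & test with system package of Argon2.
    runs-on: ubuntu-latest
    env:
      SETUPTOOLS_SCM_PRETEND_VERSION: ""  # inconsistency error otherwise

    steps:
      # The Ubuntu mirror is reached over plain HTTP (port 80); package
      # integrity then rests on apt's signature verification of the
      # repository metadata.
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            azure.archive.ubuntu.com:80
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443

      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v4

      - name: Install dependencies
        # --yes keeps apt-get from stopping at a confirmation prompt that
        # nobody can answer on a CI runner.
        run: |
          sudo apt-get install --yes libargon2-0 libargon2-0-dev
          python -VV
          python -Im site
          python -Im pip install --upgrade wheel tox

      - run: python -Im tox run -e system-argon2

  mypy:
    name: Mypy on ${{ matrix.python-version }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python-version:
          - "3.7"
          - "3.8"
          - "3.9"
          - "3.10"
          - "3.11"

    steps:
      # Same egress restriction as the other jobs. The endpoint list mirrors
      # the `tests` job, whose steps make the same kind of requests
      # (checkout, a matrix Python from setup-python, installs from PyPI).
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}

      - run: python -Im pip install --upgrade wheel tox
      - run: python -Im tox run -e mypy

  docs:
    name: Build docs & run doctests
    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            docs.python.org:443
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: "3.10"

      - run: python -Im pip install --upgrade wheel tox
      # Invoked as `python -Im tox`, like every other tox call in this file.
      - run: python -Im tox run -e docs

  package:
    name: Build & verify package
    runs-on: ubuntu-latest
    env:
      SETUPTOOLS_SCM_PRETEND_VERSION: ""

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443

      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - uses: hynek/build-and-inspect-python-package@v1

  install-dev:
    name: Verify dev env
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]

    steps:
      # NOTE(review): confirm that this harden-runner version enforces the
      # egress policy on the Windows and macOS runners; if it only acts on
      # Linux, the step gives no protection on the other two.
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443

      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4

      - run: python -Im pip install -e .[dev]
      - run: python -Im argon2 -n 1 -t 1 -m 8 -p 1

  # Ensure everything required is passing for branch protection.
  # `tests` is covered indirectly, because `coverage` needs it.
  # NOTE(review): `mypy` is not in this list, so a failing type check does
  # not fail this gate. Confirm that this is intended.
  required-checks-pass:
    if: always()

    needs:
      - coverage
      - docs
      - install-dev
      - package
      - system-package

    runs-on: ubuntu-latest

    steps:
      # No allowed-endpoints: this job's steps get no outbound access.
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block

      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}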