Skip to content

MAINT - CI improvements (security and maintenance) #575

MAINT - CI improvements (security and maintenance)

MAINT - CI improvements (security and maintenance) #575

Workflow file for this run

# Testing (pytest, a11y-tests), profiling, and coverage checks for PST
name: continuous-integration
# Concurrency group that uses the workflow name and PR number if available
# or commit SHA as a fallback. If a new build is triggered under that
# concurrency group while a previous build is running it will be canceled.
# Repeated pushes to a PR will cancel all previous builds, while multiple
# merges to main will not cancel.
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
env:
FORCE_COLOR: "1" # Make tools pretty
DEFAULT_PYTHON_VERSION: "3.12" # keep in sync with tox.ini
PIP_DISABLE_PIP_VERSION_CHECK: "1" # Don't check for pip updates
permissions: {}
on:
push:
branches:
- main
pull_request:
branches:
- "*"
# allows this to be used as a composite action in other workflows
workflow_call:
# allow manual triggering of the workflow, while debugging
workflow_dispatch:
jobs:
# Run our test suite on various combinations of OS & Python versions
run-pytest:
strategy:
fail-fast: true
matrix:
# https://github.com/actions/runner-images
# macos-14==latest
# ubuntu-24.04==latest
# windows-2022==latest
os: ["ubuntu-latest", "ubuntu-22.04", "macos-14", "windows-latest"]
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
sphinx-version: [""]
include:
# oldest Python version with the oldest Sphinx version
- os: ubuntu-latest
python-version: "3.9"
sphinx-version: "6.1"
# newest Python version with the newest Sphinx version
- os: ubuntu-latest
python-version: "3.12"
# Sphinx HEAD
sphinx-version: "dev"
exclude:
# Python 3.9 is not supported on macOS 14 - https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json
- os: macos-14
python-version: "3.9"
# do not need all the tests so will limit to the latest versions of Python
- os: ubuntu-24.04
python-version: "3.9"
- os: ubuntu-24.04
python-version: "3.10"
runs-on: ${{ matrix.os }}
steps:
- name: "Checkout repository 🛎"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: "Setup CI environment 🛠"
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
python-version: ${{ matrix.python-version }}
pandoc: true
- name: "Run tests ✅"
shell: bash
run: |
# this will compile the assets and translations then run the tests
# check if there is a specific Sphinx version to test with
# example substitution: tox run -e compile-assets,i18n-compile,py39-sphinx61-tests
if [ -n "${{matrix.sphinx-version}}" ]; then
python -Im tox run -e compile-assets,i18n-compile,py$(echo ${{ matrix.python-version }} | tr -d .)-sphinx$(echo ${{ matrix.sphinx-version }} | tr -d .)-tests
# if not we use the default version
# example substitution: tox run -e compile-assets,i18n-compile,py39-tests
else
python -Im tox run -e compile-assets,i18n-compile,py$(echo ${{ matrix.python-version }} | tr -d .)-tests
fi
- name: "Upload coverage data to GH artifacts 📤"
if: matrix.python-version == '3.12' && matrix.os == 'ubuntu-latest' && matrix.sphinx-version == 'dev'
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
with:
name: coverage-data-${{ matrix.python-version }}
path: .coverage
if-no-files-found: ignore
include-hidden-files: true
coverage:
name: "Check coverage"
needs: run-pytest
runs-on: ubuntu-latest
# avoid running this on schedule, releases, workflow_call, or workflow_dispatch
if: github.event_name != 'schedule' && github.event_name != 'release' && github.event_name != 'workflow_call' && github.event_name != 'workflow_dispatch'
permissions:
contents: write
pull-requests: write
steps:
- name: "Checkout repository 🛎"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: "Setup CI environment 🛠"
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
- run: python -Im pip install --upgrade coverage[toml]
- name: "Download coverage data 📥"
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
pattern: coverage-data-*
merge-multiple: true
- name: "Get coverage data & fail if it's <80%"
run: |
# if we decide to check cov across versions and combine
# python -Im coverage combine
python -Im coverage html --skip-covered --skip-empty
# report and write to summary.
python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
# report again and fail if under 80%.
python -Im coverage report --fail-under=80
- name: "Upload HTML report if check failed 📤"
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
with:
name: html-report
path: htmlcov
if: ${{ failure() }}
# seems we need to call this from the main CI workflow first
- name: "Coverage comment 💬"
uses: py-cov-action/python-coverage-comment-action@b2eb38dd175bf053189b35f738f9207278b00925
id: coverage_comment
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Store Pull Request comment to be posted 📤"
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true'
with:
# leave default names
name: python-coverage-comment-action
path: python-coverage-comment-action.txt
profiling:
needs: [run-pytest]
runs-on: ubuntu-latest
steps:
- name: "Checkout repository 🛎"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
persist-credentials: false
- name: "Setup CI environment 🛠"
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
# 3.12 is not supported by py-spy yet
python-version: "3.11"
- name: "Run profiling with py-spy 🕵️‍♂️"
# profiling needs to be run as sudo
run: python -m tox run -e py311-profile-docs -- -o docbuild_profile.svg
continue-on-error: true
- name: "Upload profiling data to GH artifacts 📤"
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
with:
name: profile-results
path: docbuild_profile.svg
if-no-files-found: ignore
# Calling the coverage-comment action from the main CI workflow
# we might want to pin the SHA once merged
coverage-comment:
uses: ./.github/workflows/coverage.yml
needs: [coverage]
permissions:
contents: write
pull-requests: write
actions: read