MAINT - CI improvements (security and maintenance) #575
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Testing (pytest, a11y-tests), profiling, and coverage checks for PST | |
name: continuous-integration | |
# Concurrency group that uses the workflow name and PR number if available | |
# or commit SHA as a fallback. If a new build is triggered under that | |
# concurrency group while a previous build is running it will be canceled. | |
# Repeated pushes to a PR will cancel all previous builds, while multiple | |
# merges to main will not cancel. | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} | |
cancel-in-progress: true | |
env: | |
FORCE_COLOR: "1" # Make tools pretty | |
DEFAULT_PYTHON_VERSION: "3.12" # keep in sync with tox.ini | |
PIP_DISABLE_PIP_VERSION_CHECK: "1" # Don't check for pip updates | |
permissions: {} | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- "*" | |
# allows this to be used as a composite action in other workflows | |
workflow_call: | |
# allow manual triggering of the workflow, while debugging | |
workflow_dispatch: | |
jobs: | |
# Run our test suite on various combinations of OS & Python versions | |
run-pytest: | |
strategy: | |
fail-fast: true | |
matrix: | |
# https://github.com/actions/runner-images | |
# macos-14==latest | |
# ubuntu-24.04==latest | |
# windows-2022==latest | |
os: ["ubuntu-latest", "ubuntu-22.04", "macos-14", "windows-latest"] | |
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"] | |
sphinx-version: [""] | |
include: | |
# oldest Python version with the oldest Sphinx version | |
- os: ubuntu-latest | |
python-version: "3.9" | |
sphinx-version: "6.1" | |
# newest Python version with the newest Sphinx version | |
- os: ubuntu-latest | |
python-version: "3.12" | |
# Sphinx HEAD | |
sphinx-version: "dev" | |
exclude: | |
# Python 3.9 is not supported on macOS 14 - https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json | |
- os: macos-14 | |
python-version: "3.9" | |
# do not need all the tests so will limit to the latest versions of Python | |
- os: ubuntu-24.04 | |
python-version: "3.9" | |
- os: ubuntu-24.04 | |
python-version: "3.10" | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: "Checkout repository 🛎" | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
persist-credentials: false | |
- name: "Setup CI environment 🛠" | |
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1 | |
with: | |
python-version: ${{ matrix.python-version }} | |
pandoc: true | |
- name: "Run tests ✅" | |
shell: bash | |
run: | | |
# this will compile the assets and translations then run the tests | |
# check if there is a specific Sphinx version to test with | |
# example substitution: tox run -e compile-assets,i18n-compile,py39-sphinx61-tests | |
if [ -n "${{matrix.sphinx-version}}" ]; then | |
python -Im tox run -e compile-assets,i18n-compile,py$(echo ${{ matrix.python-version }} | tr -d .)-sphinx$(echo ${{ matrix.sphinx-version }} | tr -d .)-tests | |
# if not we use the default version | |
# example substitution: tox run -e compile-assets,i18n-compile,py39-tests | |
else | |
python -Im tox run -e compile-assets,i18n-compile,py$(echo ${{ matrix.python-version }} | tr -d .)-tests | |
fi | |
- name: "Upload coverage data to GH artifacts 📤" | |
if: matrix.python-version == '3.12' && matrix.os == 'ubuntu-latest' && matrix.sphinx-version == 'dev' | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 | |
with: | |
name: coverage-data-${{ matrix.python-version }} | |
path: .coverage | |
if-no-files-found: ignore | |
include-hidden-files: true | |
coverage: | |
name: "Check coverage" | |
needs: run-pytest | |
runs-on: ubuntu-latest | |
# avoid running this on schedule, releases, workflow_call, or workflow_dispatch | |
if: github.event_name != 'schedule' && github.event_name != 'release' && github.event_name != 'workflow_call' && github.event_name != 'workflow_dispatch' | |
permissions: | |
contents: write | |
pull-requests: write | |
steps: | |
- name: "Checkout repository 🛎" | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
persist-credentials: false | |
- name: "Setup CI environment 🛠" | |
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1 | |
with: | |
python-version: ${{ env.DEFAULT_PYTHON_VERSION }} | |
- run: python -Im pip install --upgrade coverage[toml] | |
- name: "Download coverage data 📥" | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 | |
with: | |
pattern: coverage-data-* | |
merge-multiple: true | |
- name: "Get coverage data & fail if it's <80%" | |
run: | | |
# if we decide to check cov across versions and combine | |
# python -Im coverage combine | |
python -Im coverage html --skip-covered --skip-empty | |
# report and write to summary. | |
python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY | |
# report again and fail if under 80%. | |
python -Im coverage report --fail-under=80 | |
- name: "Upload HTML report if check failed 📤" | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 | |
with: | |
name: html-report | |
path: htmlcov | |
if: ${{ failure() }} | |
# seems we need to call this from the main CI workflow first | |
- name: "Coverage comment 💬" | |
uses: py-cov-action/python-coverage-comment-action@b2eb38dd175bf053189b35f738f9207278b00925 | |
id: coverage_comment | |
with: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: "Store Pull Request comment to be posted 📤" | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 | |
if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true' | |
with: | |
# leave default names | |
name: python-coverage-comment-action | |
path: python-coverage-comment-action.txt | |
profiling: | |
needs: [run-pytest] | |
runs-on: ubuntu-latest | |
steps: | |
- name: "Checkout repository 🛎" | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
persist-credentials: false | |
- name: "Setup CI environment 🛠" | |
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1 | |
with: | |
# 3.12 is not supported by py-spy yet | |
python-version: "3.11" | |
- name: "Run profiling with py-spy 🕵️♂️" | |
# profiling needs to be run as sudo | |
run: python -m tox run -e py311-profile-docs -- -o docbuild_profile.svg | |
continue-on-error: true | |
- name: "Upload profiling data to GH artifacts 📤" | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 | |
with: | |
name: profile-results | |
path: docbuild_profile.svg | |
if-no-files-found: ignore | |
# Calling the coverage-comment action from the main CI workflow | |
# we might want to pin the SHA once merged | |
coverage-comment: | |
uses: ./.github/workflows/coverage.yml | |
needs: [coverage] | |
permissions: | |
contents: write | |
pull-requests: write | |
actions: read |