Skip to content

chore: fast forward upstream changes to v2.17.0 #34

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
shubham-stepsecurity merged 1 commit into from
Aug 6, 2024
Merged

chore: fast forward upstream changes to v2.17.0 #34

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 43 additions & 20 deletions .github/actions/test/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
name: 'Test'

description: 'A GitHub Action that tests this action'

inputs:
Expand All @@ -21,12 +22,12 @@ runs:

- name: Setup Python
if: inputs.python-version != 'installed'
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.python-version }}

- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Detect OS
id: os
Expand All @@ -48,8 +49,9 @@ runs:
shell: bash

- name: Cache PIP Packages
uses: actions/cache@v3
uses: actions/cache@v4
id: cache
if: github.event_name != 'schedule'
with:
path: ${{ steps.os.outputs.pip-cache }}
key: ${{ inputs.os }}-pip-test-${{ inputs.python-version }}-${{ hashFiles('**/requirements.txt', '**/constraints.txt') }}-${{ steps.os.outputs.date }}
Expand All @@ -60,16 +62,37 @@ runs:

- name: Install Python dependencies
run: |
python3 -V
python3 -m pip freeze | sort
python3 -m pip cache info || true
python3 -m pip cache list || true
python3 -m pip install --upgrade --force pip wheel
python3 -m pip install --force -r python/requirements.txt
python3 -m pip install --force -r python/test/requirements.txt -c python/test/constraints.txt
python3 -m pip freeze | sort
python3 -m pip cache info || true
python3 -m pip cache list || true
python -m venv "$RUNNER_TEMP/venv"
echo "$RUNNER_TEMP/venv/bin" >> "$GITHUB_PATH"
echo "$RUNNER_TEMP/venv/Scripts" >> "$GITHUB_PATH"
export PATH="$RUNNER_TEMP/venv/bin:$RUNNER_TEMP/venv/Scripts:$PATH"
which python

# inspect pip cache
python -m pip freeze | sort
python -m pip cache info || true
python -m pip cache list || true

# remove cached built whl files
rm -rf "$(python -m pip cache info | grep ".*[Ww]heels location: " | cut -d ":" -f 2- | cut -d " " -f 2-)"
python -m pip cache list || true

# install dependencies
python_minor_version="$(python -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')"
python -m pip install --force -r python/requirements-$python_minor_version.txt
python -m pip install --force -r python/test/requirements.txt -c python/test/constraints.txt

# inspect pip cache
python -m pip freeze | sort
python -m pip cache info || true
python -m pip cache list || true

# assert no whl files have been built
if python -m pip cache info && [[ "$(python -m pip cache info | grep "Number of .*wheels:")" != "Number of "*"wheels: 0" ]]
then
echo "Dependency whl files have been built"
exit 1
fi
shell: bash

- name: Update expectation files
Expand All @@ -84,16 +107,16 @@ runs:
# we only upload the changed files if we can find zip
if which zip
then
(git diff --name-only && git ls-files -o --exclude-standard) | xargs -d "\n" zip changed-expectations.zip
(git diff --name-only && git ls-files -o --exclude-standard) | xargs zip changed-expectations.zip
exit 1
fi
fi
shell: bash
- name: Upload changed expectation files
if: steps.changes.outcome == 'failure'
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: Changed expectations
name: Changed expectations (python-${{ inputs.python-version }}, ${{ inputs.os }})
path: changed-expectations.zip
if-no-files-found: error

Expand All @@ -102,7 +125,7 @@ runs:
PYTHONPATH: ..
run: |
cd python/test
python3 -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest.xml
python -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest.xml
shell: bash

- name: PyTest (EST)
Expand All @@ -112,7 +135,7 @@ runs:
PYTHONPATH: ..
run: |
cd python/test
python3 -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest-est.xml
python -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest-est.xml
shell: bash

- name: PyTest (CET)
Expand All @@ -122,12 +145,12 @@ runs:
PYTHONPATH: ..
run: |
cd python/test
python3 -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest-cet.xml
python -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest-cet.xml
shell: bash

- name: Upload Test Results
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: Test Results (python-${{ inputs.python-version }}, ${{ inputs.os }})
path: |
Expand Down
4 changes: 0 additions & 4 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,3 @@ updates:
directory: "/"
schedule:
interval: "monthly"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
9 changes: 5 additions & 4 deletions .github/upgrade-pip-packages.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,13 @@
set -euo pipefail

base="$(dirname "$0")"
python_minor_version="$(python3 -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')"

pip install --upgrade --force pip==22.0.0
pip install --upgrade --upgrade-strategy eager -r "$base/../python/requirements-direct.txt"
pip install --upgrade --force pip==24.0.0
pip install --upgrade --upgrade-strategy eager -r "$base/../python/requirements.txt"

pip install pipdeptree
pipdeptree --packages="$(sed -e "s/;.*//" -e "s/=.*//g" "$base/../python/requirements-direct.txt" | paste -s -d ,)" --freeze > "$base/../python/requirements.txt"
pipdeptree --packages="$(sed -e "s/;.*//" -e "s/=.*//g" "$base/../python/requirements.txt" | paste -s -d ,)" --freeze > "$base/../python/requirements-$python_minor_version.txt"

git diff "$base/../python/requirements.txt"
git diff "$base/../python/requirements-$python_minor_version.txt"

58 changes: 38 additions & 20 deletions .github/workflows/ci-cd.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,34 +19,54 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Check requirements.txt against requirements-direct.txt
uses: actions/checkout@v4
- name: Check requirements.txt
run: |
(diff -w python/requirements-direct.txt python/requirements.txt || true) | (! grep -e "^<")
(diff -w <(grep -v "python_version > '3.7'" python/requirements.txt | sed -e "s/;.*//") python/requirements-3.7.txt || true) | (! grep -e "^<")
(diff -w <(grep -v "python_version <= '3.7'" python/requirements.txt | sed -e "s/;.*//") python/requirements-post-3.7.txt || true) | (! grep -e "^<")
shell: bash
- name: Check for dependency updates
continue-on-error: true
run:
.github/upgrade-pip-packages.sh
run: |
pip install tox
tox
git diff --exit-code
shell: bash

test-mac:
name: "Test macOS"
uses: "./.github/workflows/test-os.yml"
with:
os: '["macos-12", "macos-13"]'
os: '["macos-12", "macos-13", "macos-14"]'
python-version: '["3.10", "3.11", "3.12", "installed"]'
include: >
[
{"os": "macos-12", "python-version": "3.8"},
{"os": "macos-12", "python-version": "3.9"},
{"os": "macos-13", "python-version": "3.8"},
{"os": "macos-13", "python-version": "3.9"},
]

test-lnx:
name: "Test Ubuntu"
uses: "./.github/workflows/test-os.yml"
with:
os: '["ubuntu-20.04", "ubuntu-22.04"]'
os: '["ubuntu-20.04", "ubuntu-22.04", "ubuntu-24.04"]'
python-version: '["3.9", "3.10", "3.11", "3.12", "installed"]'
include: >
[
{"os": "ubuntu-20.04", "python-version": "3.7"},
{"os": "ubuntu-20.04", "python-version": "3.8"},
{"os": "ubuntu-22.04", "python-version": "3.8"},
]

test-win:
name: "Test Windows"
uses: "./.github/workflows/test-os.yml"
with:
os: '["windows-2019", "windows-2022"]'
python-version: '["3.8", "3.9", "3.10", "3.11", "3.12", "installed"]'
include: '[{"os": "windows-2019", "python-version": "3.7"}]'

publish:
name: "Publish"
Expand Down Expand Up @@ -75,10 +95,10 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Extract action image and version
# we deploy from a specific commit on main (the one that mentions a new version the first time)
# we deploy from a specific commit on master (the one that mentions a new version the first time)
# so we need to tell docker/metadata-action to extract docker tags from that version
id: action
run: |
Expand All @@ -93,12 +113,10 @@ jobs:
env:
DOCKER_CLI_EXPERIMENTAL: enabled
run: |
exists='false'
if docker manifest inspect '${{ steps.action.outputs.image }}'
then
exists='true'
echo "exists=true" >>$GITHUB_OUTPUT
fi
echo "exists=$exists" >>$GITHUB_OUTPUT
shell: bash

deploy:
Expand All @@ -117,7 +135,7 @@ jobs:
steps:
- name: Docker meta
id: docker-meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@v5
with:
images: ghcr.io/step-security/publish-unit-test-result-action
flavor: |
Expand All @@ -131,13 +149,13 @@ jobs:
type=semver,pattern={{version}},value=${{ needs.config-deploy.outputs.image-version }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand All @@ -156,7 +174,7 @@ jobs:


- name: Build and push Docker image
uses: docker/build-push-action@v4
uses: docker/build-push-action@v6
id: build
with:
tags: ${{ steps.docker-meta.outputs.tags }}
Expand Down Expand Up @@ -184,20 +202,20 @@ jobs:
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: ${{ needs.deploy.outputs.should_push == 'true' }}
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
image: ${{ needs.deploy.outputs.image }}
digest: ${{ needs.deploy.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}

event_file:
name: "Event File"
runs-on: ubuntu-latest
steps:
- name: Upload
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: Event File
path: ${{ github.event_path }}
8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,11 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -46,7 +46,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@v3

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -60,4 +60,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@v3
Loading