security: don't persist git credentials in checkout #426
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
on: | |
push: | |
branches: ["main", "master", "ci-testing-*"] | |
pull_request: | |
branches: ["main", "master"] | |
schedule: | |
- cron: "0 6 * * MON" # Every Monday morning | |
workflow_dispatch: | |
jobs: | |
tests: | |
name: "Python ${{ matrix.python-version }} / ${{ matrix.os }}" | |
runs-on: "${{ matrix.os }}" | |
env: | |
USING_COVERAGE: "3.8,3.9,3.10,3.11,3.12" | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
python-version: | |
- "3.8" | |
- "3.9" | |
- "3.10" | |
- "3.11" | |
- "3.12" | |
- "pypy3.9" | |
exclude: | |
- os: macos-latest | |
python-version: pypy3.9 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# We want our tags here | |
fetch-depth: 0 | |
persist-credentials: false | |
- name: Install the latest version of uv | |
id: setup-uv | |
uses: astral-sh/setup-uv@v3 | |
with: | |
enable-cache: true | |
- name: "Run tox targets for ${{ matrix.python-version }}" | |
env: | |
TOX_GH_MAJOR_MINOR: ${{ matrix.python-version }} | |
run: uvx --with tox-uv --with tox-gh tox | |
- name: Upload coverage data | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-data-${{ matrix.python-version }}-${{ matrix.os }} | |
path: ".coverage*" | |
if-no-files-found: ignore | |
include-hidden-files: true | |
coverage: | |
needs: | |
- tests | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install the latest version of uv | |
id: setup-uv | |
uses: astral-sh/setup-uv@v3 | |
with: | |
enable-cache: true | |
- name: Download coverage data | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: coverage-data-* | |
merge-multiple: true | |
- name: Combine coverage | |
run: | | |
uvx --with coverage[toml] coverage combine | |
# ignore-errors is so that we don't gag on missing code in .tox environments | |
- name: Generate the HTML report | |
run: uvx --with coverage[toml] coverage html --skip-covered --skip-empty --ignore-errors | |
- name: Upload the HTML report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: html-report | |
path: htmlcov | |
# ignore-errors is so that we don't gag on missing code in .tox environments | |
- name: Enforce the coverage | |
run: uvx --with coverage[toml] coverage report --ignore-errors --fail-under 95 | |
package: | |
name: "Build & verify package" | |
runs-on: "ubuntu-latest" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# We want our tags here | |
fetch-depth: 0 | |
persist-credentials: false | |
- uses: hynek/build-and-inspect-python-package@v2 | |
install-dev: | |
strategy: | |
matrix: | |
os: ["ubuntu-latest", "windows-latest", "macos-latest"] | |
name: "Verify dev env / ${{ matrix.os }}" | |
runs-on: "${{ matrix.os }}" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install the latest version of uv | |
id: setup-uv | |
uses: astral-sh/setup-uv@v3 | |
with: | |
enable-cache: true | |
- name: "Install in dev mode" | |
run: | | |
uv venv | |
uv pip install -e .[dev] | |
- name: "Import package" | |
run: "uv run python -c 'import hamcrest; print(hamcrest.__version__)'" |