Skip to content

ci: harden github actions according to "zizmor" recommendations (#13062) #5750

ci: harden github actions according to "zizmor" recommendations (#13062)

ci: harden github actions according to "zizmor" recommendations (#13062) #5750

Workflow file for this run

name: test
on:
push:
branches:
- main
- "[0-9]+.[0-9]+.x"
- "test-me-*"
tags:
- "[0-9]+.[0-9]+.[0-9]+"
- "[0-9]+.[0-9]+.[0-9]+rc[0-9]+"
pull_request:
branches:
- main
- "[0-9]+.[0-9]+.x"
types:
- opened # default
- synchronize # default
- reopened # default
- ready_for_review # used in PRs created from the release workflow
env:
PYTEST_ADDOPTS: "--color=yes"
# Cancel running jobs for the same workflow and branch.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# Set permissions at the job level.
permissions: {}
jobs:
package:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Build and Check Package
uses: hynek/[email protected]
build:
needs: [package]
runs-on: ${{ matrix.os }}
timeout-minutes: 45
permissions:
contents: read
strategy:
fail-fast: false
matrix:
name: [
"windows-py39-unittestextras",
"windows-py39-pluggy",
"windows-py39-xdist",
"windows-py310",
"windows-py311",
"windows-py312",
"windows-py313",
"ubuntu-py39-lsof-numpy-pexpect",
"ubuntu-py39-pluggy",
"ubuntu-py39-freeze",
"ubuntu-py39-xdist",
"ubuntu-py310-xdist",
"ubuntu-py311",
"ubuntu-py312",
"ubuntu-py313-pexpect",
"ubuntu-pypy3-xdist",
"macos-py39",
"macos-py310",
"macos-py312",
"macos-py313",
"doctesting",
"plugins",
]
include:
- name: "windows-py39-unittestextras"
python: "3.9"
os: windows-latest
tox_env: "py39-unittestextras"
use_coverage: true
- name: "windows-py39-pluggy"
python: "3.9"
os: windows-latest
tox_env: "py39-pluggymain-pylib-xdist"
- name: "windows-py39-xdist"
python: "3.9"
os: windows-latest
tox_env: "py39-xdist"
- name: "windows-py310"
python: "3.10"
os: windows-latest
tox_env: "py310-xdist"
- name: "windows-py311"
python: "3.11"
os: windows-latest
tox_env: "py311"
- name: "windows-py312"
python: "3.12"
os: windows-latest
tox_env: "py312"
- name: "windows-py313"
python: "3.13"
os: windows-latest
tox_env: "py313"
- name: "ubuntu-py39-lsof-numpy-pexpect"
python: "3.9"
os: ubuntu-latest
tox_env: "py39-lsof-numpy-pexpect"
- name: "ubuntu-py39-pluggy"
python: "3.9"
os: ubuntu-latest
tox_env: "py39-pluggymain-pylib-xdist"
- name: "ubuntu-py39-freeze"
python: "3.9"
os: ubuntu-latest
tox_env: "py39-freeze"
- name: "ubuntu-py39-xdist"
python: "3.9"
os: ubuntu-latest
tox_env: "py39-xdist"
- name: "ubuntu-py310-xdist"
python: "3.10"
os: ubuntu-latest
tox_env: "py310-xdist"
- name: "ubuntu-py311"
python: "3.11"
os: ubuntu-latest
tox_env: "py311"
use_coverage: true
- name: "ubuntu-py312"
python: "3.12"
os: ubuntu-latest
tox_env: "py312"
use_coverage: true
- name: "ubuntu-py313-pexpect"
python: "3.13"
os: ubuntu-latest
tox_env: "py313-pexpect"
use_coverage: true
- name: "ubuntu-pypy3-xdist"
python: "pypy-3.9"
os: ubuntu-latest
tox_env: "pypy3-xdist"
- name: "macos-py39"
python: "3.9"
os: macos-latest
tox_env: "py39-xdist"
use_coverage: true
- name: "macos-py310"
python: "3.10"
os: macos-latest
tox_env: "py310-xdist"
- name: "macos-py312"
python: "3.12"
os: macos-latest
tox_env: "py312-xdist"
- name: "macos-py313"
python: "3.13"
os: macos-latest
tox_env: "py313-xdist"
- name: "plugins"
python: "3.12"
os: ubuntu-latest
tox_env: "plugins"
- name: "doctesting"
python: "3.9"
os: ubuntu-latest
tox_env: "doctesting"
use_coverage: true
continue-on-error: >-
${{
contains(
fromJSON(
'[
"windows-py39-pluggy",
"windows-py313",
"ubuntu-py39-pluggy",
"ubuntu-py39-freeze",
"ubuntu-py313",
"macos-py39",
"macos-py313"
]'
),
matrix.name
)
&& true
|| false
}}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Download Package
uses: actions/download-artifact@v4
with:
name: Packages
path: dist
- name: Set up Python ${{ matrix.python }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python }}
check-latest: ${{ endsWith(matrix.python, '-dev') }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install tox coverage
- name: Test without coverage
if: "! matrix.use_coverage"
shell: bash
run: tox run -e ${{ matrix.tox_env }} --installpkg `find dist/*.tar.gz`
- name: Test with coverage
if: "matrix.use_coverage"
shell: bash
run: tox run -e ${{ matrix.tox_env }}-coverage --installpkg `find dist/*.tar.gz`
- name: Generate coverage report
if: "matrix.use_coverage"
run: python -m coverage xml
- name: Upload coverage to Codecov
if: "matrix.use_coverage"
uses: codecov/codecov-action@v5
with:
fail_ci_if_error: false
files: ./coverage.xml
verbose: true
check: # This job does nothing and is only used for the branch protection
if: always()
needs:
- build
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@223e4bb7a751b91f43eda76992bcfbf23b8b0302
with:
jobs: ${{ toJSON(needs) }}