Merge pull request #309 from gruebel/update-gha

update GHA workflows and add python version test jobs

.github/workflows/bump-version.yml

@@ -7,7 +7,7 @@ jobs:
   bump-version:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           ref: master
 

.github/workflows/nodejs-test.yml

@@ -2,7 +2,11 @@
 
 name: Node.js CI
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - master
+  pull_request:
 
 jobs:
   build:
@@ -11,14 +15,15 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [12.x, 14.x]
+        node-version: ['12.x', '14.x', '16.x']
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #  v3.8.1
       with:
         node-version: ${{ matrix.node-version }}
+        cache: 'npm'
     - run: npm install
     - run: npm run build --if-present
     - run: npm test

.github/workflows/publish.yml

@@ -11,12 +11,12 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
-      - name: Setup Python
-        uses: actions/setup-python@v1
+      - name: Setup Python 3.7
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
-          python-version: 3.7
+          python-version: '3.7'
 
       - name: Install dependencies
         run: |
@@ -26,6 +26,7 @@ jobs:
         run: |
           make install
 
+# TODO: fix all pylint issues first
 #      - name: Pylint
 #        run: |
 #          make lint
@@ -40,11 +41,11 @@ jobs:
     needs: test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Set up Python 3.7
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
-          python-version: 3.7
+          python-version: '3.7'
 
       - name: Install dependencies
         run: |
@@ -59,20 +60,19 @@ jobs:
           pip install setuptools wheel twine
           python -m setup sdist bdist_wheel
       - name: Publish package
-        uses: pypa/gh-action-pypi-publish@master
+        uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # v1.8.10
         with:
-          user: __token__
           password: ${{ secrets.PYPI_PASSWORD }}
 
   update-brew:
     needs: publish-package
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Set up Python 3.7
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
-          python-version: 3.7
+          python-version: '3.7'
       - name: publish brew
         run: |
           sleep 5m
@@ -94,7 +94,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: update-brew
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           ref: master
 

.github/workflows/python-dependency-updater.yml

@@ -9,16 +9,13 @@ on:
 jobs:
   python-dependency-updater:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: ['3.7']
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
-          python-version: ${{ matrix.python-version }}
+          python-version: '3.7'
 
       - name: Run Pyup.io Dependency updater
         run: |

.github/workflows/release-drafter.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@65c5fb495d1e69aa8c08a3317bc44ff8aabe9772 # v5.24.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/security.yml

@@ -11,16 +11,8 @@ jobs:
   detect-secrets:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: detect secrets
-        uses: edplato/trufflehog-actions-scan@master
+        uses: edplato/trufflehog-actions-scan@c36ff9abf0af8290ef23b1b45a36e75c742dd1d8 # v0.9l-beta
         with:
           scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
-#  bandit:
-#    runs-on: ubuntu-latest
-#    steps:
-#      - uses: actions/checkout@v1
-#      - name: security test
-#        uses: jpetrucciani/bandit-check@master
-#        with:
-#          path: 'cloudsplaining'

.github/workflows/test.yml

@@ -2,18 +2,23 @@
 
 name: Test
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - master
+  pull_request:
 
 jobs:
   test:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
-      - name: Setup Python
-        uses: actions/setup-python@v1
+      - name: Setup Python 3.7
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
-          python-version: 3.7
+          python-version: '3.7'
 
       - name: Install dependencies
         run: |
@@ -31,3 +36,30 @@ jobs:
       - name: Run mypy (static type check)
         run: |
           make type-check
+
+  python-version:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ['3.8', '3.9', '3.10', '3.11', '3.12']
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        with:
+          python-version: ${{ matrix.python }}
+          allow-prereleases: true
+
+      - name: Install dependencies
+        run: |
+          make setup-dev
+
+      - name: Install the package to make sure nothing is randomly broken
+        run: |
+          make install
+
+      - name: Run pytest (unit tests) and bandit (security test)
+        run: |
+          make test

.github/workflows/update-bundle-report.yml

@@ -10,11 +10,10 @@ jobs:
   update:
     runs-on: ubuntu-latest
     steps:
-      - name: checkout
-        uses: actions/checkout@v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Setup python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
           python-version: '3.7'
 
@@ -36,8 +35,8 @@ jobs:
           make test-js
 
       - name: PR if files were updated
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
         with:
           commit-message: Update JS Bundle and example reports
-          title: 'Updates database'
+          title: 'Updates JS Bundle and example reports'
           body: This is an automated PR created to update the JS Bundle and the example reports.