Skip to content

Pin GitHub Actions to commit SHAs and add use Harden Runner (#190) #423

Pin GitHub Actions to commit SHAs and add use Harden Runner (#190)

Pin GitHub Actions to commit SHAs and add use Harden Runner (#190) #423

Workflow file for this run

# -*- mode: yaml; coding: utf-8 -*-
#
# Copyright (C) 2023 Benjamin Thomas Schwertfeger
# All rights reserved.
# https://github.com/btschwertfeger
#
# Workflow to apply pre-commit, build, test and upload the package
# to the test index of PyPI.
name: CI/CD
on:
push:
branches:
- "**"
schedule:
- cron: "20 16 * * 0"
release:
types: [created]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
## Checks the code logic, style and more
##
Pre-Commit:
uses: ./.github/workflows/_pre_commit.yaml
## Discover vulnerabilities
##
CodeQL:
uses: ./.github/workflows/_codeql.yaml
## Builds the package on multiple OS for multiple
## Python versions
##
Build:
needs: [Pre-Commit]
uses: ./.github/workflows/_build.yaml
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
with:
os: ${{ matrix.os }}
python-version: ${{ matrix.python-version }}
## Build the documentation
##
Build-Doc:
needs: [Pre-Commit]
uses: ./.github/workflows/_build_doc.yaml
with:
os: ubuntu-latest
python-version: "3.11"
## Run the unit tests for Python 3.9 until 3.14 and upload the
## coverage statistics to codecov
##
Test:
needs: [Pre-Commit]
uses: ./.github/workflows/_test.yaml
strategy:
# FIXME: fail-fast as soon as the tests are not flaky anymore
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
with:
os: ${{ matrix.os }}
python-version: ${{ matrix.python-version }}
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
## Uploads the package to test.pypi.org on master if triggered by
## a regular commit/push.
##
## Trusted Publishing does not support reusable workflows, so the publish
## step runs inline here rather than in a called workflow. See
## https://github.com/pypi/warehouse/issues/11096
##
UploadTestPyPI:
if: |
(
success()
&& github.actor == 'btschwertfeger'
&& github.ref == 'refs/heads/master'
)
&& (github.event_name == 'push' || github.event_name == 'release')
needs:
- Build
- Build-Doc
- Test
- CodeQL
name: Upload current version to Test PyPI
runs-on: ubuntu-latest
permissions:
id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing
environment:
name: testpypi
url: https://test.pypi.org/p/python-cmethods
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
fulcio.sigstore.dev
ghcr.io
github.com:443
pkg-containers.githubusercontent.com:443
rekor.sigstore.dev
test.pypi.org
tuf-repo-cdn.sigstore.dev
uploads.github.com:443
- name: Download all the distributions
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: python-package-distributions
path: dist/
- name: Publish package distributions to Test PyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
with:
repository-url: https://test.pypi.org/legacy/
## Upload the python-cmethods package to Production PyPI
##
## Trusted Publishing does not support reusable workflows, so the publish
## step runs inline here rather than in a called workflow. See
## https://github.com/pypi/warehouse/issues/11096
##
UploadPyPI:
if: |
success() &&
github.actor == 'btschwertfeger' &&
github.event_name == 'release'
needs:
- Build
- Build-Doc
- Test
- CodeQL
name: Upload the current release to PyPI
runs-on: ubuntu-latest
permissions:
id-token: write # IMPORTANT: this permission is mandatory for OIDC publishing
environment:
name: pypi
url: https://pypi.org/p/python-cmethods
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
fulcio.sigstore.dev
ghcr.io
github.com:443
pkg-containers.githubusercontent.com:443
pypi.org
rekor.sigstore.dev
tuf-repo-cdn.sigstore.dev
upload.pypi.org
uploads.github.com:443
- name: Download all the distributions
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: python-package-distributions
path: dist/
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
with:
repository-url: https://upload.pypi.org/legacy/