model_api/.github/workflows/test_precommit.yml at 6ede2642e83f69ae641f7857f2718003f8b35d0a · open-edge-platform/model_api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: test_precommit
permissions: {} # No permissions by default on workflow level
on:
  pull_request:
  merge_group:
    branches:
      - master
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
jobs:
  Python-Functional-Tests:
    strategy:
      fail-fast: false
      matrix:
        os:
          - "ubuntu-24.04"
          - "windows-2022"
        python-version:
          - "3.10"
          - "3.11"
          - "3.12"
          - "3.13"
    name: pr pre-commit test (${{ matrix.os }}, Python ${{ matrix.python-version }})
    runs-on: ${{ matrix.os }}
    steps:
      - name: CHECKOUT REPOSITORY
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false
      - name: Install uv
        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
        with:
          enable-cache: false
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          uv sync --locked --extra tests --extra-index-url https://download.pytorch.org/whl/cpu
      - name: Prepare test data
        run: |
          uv run python tests/accuracy/download_models.py -d data -j tests/precommit/public_scope.json -l
      - name: Run test
        run: |
          uv run pytest --data=./data tests/functional
  Zizmor-Scan-PR:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false
      - name: Run Zizmor scan
        uses: open-edge-platform/geti-ci/actions/zizmor@66652424b4ec87ff529dce5ae4a03f339e58a84b
        with:
          scan-scope: "changed"
          severity-level: "LOW"
          confidence-level: "LOW"
          fail-on-findings: true
  Bandit-Scan-PR:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false
      - name: Run Bandit scan
        uses: open-edge-platform/geti-ci/actions/bandit@66652424b4ec87ff529dce5ae4a03f339e58a84b
        with:
          scan-scope: "changed"
          severity-level: "LOW"
          confidence-level: "LOW"
          config_file: "./pyproject.toml"
          fail-on-findings: true

  Semgrep-Scan-PR:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # Needed to upload the results in SARIF
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: Run Semgrep scan
        uses: open-edge-platform/geti-ci/actions/semgrep@66652424b4ec87ff529dce5ae4a03f339e58a84b
        with:
          scan-scope: "changed"
          severity: "LOW"
          fail-on-findings: true