static_code_checks.yaml

name: code checks

on:
  push:
    branches:
      - main
    paths:
      - .pre-commit-config.yaml
      - .github/workflows/code_checks.yml
      - '**.py'
      - poetry.lock
      - pyproject.toml
      - '**.ipynb'
  pull_request:
    branches:
      - main
    paths:
      - .pre-commit-config.yaml
      - .github/workflows/code_checks.yml
      - '**.py'
      - poetry.lock
      - pyproject.toml
      - '**.ipynb'

jobs:
  run-code-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4.1.7
      - name: Install and configure Poetry
        uses: snok/install-poetry@v1
        with:
          virtualenvs-create: true
          virtualenvs-in-project: true
      - uses: actions/setup-python@v5.1.0
        with:
          python-version: '3.9'
          cache: 'poetry'
      - name: Setup yarn
        uses: mskelton/setup-yarn@v2
      - name: Install dependencies and check code
        run: |
          yarn
          poetry env use '3.9'
          source .venv/bin/activate
          poetry install --with test --all-extras
          pre-commit run --all-files
      - name: pip-audit (gh-action-pip-audit)
        uses: pypa/gh-action-pip-audit@v1.0.8
        with:
          virtual-environment: .venv/
          # Skipping 3 cryptography issues that can't be patched because of Flower
          # Skipping 1 wandb issue that was rolled back, seems like a pip-audit bug
          ignore-vulns: |
            GHSA-3ww4-gg4f-jr7f
            GHSA-9v9h-cgj8-h64p
            GHSA-6vqw-3v5j-54x4
            GHSA-cqh9-jfqr-h9jj