feat!: add lockfile generation support (#318) #747
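# This is a workflow for ensuring tests pass all supported environments.
---
name: Test

on:
  # Allow running this workflow manually from the Actions tab
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main

# Least privilege for the automatically issued GITHUB_TOKEN. No step in this
# workflow writes to the repository through the API; the token is only
# forwarded to `docker build` in the `docker-matrix` job.
# NOTE(review): widen per job if the Dockerfiles (not shown here) need more
# than read access.
permissions:
  contents: read

defaults:
  run:
    shell: bash

jobs:
  # Lint/format/static checks, run once on a single Python version.
  QA:
    name: Quality Assurance
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # It's only one Python version specified in a "matrix", but on purpose to stay DRY
        python-version: ["3.11"]
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release tag that SHA corresponds to.
      - name: Checkout the repo
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0

      - name: Install poetry
        run: pipx install poetry==1.6.1

      - name: Configure poetry
        run: poetry config virtualenvs.in-project true

      - name: Set up Python
        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4.7.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'

      # `poetry check --lock` runs before anything is installed, so the job
      # stops there if the lockfile check fails.
      - name: Install the project with poetry
        run: |
          poetry env use python${{ matrix.python-version }}
          poetry check --lock
          poetry lock --no-update --no-cache
          poetry install --verbose --no-root --sync --with qa

      - name: Run tox via poetry
        env:
          # Skip the `phylum-ci` pre-commit hook since:
          #   * The current GitHub integration expects to *only* be run in a PR context
          #   * The `phylum-ci` action will already be run for pull request triggers
          # Skip the `no-commit-to-branch` pre-commit hook since:
          #   * It will cause failures in CI when merging a PR back to `main`
          #   * The hook is meant to be used locally, where blocking before CI can run is the goal
          SKIP: phylum-ci,no-commit-to-branch
          # Add annotations to the PR for any findings
          RUFF_FORMAT: github
        run: poetry run tox run -e qa

  # Run the test suite once per supported Python version.
  test-matrix:
    name: Test on Python ${{ matrix.python-version }}
    runs-on: ubuntu-latest
    strategy:
      # Let every Python version report its own result instead of cancelling
      # the remaining matrix entries on the first failure.
      fail-fast: false
      matrix:
        python-version: ["3.8", "3.9", "3.10", "3.11"]
    steps:
      - name: Checkout the repo
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0

      - name: Install poetry
        run: pipx install poetry==1.6.1

      - name: Configure poetry
        run: poetry config virtualenvs.in-project true

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4.7.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'

      - name: Install the project with poetry
        run: |
          poetry env use python${{ matrix.python-version }}
          poetry check --lock
          poetry lock --no-update --no-cache
          poetry install --verbose --no-root --sync --with test,ci

      - name: Run tox via poetry
        run: poetry run tox

  # This job is meant to be a sanity check on the Docker image...that it can be
  # created with various Dockerfiles, from source or a built distribution, and
  # have the script entry points called without error.
  docker-matrix:
    name: ${{ matrix.dockerfile }} ${{ matrix.build }} smoke test
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # It's only one Python version specified in a "matrix", but on purpose to stay DRY
        python-version: ["3.11"]
        dockerfile: ["Dockerfile", "Dockerfile.slim"]
        build: ["wheel", "source"]
    env:
      DOCKER_BUILDKIT: 1
    steps:
      # NOTE(review): the checkout below is used as the docker build context
      # (`.`). actions/checkout stores the job token in `.git/config` unless
      # `persist-credentials: false` is set; confirm `.git` is excluded by a
      # .dockerignore (not shown here) or disable credential persistence.
      - name: Checkout the repo
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608  # v4.1.0

      # The poetry/Python steps are only needed when a wheel is built on the
      # runner first; the `source` variant builds everything inside docker.
      - name: Install poetry
        if: ${{ matrix.build == 'wheel' }}
        run: pipx install poetry==1.6.1

      - name: Configure poetry
        if: ${{ matrix.build == 'wheel' }}
        run: poetry config virtualenvs.in-project true

      - name: Set up Python
        if: ${{ matrix.build == 'wheel' }}
        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4.7.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'poetry'

      - name: Install the project with poetry
        if: ${{ matrix.build == 'wheel' }}
        run: |
          poetry env use python${{ matrix.python-version }}
          poetry check --lock
          poetry lock --no-update --no-cache
          poetry install --verbose --no-root --sync

      - name: Build wheel and source distribution
        if: ${{ matrix.build == 'wheel' }}
        run: poetry build -vvv

      # The token is exposed to this step through `env` and forwarded with a
      # value-less `--build-arg GITHUB_TOKEN`, which makes docker read it from
      # the environment. That keeps the secret out of the rendered script and
      # off the `docker build` command line.
      # NOTE(review): build args can still be recorded in image metadata
      # (`docker history`). Keeping the token out of the image entirely needs
      # a BuildKit secret mount, which also requires a Dockerfile change.
      - name: Build docker image with pre-built distributions
        if: ${{ matrix.build == 'wheel' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          docker build \
            --tag phylum-ci \
            --cache-from phylumio/phylum-ci:latest \
            --build-arg PKG_SRC=dist/phylum-*.whl \
            --build-arg PKG_NAME=phylum-*.whl \
            --build-arg GITHUB_TOKEN \
            --file ${{ matrix.dockerfile }} \
            .

      # Same token handling as the wheel build above: passed via `env`, then
      # forwarded by name only.
      - name: Build docker image from source
        if: ${{ matrix.build == 'source' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          docker build \
            --tag phylum-ci \
            --cache-from phylumio/phylum-ci:latest \
            --build-arg GITHUB_TOKEN \
            --file ${{ matrix.dockerfile }} \
            .

      - name: Test slim docker image built from ${{ matrix.build }}
        if: ${{ matrix.dockerfile == 'Dockerfile.slim' }}
        run: scripts/docker_tests.sh --image phylum-ci --slim

      - name: Test full docker image built from ${{ matrix.build }}
        if: ${{ matrix.dockerfile == 'Dockerfile' }}
        run: scripts/docker_tests.sh --image phylum-ci

  # This job reports the results of the test jobs above and is used to enforce status checks in
  # the repo settings without needing to update those settings everytime the test jobs are updated.
  test-rollup:
    name: Test rollup
    runs-on: ubuntu-latest
    # Run even when a needed job failed or was cancelled, so the rollup itself
    # reports a failure instead of being skipped.
    if: always()
    needs: [QA, test-matrix, docker-matrix]
    steps:
      - name: Check for test jobs failure or cancellation
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1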