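name: CI

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege default for every job below: the GITHUB_TOKEN can only
# read repository contents. No job here writes to the repo, comments on
# PRs or publishes anything, so nothing needs more than this.
permissions:
  contents: read

jobs:
  test:
    name: test (Python ${{ matrix.python-version }} / ${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    # Bound a hung runner (stuck network, wedged test) instead of burning
    # the 6-hour default.
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.11", "3.12"]
        os: [ubuntu-latest]
        # Neither include entry can be merged into an existing combination
        # (it would overwrite `os`), so each becomes its own extra job:
        # 3.12 on macOS and 3.12 on Windows.
        include:
          - python-version: "3.12"
            os: macos-latest
          - python-version: "3.12"
            os: windows-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Don't leave the GITHUB_TOKEN in .git/config for later steps and
          # tools; no step in this workflow needs to push.
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: ${{ matrix.python-version }}
          cache: pip
      - name: Install dev deps (hash-pinned) and the package itself (editable)
        # ``--require-hashes`` satisfies Scorecard's PinnedDependenciesID
        # check and protects CI against a compromised PyPI mirror. See
        # ``requirements/`` and ``CONTRIBUTING.md`` for how to refresh
        # the lock files.
        #
        # NOTE(review): ``pip install -e .`` still builds in an isolated
        # environment and fetches ``[build-system] requires`` from the
        # index without hash checking. If dev.txt already pins the build
        # backend, ``--no-build-isolation`` would close that gap — confirm.
        #
        # bash on every OS so the step fails on the first failing command
        # (the default pwsh shell on Windows only reports the last one).
        shell: bash
        run: |
          pip install --require-hashes --no-deps -r requirements/dev.txt
          pip install --no-deps -e .
      - name: Test
        run: pytest -v --cov=aemo_mdff_reader --cov-report=term-missing --cov-report=xml
      - name: Wheel install + import smoke
        # Linux/3.12 only: the venv paths below are POSIX.
        if: matrix.python-version == '3.12' && runner.os == 'Linux'
        # The wheel install into the throwaway venv is the one unhashed
        # install in this job; it resolves whatever runtime deps the wheel
        # declares from the index. Fine while the package has none (see the
        # security job); revisit if that changes. ``python -m build`` also
        # uses an isolated env — ``--no-isolation`` only once build.txt pins
        # the backend (confirm).
        run: |
          pip install --require-hashes --no-deps -r requirements/build.txt
          python -m build --wheel
          python -m venv /tmp/smoke
          /tmp/smoke/bin/pip install dist/*.whl
          /tmp/smoke/bin/python -c "import aemo_mdff_reader; print(aemo_mdff_reader.__version__)"
          /tmp/smoke/bin/aemo-mdff-reader --version

  lint:
    name: ruff
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.12"
          cache: pip
      - run: pip install --require-hashes --no-deps -r requirements/lint.txt
      - run: ruff check .
      - run: ruff format --check .

  typecheck:
    name: mypy --strict
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.12"
          cache: pip
      # Same hash-pinned install as the test job; the editable install
      # carries the same build-isolation caveat noted there.
      - run: |
          pip install --require-hashes --no-deps -r requirements/dev.txt
          pip install --no-deps -e .
      - run: mypy

  security:
    name: security (pip-audit + bandit)
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.12"
          cache: pip
      - run: pip install --require-hashes --no-deps -r requirements/audit.txt
      - name: Audit our declared dependencies for known CVEs
        # We have no required runtime deps; this audits dev extras + tooling.
        #
        # NOTE(review): pip-audit inspects the *installed* environment, and
        # this job only installs requirements/audit.txt. The dev extras are
        # covered only if audit.txt pins them too — verify, or audit the
        # lock file directly with ``pip-audit -r requirements/dev.txt``.
        run: pip-audit --skip-editable
      - name: Bandit static security analysis
        # The legacy aemo_mdff_reader.sql module is opt-in (extras_require=mysql)
        # and not refactored in v2 — exclude it from this scan, same as mypy
        # and ruff. We scan the new core (parser, types, reader, cli).
        # ``-ll`` reports medium- and high-severity findings only; the
        # excluded sql module is a known gap until it is refactored.
        run: bandit -r aemo_mdff_reader -ll --exclude aemo_mdff_reader/sql

  build:
    name: build sdist + wheel
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.12"
      - run: pip install --require-hashes --no-deps -r requirements/build.txt
      # NOTE(review): ``python -m build`` installs the build backend into an
      # isolated env without hash checking; pass ``--no-isolation`` once
      # build.txt pins the backend — confirm before changing.
      - run: python -m build
      # ``--strict`` turns metadata/README rendering warnings into failures.
      - run: twine check --strict dist/*
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: dist
          path: dist/
          # The default only warns; an empty artifact should fail the job.
          if-no-files-found: error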