

Merge pull request #34 from step-security/shubham-patch-1
chore: fast forward upstream changes to v2.17.0
shubham-stepsecurity authored Aug 6, 2024
2 parents 8ff5494 + 168fdb3 commit 4be6f05
Showing 188 changed files with 9,262 additions and 2,455 deletions.
63 changes: 43 additions & 20 deletions .github/actions/test/action.yml
@@ -1,4 +1,5 @@
name: 'Test'

description: 'A GitHub Action that tests this action'

inputs:
Expand All @@ -21,12 +22,12 @@ runs:

- name: Setup Python
if: inputs.python-version != 'installed'
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.python-version }}

- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Detect OS
id: os
Expand All @@ -48,8 +49,9 @@ runs:
shell: bash

- name: Cache PIP Packages
uses: actions/cache@v3
uses: actions/cache@v4
id: cache
if: github.event_name != 'schedule'
with:
path: ${{ steps.os.outputs.pip-cache }}
key: ${{ inputs.os }}-pip-test-${{ inputs.python-version }}-${{ hashFiles('**/requirements.txt', '**/constraints.txt') }}-${{ steps.os.outputs.date }}
Expand All @@ -60,16 +62,37 @@ runs:
- name: Install Python dependencies
run: |
python3 -V
python3 -m pip freeze | sort
python3 -m pip cache info || true
python3 -m pip cache list || true
python3 -m pip install --upgrade --force pip wheel
python3 -m pip install --force -r python/requirements.txt
python3 -m pip install --force -r python/test/requirements.txt -c python/test/constraints.txt
python3 -m pip freeze | sort
python3 -m pip cache info || true
python3 -m pip cache list || true
python -m venv "$RUNNER_TEMP/venv"
echo "$RUNNER_TEMP/venv/bin" >> "$GITHUB_PATH"
echo "$RUNNER_TEMP/venv/Scripts" >> "$GITHUB_PATH"
export PATH="$RUNNER_TEMP/venv/bin:$RUNNER_TEMP/venv/Scripts:$PATH"
which python
# inspect pip cache
python -m pip freeze | sort
python -m pip cache info || true
python -m pip cache list || true
# remove cached built whl files
rm -rf "$(python -m pip cache info | grep ".*[Ww]heels location: " | cut -d ":" -f 2- | cut -d " " -f 2-)"
python -m pip cache list || true
# install dependencies
python_minor_version="$(python -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')"
python -m pip install --force -r python/requirements-$python_minor_version.txt
python -m pip install --force -r python/test/requirements.txt -c python/test/constraints.txt
# inspect pip cache
python -m pip freeze | sort
python -m pip cache info || true
python -m pip cache list || true
# assert no whl files have been built
if python -m pip cache info && [[ "$(python -m pip cache info | grep "Number of .*wheels:")" != "Number of "*"wheels: 0" ]]
then
echo "Dependency whl files have been built"
exit 1
fi
shell: bash

- name: Update expectation files
Expand All @@ -84,16 +107,16 @@ runs:
# we only upload the changed files if we can find zip
if which zip
then
(git diff --name-only && git ls-files -o --exclude-standard) | xargs -d "\n" zip changed-expectations.zip
(git diff --name-only && git ls-files -o --exclude-standard) | xargs zip changed-expectations.zip
exit 1
fi
fi
shell: bash
- name: Upload changed expectation files
if: steps.changes.outcome == 'failure'
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: Changed expectations
name: Changed expectations (python-${{ inputs.python-version }}, ${{ inputs.os }})
path: changed-expectations.zip
if-no-files-found: error

Expand All @@ -102,7 +125,7 @@ runs:
PYTHONPATH: ..
run: |
cd python/test
python3 -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest.xml
python -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest.xml
shell: bash

- name: PyTest (EST)
Expand All @@ -112,7 +135,7 @@ runs:
PYTHONPATH: ..
run: |
cd python/test
python3 -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest-est.xml
python -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest-est.xml
shell: bash

- name: PyTest (CET)
Expand All @@ -122,12 +145,12 @@ runs:
PYTHONPATH: ..
run: |
cd python/test
python3 -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest-cet.xml
python -m pytest --capture=tee-sys --continue-on-collection-errors --junit-xml ../../test-results/pytest-cet.xml
shell: bash

- name: Upload Test Results
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: Test Results (python-${{ inputs.python-version }}, ${{ inputs.os }})
path: |
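Review bot: The `rm -rf "$(python -m pip cache info | grep ".*[Ww]heels location: " | cut -d ":" -f 2- | cut -d " " -f 2-)"` line added to the Install Python dependencies step deletes whatever path it scrapes from pip's human-readable output, with no check that the substitution produced anything sensible; a command substitution used as an argument is not covered by the step's `set -e`, so a failed or reformatted `pip cache info` becomes an empty or unexpected argument to `rm -rf`. Capturing the path in a variable and removing it only when it is a non-empty existing directory keeps the failure mode at "cache not cleared" rather than "something else deleted". If the pip in use supports the subcommand, `python -m pip cache remove '*' || true` would avoid parsing text output altogether; I have not verified the minimum pip version for that here.
```yaml
      run: |
        # … unchanged: venv setup and first pip cache inspection …
        # remove cached built whl files, but only when pip reports a real directory
        wheels_dir="$(python -m pip cache info | grep ".*[Ww]heels location: " | cut -d ":" -f 2- | cut -d " " -f 2-)"
        if [[ -n "$wheels_dir" && -d "$wheels_dir" ]]
        then
          rm -rf "$wheels_dir"
        fi
        # … unchanged: dependency install and wheel-count assertion …
```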
4 changes: 0 additions & 4 deletions .github/dependabot.yml
Expand Up @@ -4,7 +4,3 @@ updates:
directory: "/"
schedule:
interval: "monthly"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
9 changes: 5 additions & 4 deletions .github/upgrade-pip-packages.sh
Expand Up @@ -2,12 +2,13 @@
set -euo pipefail

base="$(dirname "$0")"
python_minor_version="$(python3 -c 'import sys; print(f"{sys.version_info.major}.{sys.version_info.minor}")')"

pip install --upgrade --force pip==22.0.0
pip install --upgrade --upgrade-strategy eager -r "$base/../python/requirements-direct.txt"
pip install --upgrade --force pip==24.0.0
pip install --upgrade --upgrade-strategy eager -r "$base/../python/requirements.txt"

pip install pipdeptree
pipdeptree --packages="$(sed -e "s/;.*//" -e "s/=.*//g" "$base/../python/requirements-direct.txt" | paste -s -d ,)" --freeze > "$base/../python/requirements.txt"
pipdeptree --packages="$(sed -e "s/;.*//" -e "s/=.*//g" "$base/../python/requirements.txt" | paste -s -d ,)" --freeze > "$base/../python/requirements-$python_minor_version.txt"

git diff "$base/../python/requirements.txt"
git diff "$base/../python/requirements-$python_minor_version.txt"
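Review bot: The script now names its output file after the interpreter found as `python3` (the new `python_minor_version=` line) but resolves and freezes packages through whichever `pip` is first on PATH, so on a runner where those differ the generated `requirements-X.Y.txt` would describe a different interpreter than the one it is labelled for. Using the module form on all three install lines removes the ambiguity: `python3 -m pip install --upgrade --force pip==24.0.0`, `python3 -m pip install --upgrade --upgrade-strategy eager -r "$base/../python/requirements.txt"` and `python3 -m pip install pipdeptree`, and running the tool as `python3 -m pipdeptree` keeps it on the same interpreter. The `pipdeptree` install is also the only unpinned one in a script whose purpose is producing pinned requirement files; pinning it (`pipdeptree==<pinned-version>`, version to be chosen) makes the freeze reproducible.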

58 changes: 38 additions & 20 deletions .github/workflows/ci-cd.yml
Expand Up @@ -19,34 +19,54 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Check requirements.txt against requirements-direct.txt
uses: actions/checkout@v4
- name: Check requirements.txt
run: |
(diff -w python/requirements-direct.txt python/requirements.txt || true) | (! grep -e "^<")
(diff -w <(grep -v "python_version > '3.7'" python/requirements.txt | sed -e "s/;.*//") python/requirements-3.7.txt || true) | (! grep -e "^<")
(diff -w <(grep -v "python_version <= '3.7'" python/requirements.txt | sed -e "s/;.*//") python/requirements-post-3.7.txt || true) | (! grep -e "^<")
shell: bash
- name: Check for dependency updates
continue-on-error: true
run:
.github/upgrade-pip-packages.sh
run: |
pip install tox
tox
git diff --exit-code
shell: bash

test-mac:
name: "Test macOS"
uses: "./.github/workflows/test-os.yml"
with:
os: '["macos-12", "macos-13"]'
os: '["macos-12", "macos-13", "macos-14"]'
python-version: '["3.10", "3.11", "3.12", "installed"]'
include: >
[
{"os": "macos-12", "python-version": "3.8"},
{"os": "macos-12", "python-version": "3.9"},
{"os": "macos-13", "python-version": "3.8"},
{"os": "macos-13", "python-version": "3.9"},
]
test-lnx:
name: "Test Ubuntu"
uses: "./.github/workflows/test-os.yml"
with:
os: '["ubuntu-20.04", "ubuntu-22.04"]'
os: '["ubuntu-20.04", "ubuntu-22.04", "ubuntu-24.04"]'
python-version: '["3.9", "3.10", "3.11", "3.12", "installed"]'
include: >
[
{"os": "ubuntu-20.04", "python-version": "3.7"},
{"os": "ubuntu-20.04", "python-version": "3.8"},
{"os": "ubuntu-22.04", "python-version": "3.8"},
]
test-win:
name: "Test Windows"
uses: "./.github/workflows/test-os.yml"
with:
os: '["windows-2019", "windows-2022"]'
python-version: '["3.8", "3.9", "3.10", "3.11", "3.12", "installed"]'
include: '[{"os": "windows-2019", "python-version": "3.7"}]'

publish:
name: "Publish"
Expand Down Expand Up @@ -75,10 +95,10 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Extract action image and version
# we deploy from a specific commit on main (the one that mentions a new version the first time)
# we deploy from a specific commit on master (the one that mentions a new version the first time)
# so we need to tell docker/metadata-action to extract docker tags from that version
id: action
run: |
Expand All @@ -93,12 +113,10 @@ jobs:
env:
DOCKER_CLI_EXPERIMENTAL: enabled
run: |
exists='false'
if docker manifest inspect '${{ steps.action.outputs.image }}'
then
exists='true'
echo "exists=true" >>$GITHUB_OUTPUT
fi
echo "exists=$exists" >>$GITHUB_OUTPUT
shell: bash

deploy:
Expand All @@ -117,7 +135,7 @@ jobs:
steps:
- name: Docker meta
id: docker-meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@v5
with:
images: ghcr.io/step-security/publish-unit-test-result-action
flavor: |
Expand All @@ -131,13 +149,13 @@ jobs:
type=semver,pattern={{version}},value=${{ needs.config-deploy.outputs.image-version }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand All @@ -156,7 +174,7 @@ jobs:
- name: Build and push Docker image
uses: docker/build-push-action@v4
uses: docker/build-push-action@v6
id: build
with:
tags: ${{ steps.docker-meta.outputs.tags }}
Expand Down Expand Up @@ -184,20 +202,20 @@ jobs:
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: ${{ needs.deploy.outputs.should_push == 'true' }}
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
image: ${{ needs.deploy.outputs.image }}
digest: ${{ needs.deploy.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}

event_file:
name: "Event File"
runs-on: ubuntu-latest
steps:
- name: Upload
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: Event File
path: ${{ github.event_path }}
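Review bot: In the image-exists step (hunk `@@ -93,12 +113,10 @@`), `exists` is now written only when `docker manifest inspect` succeeds, so on the negative path the output is absent rather than `false`; any later expression that compares it with `'false'` would silently stop matching, and `$GITHUB_OUTPUT` is unquoted on both the old and new lines. Restoring an explicit negative branch keeps the output always defined: add `else` and `echo "exists=false" >>"$GITHUB_OUTPUT"` before the `fi`, and quote the redirect target on the existing line as well. Separately, the new dependency-update step runs `pip install tox` unpinned, which sits oddly next to the `pip==24.0.0` pin in upgrade-pip-packages.sh; `tox==<pinned-version>` (version to be chosen) keeps that best-effort step reproducible. The job these steps belong to starts outside the hunk.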
8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
Expand Up @@ -31,11 +31,11 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -46,7 +46,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@v3

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -60,4 +60,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@v3
