chore(deps-dev): Bump safety from 3.2.7 to 3.2.10 #172
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: CI | |
| # Ensure only one job per branch. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| push: | |
| branches: [master] | |
| tags: ["*"] | |
| pull_request: | |
| branches: [master] | |
| types: [opened, synchronize] | |
| jobs: | |
| test: | |
| name: Test python ${{ matrix.python-version }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: ["3.12", "3.11"] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: Set up Nix | |
| uses: ./.github/actions/setup-nix | |
| with: | |
| cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| - name: Run tests | |
| run: | | |
| if [ "${{ matrix.python-version }}" = "3.11" ]; then | |
| nix develop .#ciPy311 --command make test | |
| else | |
| nix develop .#ci --command make test | |
| fi | |
| - name: Upload test report | |
| if: always() | |
| uses: mikepenz/action-junit-report@v4 | |
| with: | |
| check_name: Test report | |
| report_paths: '**/.junit.xml' | |
| - name: Upload coverage | |
| uses: paambaati/codeclimate-action@v9.0.0 | |
| env: | |
| CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }} | |
| with: | |
| coverageLocations: | | |
| ${{ github.workspace }}/.coverage.xml:cobertura | |
| lint: | |
| name: ${{ matrix.lint.name }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| lint: | |
| - name: Lint style | |
| rule: lint-style | |
| - name: Lint types | |
| rule: lint-types | |
| - name: Lint other metrics | |
| rule: lint-metrics | |
| - name: Scan AST security | |
| rule: scan-sec-ast | |
| - name: Scan dependencies | |
| rule: scan-sec-deps | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: Set up Nix | |
| uses: ./.github/actions/setup-nix | |
| with: | |
| cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| - name: ${{ matrix.lint.name }} | |
| run: | | |
| if [ "${{ matrix.lint.rule }}" = "scan-sec-deps" ]; then | |
| nix develop .#ci --command make ${{ matrix.lint.rule }} \ | |
| || (echo "::warning file=scan-sec-deps::Scan dependencies failed with exit code $?.") | |
| else | |
| nix develop .#ci --command make ${{ matrix.lint.rule }} | |
| fi | |
| continue-on-error: ${{ matrix.lint.rule == 'scan-sec-deps' }} | |
| pub-image: | |
| name: Publish Docker image | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: Set up Nix | |
| uses: ./.github/actions/setup-nix | |
| with: | |
| cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| - name: Set image tag | |
| run: > | |
| if [ "${{ github.ref_type }}" = "tag" ] && [ -n "${{ github.ref_name }}" ]; then | |
| echo "IMG_TAG=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> ${GITHUB_ENV} | |
| else | |
| echo "IMG_TAG=latest" >> ${GITHUB_ENV} | |
| fi | |
| - name: Update pyproject.toml version with | |
| if: github.ref_type == 'tag' && github.ref_name != '' | |
| run: nix develop --command poetry dynamic-versioning | |
| - name: Capture current commit hash | |
| run: printf "${{ github.sha }}" > .rev && git add .rev | |
| - name: Build and push image to registry | |
| run: > | |
| nix build .#dockerArchiveStreamer | |
| && ./result | |
| | gzip --fast | |
| | skopeo copy | |
| --dest-creds ${{ github.repository_owner }}:${{ secrets.GITHUB_TOKEN }} | |
| docker-archive:/dev/stdin | |
| docker://ghcr.io/${{ github.repository }}:${IMG_TAG} |