mifeet · mifeet · Dec 8, 2024 · Dec 8, 2024 · Dec 8, 2024 · Dec 8, 2024
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,88 @@
+name: Release
+on:
+  release:
+    types: [ released ]
+
+jobs:
+  tests:
+    name: 'Unit tests & type check'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Run tests
+        run: |
+          set -euo pipefail
+          pipx install poetry
+          poetry install --no-interaction
+          poetry run pytest
+          poetry run black --check .
+
+  build:
+    name: 'Build'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install dependencies
+        run: |
+          pipx install poetry
+          poetry install --no-interaction
+
+      - name: Build package
+        run: poetry build
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  release:
+    name: 'Release'
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - tests
+    environment:
+      name: pypi
+      url: https://pypi.org/p/pyfluent-iterables
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Sign the dists with Sigstore
+        uses: sigstore/[email protected]
+        with:
+          inputs: >-
+            ./dist/*.tar.gz
+            ./dist/*.whl
+
+      - name: Upload artifact signatures to GitHub Release
+        if: github.event_name == 'release'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload --repo '${{ github.repository }}' '${{ github.ref_name }}' dist/* 
+
+      - name: Publish distribution 📦 to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        if: github.event_name == 'release'
diff --git a/.github/workflows/repo-scan.yaml b/.github/workflows/repo-scan.yaml
@@ -0,0 +1,47 @@
+name: Vulnerability scan of the repo
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  repo-scan:
+    name: 'Trivy repo scan'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          trivy-config: "trivy-config.yaml"
+        env:
+          # env variables seems to be a more reliable way to configure trivy than inputs
+          TRIVY_FORMAT: table # we cannot use the GitHub-integrated sarif format without GitHub advanced security
+          TRIVY_OUTPUT: trivy-report.txt
+          TRIVY_EXIT_CODE: 1
+
+      - shell: bash
+        if: always()
+        # Print result so that one doesn't need to download zip files to see the result
+        run: |
+          cat trivy-report.txt
+
+          echo "Trivy report:" >> $GITHUB_STEP_SUMMARY
+          echo '~~~' >> $GITHUB_STEP_SUMMARY
+          cat trivy-report.txt >> $GITHUB_STEP_SUMMARY
+          echo '~~~' >> $GITHUB_STEP_SUMMARY
+
+          if echo "$REPORT_WITHOUT_TABLES" | grep -E '(HIGH|CRITICAL): [1-9]' > /dev/null; then
+            echo "::error::Found HIGH or CRITICAL vulnerabilities"
+          fi    
+
+      - name: Upload report artifact
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: trivy-report.txt
+          path: trivy-report.txt
+
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -0,0 +1,33 @@
+name: Tests & type check
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  tests:
+    name: 'Unit tests'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install dependencies
+        run: |
+          pipx install poetry
+          poetry install --no-interaction
+
+      - name: Run tests
+        run: |
+          poetry run pytest
+
+      - name: Run type check
+        run: |
+          poetry run black --check .
+
+