Addressed safety issues up to 2024-12-29 #2585
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This GitHub workflow will setup and run various kinds of tests with a variety of Python versions | |
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions | |
name: test | |
on: | |
schedule: | |
# The schedule event always (and only) runs on the master branch. | |
- # cron (in UTC): minute hour day_of_month month day_of_week | |
cron: '00 22 * * SAT' | |
pull_request: # When creating a PR targeting these branches | |
branches: | |
- master | |
- stable_* | |
push: # When merging a PR targeting these branches (direct push is disabled) | |
branches: | |
- master | |
- stable_* | |
jobs: | |
set_matrix: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.select_matrix.outputs.matrix }} | |
steps: | |
- name: "Select matrix" | |
id: select_matrix | |
# Select full matrix when scheduled or when releasing, and normal matrix | |
# otherwise. The matrix is defined as a JSON string. | |
# This technique documented in: | |
# https://stackoverflow.com/questions/65384420/how-to-make-a-github-action-matrix-element-conditional | |
# TODO: Find a way to define this with less escapes. | |
run: | | |
if [[ "${{ github.event_name }}" == "schedule" || "${{ github.head_ref }}" =~ ^release_ ]]; then \ | |
echo "matrix={ \ | |
\"os\": [ \"ubuntu-latest\", \"macos-latest\" ], \ | |
\"python-version\": [ \"3.8\", \"3.9\", \"3.10\", \"3.11\", \"3.12\" ], \ | |
\"package_level\": [ \"minimum\", \"latest\", \"ansible\" ], \ | |
\"exclude\": [ \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"minimum\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"latest\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"ansible\" \ | |
} \ | |
], \ | |
\"include\": [ \ | |
{ \ | |
\"os\": \"ubuntu-22.04\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"minimum\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-22.04\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"latest\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-22.04\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"ansible\" \ | |
} \ | |
] \ | |
}" >> $GITHUB_OUTPUT; \ | |
else \ | |
echo "matrix={ \ | |
\"os\": [ \"ubuntu-latest\" ], \ | |
\"python-version\": [ \"3.12\" ], \ | |
\"package_level\": [ \"minimum\", \"latest\" ], \ | |
\"include\": [ \ | |
{ \ | |
\"os\": \"ubuntu-22.04\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"minimum\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-22.04\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"latest\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.9\", \ | |
\"package_level\": \"minimum\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.9\", \ | |
\"package_level\": \"ansible\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.10\", \ | |
\"package_level\": \"minimum\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.10\", \ | |
\"package_level\": \"latest\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.10\", \ | |
\"package_level\": \"ansible\" \ | |
}, \ | |
{ \ | |
\"os\": \"ubuntu-latest\", \ | |
\"python-version\": \"3.11\", \ | |
\"package_level\": \"minimum\" \ | |
}, \ | |
{ \ | |
\"os\": \"macos-latest\", \ | |
\"python-version\": \"3.8\", \ | |
\"package_level\": \"minimum\" \ | |
}, \ | |
{ \ | |
\"os\": \"macos-latest\", \ | |
\"python-version\": \"3.9\", \ | |
\"package_level\": \"latest\" \ | |
}, \ | |
{ \ | |
\"os\": \"macos-latest\", \ | |
\"python-version\": \"3.12\", \ | |
\"package_level\": \"latest\" \ | |
} \ | |
] \ | |
}" >> $GITHUB_OUTPUT; \ | |
fi | |
- name: Show matrix in JSON | |
run: echo '${{ steps.select_matrix.outputs.matrix }}' | |
test: | |
needs: set_matrix | |
strategy: | |
fail-fast: false | |
max-parallel: 20 | |
matrix: ${{ fromJson(needs.set_matrix.outputs.matrix) }} | |
runs-on: ${{ matrix.os }} | |
container: ${{ matrix.container }} | |
env: | |
PIP_DISABLE_PIP_VERSION_CHECK: 1 | |
PIP_NO_PYTHON_VERSION_WARNING: 1 | |
steps: | |
- name: Set run type (normal, scheduled, release) | |
id: set-run-type | |
uses: actions/github-script@v7 | |
with: | |
result-encoding: string | |
script: | | |
var result | |
if ("${{ github.event_name }}" == "schedule") { | |
result = "scheduled" | |
} else if ("${{ github.head_ref }}".match(/^release_/)) { | |
result = "release" | |
} else { | |
result = "normal" | |
} | |
console.log(result) | |
return result | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Display initial Python packages | |
run: | | |
echo "Installed Python packages:" | |
pip list | |
- name: Install the package and its dependents | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make install | |
- name: Show installed package versions | |
run: | | |
echo "Installed Python packages:" | |
pip list | |
- name: Development setup | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make develop | |
- name: Show installed package versions | |
run: | | |
echo "Installed Python packages:" | |
pip list | |
- name: Fail if version of xz tool is affected by CVE-2024-3094 | |
run: | | |
xz --version; | |
bash -c "! (xz --version | grep -E '5\.6\.(0|1)')" | |
- name: Show package dependency tree | |
run: | | |
echo "Package dependency tree of installed Python packages:" | |
python -m pipdeptree --all | |
- name: Run docs | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make docs | |
- name: Check that module .rst files are up to date | |
# Because the Ansible rst generator changed its output over time, we only | |
# check this on the latest Python release with latest package levels. | |
if: ${{ matrix.python-version == '3.12' && matrix.package_level == 'latest' }} | |
run: | | |
bash -c "if ! git diff --exit-code HEAD docs/source/modules; then | |
echo 'Error: Module .rst files are not up to date in this PR. Run make docslocal to update.'; | |
exit 1; | |
fi" | |
- name: Run check | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make check | |
- name: Run pylint | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make pylint | |
- name: Run sanity | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make sanity | |
- name: Run ansible_lint | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make ansible_lint | |
- name: Run unit/function test | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
# TESTCASES: test_partition.py | |
run: | | |
make test | |
- name: Run mocked end2end test | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
# TESTCASES: test_partition.py | |
run: | | |
make end2end_mocked | |
- name: Report coverage result locally | |
run: | | |
coverage report | |
- name: Send coverage result to coveralls.io | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
COVERALLS_PARALLEL: true | |
COVERALLS_FLAG_NAME: "${{ matrix.os }},${{ matrix.python-version }},${{ matrix.package_level }}" | |
COVERALLS_SERVICE_NAME: github | |
COVERALLS_SERVICE_JOB_ID: "${{ github.run_id }}" | |
COVERALLS_SERVICE_NUMBER: "${{ github.workflow }}-${{ github.run_number }}" | |
run: | | |
coveralls | |
- name: Run check_reqs | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make check_reqs | |
- name: Run safety | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make safety | |
- name: Run bandit | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make bandit | |
- name: Run linkcheck | |
env: | |
PACKAGE_LEVEL: ${{ matrix.package_level }} | |
RUN_TYPE: ${{ steps.set-run-type.outputs.result }} | |
run: | | |
make linkcheck | |
test_finish: | |
needs: test | |
runs-on: ubuntu-latest | |
container: python:3-slim | |
steps: | |
- name: Install coveralls | |
run: | | |
pip3 install --upgrade coveralls | |
- name: Send coverage finish to coveralls.io | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
COVERALLS_SERVICE_NUMBER: "${{ github.workflow }}-${{ github.run_number }}" | |
run: | | |
coveralls --finish |