Skip to content

Update tj-actions/changed-files action to v36 [SECURITY] #719

Update tj-actions/changed-files action to v36 [SECURITY]

Update tj-actions/changed-files action to v36 [SECURITY] #719

Workflow file for this run

name: Pipeline
on:
push:
branches-ignore:
- gh-pages
tags-ignore:
- docs-*
pull_request:
release:
types: [published]
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
cancel-in-progress: true
jobs:
concurrency:
name: Show Concurrency Group
runs-on: ubuntu-latest
steps:
- name: Concurrency Group
run: |
echo "$CONCURRENCY_GROUP"
env:
CONCURRENCY_GROUP: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
changes:
name: Get Changed Files
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
fetch-depth: 0 # OR "2" -> To retrieve the preceding commit.
- name: Get changed files in the src folder
id: src-changed
uses: tj-actions/changed-files@v36
with:
files: src/**
- name: List src changes
if: steps.src-changed.outputs.any_changed == 'true'
run: |
echo "One or more files in the src folder has changed."
echo "List all the files that have changed: ${{ steps.src-changed.outputs.all_changed_files }}"
- name: Get changed files in the tests folder
id: tests-changed
uses: tj-actions/changed-files@v36
with:
files: tests/**
- name: List tests changes
if: steps.tests-changed.outputs.any_changed == 'true'
run: |
echo "One or more files in the tests folder has changed."
echo "List all the files that have changed: ${{ steps.tests-changed.outputs.all_changed_files }}"
- name: Get changed files in the root folder
id: root-changed
uses: tj-actions/changed-files@v36
with:
files: |
*.{toml,ini}
tools/**
- name: List root changes
if: steps.root-changed.outputs.any_changed == 'true'
run: |
echo "One or more config files in the root folder has changed."
echo "List all the files that have changed: ${{ steps.root-changed.outputs.all_changed_files }}"
- name: Get changed files in the docs folder
id: docs-changed
uses: tj-actions/changed-files@v36
with:
files: docs/**
- name: List docs changes
if: steps.docs-changed.outputs.any_changed == 'true'
run: |
echo "One or more files in the docs folder has changed."
echo "List all the files that have changed: ${{ steps.docs-changed.outputs.all_changed_files }}"
- name: Get changed files in the workflows folder
id: workflows-changed
uses: tj-actions/changed-files@v36
with:
files: .github/workflows/**
- name: List workflows changes
if: steps.workflows-changed.outputs.any_changed == 'true'
run: |
echo "One or more files in the .github/workflows folder has changed."
echo "List all the files that have changed: ${{ steps.workflows-changed.outputs.all_changed_files }}"
- name: Get changed files in the .github folder
id: tools-changed
uses: tj-actions/changed-files@v36
with:
files: .github/*.{json,properties}
- name: List tools changes
if: steps.tools-changed.outputs.any_changed == 'true'
run: |
echo "One or more tool configurations in the .github folder has changed."
echo "List all the files that have changed: ${{ steps.tools-changed.outputs.all_changed_files }}"
outputs:
src: ${{ steps.src-changed.outputs.any_changed == 'true'}}
tests: ${{ steps.tests-changed.outputs.any_changed == 'true'}}
config: ${{ steps.root-changed.outputs.any_changed == 'true'}}
tools: ${{ steps.tools-changed.outputs.any_changed == 'true'}}
workflows: ${{ steps.workflows-changed.outputs.any_changed == 'true'}}
lint:
name: Lint (${{ github.event_name }})
runs-on: windows-latest
needs:
- changes
if: >
(needs.changes.outputs.src || needs.changes.outputs.tools || needs.changes.outputs.config) ||
(github.event_name == 'pull_request' ) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
steps:
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: 3.10
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install tox
- name: Lint
run: tox -e lint
collate-packages:
name: Collate Wheels
runs-on: ${{ matrix.os}}-latest
needs:
- changes
if: >
(needs.changes.outputs.src || needs.changes.outputs.tests || needs.changes.outputs.config || needs.changes.outputs.workflows) ||
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
strategy:
fail-fast: true
# needs to run as matricx due to https://github.com/pypa/pip/issues/11664
# dependencies aren't evaluated by the requested platform
matrix:
os:
- ubuntu
- windows
- macos
py:
- 3.7
- 3.8
- 3.9
- "3.10"
- 3.11
steps:
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.py }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install tox
- name: Populate platform wheels
run: tox -e populate -- --target-dir ./wheels --py ${{matrix.py}}
- name: Store collated wheels
uses: actions/upload-artifact@v3
with:
name: wheels-${{matrix.os}}-${{matrix.py}}
path: |
./wheels/*
aggregate:
name: Aggregate
runs-on: ubuntu-latest
needs:
- changes
- collate-packages
if: >
(needs.changes.outputs.src || needs.changes.outputs.tests || needs.changes.outputs.config || needs.changes.outputs.workflows) ||
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
steps:
- name: Download collated wheels
uses: actions/download-artifact@v3
with:
path: artifacts
- shell: bash
run: |
mkdir wheels
cp -u artifacts/*/*.whl wheels/
ls -l wheels/
- name: Store aggregated wheels
uses: actions/upload-artifact@v3
with:
name: wheels
path: |
./wheels/*
test:
name: Test Python ${{ matrix.py }} - ${{ matrix.os }} - ${{matrix.tox_version}} (${{ github.event_name }})
runs-on: ${{ matrix.os }}-latest
needs:
- changes
- aggregate
if: >
(needs.changes.outputs.src || needs.changes.outputs.tests || needs.changes.outputs.config || needs.changes.outputs.workflows) ||
(github.event_name == 'pull_request' ) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
strategy:
fail-fast: false
matrix:
os:
- ubuntu
- windows
- macos
py:
- 3.7
- 3.8
- 3.9
- "3.10"
- 3.11
tox_version:
- v3
- v4
steps:
- uses: actions/checkout@v3
- name: Set up Python ${{ matrix.py }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.py }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -U tox setuptools
- name: Download aggregated wheels
uses: actions/download-artifact@v3
with:
name: wheels
path: src/azure_devops_artifacts_helpers/wheels/
- name: Setup Test Suite
run: tox -e test-${{ matrix.tox_version }} -vv --notest
- name: Run Test Suite
run: tox -e test-${{ matrix.tox_version }} --skip-pkg-install
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
with:
directory: ./reports/
flags: tests
name: ${{ matrix.py }} - ${{ matrix.os }} - ${{ matrix.tox_version }}
- name: Configure testspace
uses: testspace-com/setup-testspace@v1
with:
domain: ${{ github.repository_owner }}
if: always()
- name: Push result to Testspace server
run: |
testspace reports/*-test.xml
if: always()
sonarcloud:
name: SonarCloud (${{ github.event_name }})
runs-on: ubuntu-latest
needs:
- changes
if: >
(needs.changes.outputs.src || needs.changes.outputs.config || needs.changes.outputs.workflows) ||
(github.event_name == 'pull_request' ) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: >
-Dsonar.projectKey=djpugh_azure_devops_artifacts_helpers
-Dsonar.organization=djpugh
-Dsonar.coverage.exclusions=**/*.*
# No coverage as handled separately
license-scan:
name: Scan Licenses (${{ github.event_name }})
runs-on: ubuntu-latest
needs:
- changes
if: >
(needs.changes.outputs.config || needs.changes.outputs.workflows) ||
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: 3.11
- name: compile requirements.txt
run: |
python -m pip install --upgrade pip
pip install pip-tools pipenv
pip-compile -o requirements.txt --extra tox
cat requirements.txt
- name: Run FOSSA scan and upload build data
uses: fossa-contrib/fossa-action@v2
with:
fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
github-token: ${{ github.token }}
codeql-analyze:
name: CodeQL Analyze (${{ github.event_name }})
runs-on: ubuntu-latest
needs:
- changes
if: >
(needs.changes.outputs.src || needs.changes.outputs.config || needs.changes.outputs.workflows) ||
(github.event_name == 'pull_request' ) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
steps:
- name: Checkout repository
uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: python
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
build:
name: Build Package (${{ github.event_name }})
runs-on: windows-latest
needs:
- aggregate
- changes
if: >
(needs.changes.outputs.src || needs.changes.outputs.config || needs.changes.outputs.workflows) ||
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v3
with:
clean: true
- name: Set up Python ${{ matrix.py }}
uses: actions/setup-python@v4
with:
python-version: 3.11
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install tox
- name: Download aggregated wheels
uses: actions/download-artifact@v3
with:
name: wheels
path: src/azure_devops_artifacts_helpers/wheels/
- name: Build azure_devops_artifacts_helpers
run: tox -e build -vvv
- name: Store build artifact
uses: actions/upload-artifact@v3
with:
name: build
path: |
dist/*
docs:
name: Build docs (${{ github.event_name }})
needs:
- aggregate
- changes
if: >
(needs.changes.outputs.src || needs.changes.outputs.config || needs.changes.outputs.docs || needs.changes.outputs.workflows) ||
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
runs-on: windows-latest
steps:
- uses: actions/checkout@v3
- name: Set up Python ${{ matrix.py }}
uses: actions/setup-python@v4
with:
python-version: 3.11
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install tox
- name: Download aggregated wheels
uses: actions/download-artifact@v3
with:
name: wheels
path: src/azure_devops_artifacts_helpers/wheels/
- name: Build docs
run: tox -e docs
env:
SPHINX_GITHUB_CHANGELOG_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Store build artifact
uses: actions/upload-artifact@v3
with:
name: docs
path: |
docs/html/*
!docs/html/.doctrees/*
test-build:
name: Test Build Python ${{ matrix.py }} - ${{ matrix.os }} - ${{ matrix.tox_version }} (${{ github.event_name }})
needs:
- build
- test
if: >
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) ||
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) ||
(github.event_name == 'release')
runs-on: ${{ matrix.os }}-latest
strategy:
fail-fast: false
matrix:
os:
- ubuntu
- windows
- macos
py:
- 3.7
- 3.8
- 3.9
- "3.10"
- 3.11
tox_version:
- "tox<4.0.0"
- "tox>=4.0.0"
steps:
- uses: actions/checkout@v3
with:
path: ./repo
- name: Set up Python ${{ matrix.py }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.py }}
- name: Download build
uses: actions/download-artifact@v3
with:
name: build
path: dist
- shell: bash
run: |
pip install $(ls -t dist/*.whl | head -n1)
pip install -U pytest setuptools
echo "Installing ${{ matrix.tox_version }}"
pip install "${{ matrix.tox_version }}"
- shell: bash
run: pytest ./repo/tests/functional
publish-package:
name: Publish Package
runs-on: ubuntu-latest
needs:
- lint
- test
- build
- sonarcloud
- license-scan
- codeql-analyze
- test-build
if: >
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && !contains(github.ref, 'dev-')) ||
github.event_name == 'release'
steps:
- uses: actions/checkout@v3
- name: Set up Python ${{ matrix.py }}
uses: actions/setup-python@v4
- name: Download build
uses: actions/download-artifact@v3
with:
name: build
path: dist
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -U twine
- name: Upload Packages
run: |
twine upload dist/*.whl --verbose --skip-existing
twine upload dist/*.tar.gz --verbose --skip-existing
env:
TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
if: startsWith(github.ref, 'refs/tags')
publish-docs:
name: Publish Docs
runs-on: ubuntu-latest
needs:
- docs
- publish-package
# Only do this on the tagged build, not the release
if: >
(github.event_name == 'push' &&
startsWith(github.ref, 'refs/tags') && !(contains(github.ref, 'gh-pages') || contains(github.ref, 'docs') || contains(github.ref, 'dev-'))
)
steps:
- name: Download docs
uses: actions/download-artifact@v3
with:
name: docs
path: ./docs/html
- name: Get Version
id: get_version
run: |
tag_name=$(echo ${{github.ref}} | cut -d/ -f3)
echo "tag_name=$tag_name" >> $GITHUB_OUTPUT
- name: Check Tag doesn't exist
id: check_tag
run: |
if git show-ref --tags docs-${{ steps.get_version.outputs.tag_name }} --quiet; then
echo "::set-output name=tag_exists::true"
echo "tag_exists=true" >> $GITHUB_OUTPUT
else
echo "tag_exists=false" >> $GITHUB_OUTPUT
fi
- name: Deploy
uses: peaceiris/actions-gh-pages@v3
if: steps.check_tag.outputs.tag_exists == false
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./docs/html
tag_name: docs-${{ steps.get_version.outputs.tag_name }}
tag_message: 'Docs ${{ steps.get_version.outputs.tag_name }}'