Update tj-actions/changed-files action to v36 [SECURITY] - autoclosed #720
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pipeline | |
on: | |
push: | |
branches-ignore: | |
- gh-pages | |
tags-ignore: | |
- docs-* | |
pull_request: | |
release: | |
types: [published] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} | |
cancel-in-progress: true | |
jobs: | |
concurrency: | |
name: Show Concurrency Group | |
runs-on: ubuntu-latest | |
steps: | |
- name: Concurrency Group | |
run: | | |
echo "$CONCURRENCY_GROUP" | |
env: | |
CONCURRENCY_GROUP: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
changes: | |
name: Get Changed Files | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # OR "2" -> To retrieve the preceding commit. | |
- name: Get changed files in the src folder | |
id: src-changed | |
uses: tj-actions/changed-files@v36 | |
with: | |
files: src/** | |
- name: List src changes | |
if: steps.src-changed.outputs.any_changed == 'true' | |
run: | | |
echo "One or more files in the src folder has changed." | |
echo "List all the files that have changed: ${{ steps.src-changed.outputs.all_changed_files }}" | |
- name: Get changed files in the tests folder | |
id: tests-changed | |
uses: tj-actions/changed-files@v36 | |
with: | |
files: tests/** | |
- name: List tests changes | |
if: steps.tests-changed.outputs.any_changed == 'true' | |
run: | | |
echo "One or more files in the tests folder has changed." | |
echo "List all the files that have changed: ${{ steps.tests-changed.outputs.all_changed_files }}" | |
- name: Get changed files in the root folder | |
id: root-changed | |
uses: tj-actions/changed-files@v36 | |
with: | |
files: | | |
*.{toml,ini} | |
tools/** | |
- name: List root changes | |
if: steps.root-changed.outputs.any_changed == 'true' | |
run: | | |
echo "One or more config files in the root folder has changed." | |
echo "List all the files that have changed: ${{ steps.root-changed.outputs.all_changed_files }}" | |
- name: Get changed files in the docs folder | |
id: docs-changed | |
uses: tj-actions/changed-files@v36 | |
with: | |
files: docs/** | |
- name: List docs changes | |
if: steps.docs-changed.outputs.any_changed == 'true' | |
run: | | |
echo "One or more files in the docs folder has changed." | |
echo "List all the files that have changed: ${{ steps.docs-changed.outputs.all_changed_files }}" | |
- name: Get changed files in the workflows folder | |
id: workflows-changed | |
uses: tj-actions/changed-files@v36 | |
with: | |
files: .github/workflows/** | |
- name: List workflows changes | |
if: steps.workflows-changed.outputs.any_changed == 'true' | |
run: | | |
echo "One or more files in the .github/workflows folder has changed." | |
echo "List all the files that have changed: ${{ steps.workflows-changed.outputs.all_changed_files }}" | |
- name: Get changed files in the .github folder | |
id: tools-changed | |
uses: tj-actions/changed-files@v36 | |
with: | |
files: .github/*.{json,properties} | |
- name: List tools changes | |
if: steps.tools-changed.outputs.any_changed == 'true' | |
run: | | |
echo "One or more tool configurations in the .github folder has changed." | |
echo "List all the files that have changed: ${{ steps.tools-changed.outputs.all_changed_files }}" | |
outputs: | |
src: ${{ steps.src-changed.outputs.any_changed == 'true'}} | |
tests: ${{ steps.tests-changed.outputs.any_changed == 'true'}} | |
config: ${{ steps.root-changed.outputs.any_changed == 'true'}} | |
tools: ${{ steps.tools-changed.outputs.any_changed == 'true'}} | |
workflows: ${{ steps.workflows-changed.outputs.any_changed == 'true'}} | |
lint: | |
name: Lint (${{ github.event_name }}) | |
runs-on: windows-latest | |
needs: | |
- changes | |
if: > | |
(needs.changes.outputs.src || needs.changes.outputs.tools || needs.changes.outputs.config) || | |
(github.event_name == 'pull_request' ) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.10 | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install tox | |
- name: Lint | |
run: tox -e lint | |
collate-packages: | |
name: Collate Wheels | |
runs-on: ${{ matrix.os}}-latest | |
needs: | |
- changes | |
if: > | |
(needs.changes.outputs.src || needs.changes.outputs.tests || needs.changes.outputs.config || needs.changes.outputs.workflows) || | |
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
strategy: | |
fail-fast: true | |
# needs to run as matricx due to https://github.com/pypa/pip/issues/11664 | |
# dependencies aren't evaluated by the requested platform | |
matrix: | |
os: | |
- ubuntu | |
- windows | |
- macos | |
py: | |
- 3.7 | |
- 3.8 | |
- 3.9 | |
- "3.10" | |
- 3.11 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.py }} | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install tox | |
- name: Populate platform wheels | |
run: tox -e populate -- --target-dir ./wheels --py ${{matrix.py}} | |
- name: Store collated wheels | |
uses: actions/upload-artifact@v3 | |
with: | |
name: wheels-${{matrix.os}}-${{matrix.py}} | |
path: | | |
./wheels/* | |
aggregate: | |
name: Aggregate | |
runs-on: ubuntu-latest | |
needs: | |
- changes | |
- collate-packages | |
if: > | |
(needs.changes.outputs.src || needs.changes.outputs.tests || needs.changes.outputs.config || needs.changes.outputs.workflows) || | |
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
steps: | |
- name: Download collated wheels | |
uses: actions/download-artifact@v3 | |
with: | |
path: artifacts | |
- shell: bash | |
run: | | |
mkdir wheels | |
cp -u artifacts/*/*.whl wheels/ | |
ls -l wheels/ | |
- name: Store aggregated wheels | |
uses: actions/upload-artifact@v3 | |
with: | |
name: wheels | |
path: | | |
./wheels/* | |
test: | |
name: Test Python ${{ matrix.py }} - ${{ matrix.os }} - ${{matrix.tox_version}} (${{ github.event_name }}) | |
runs-on: ${{ matrix.os }}-latest | |
needs: | |
- changes | |
- aggregate | |
if: > | |
(needs.changes.outputs.src || needs.changes.outputs.tests || needs.changes.outputs.config || needs.changes.outputs.workflows) || | |
(github.event_name == 'pull_request' ) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
strategy: | |
fail-fast: false | |
matrix: | |
os: | |
- ubuntu | |
- windows | |
- macos | |
py: | |
- 3.7 | |
- 3.8 | |
- 3.9 | |
- "3.10" | |
- 3.11 | |
tox_version: | |
- v3 | |
- v4 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up Python ${{ matrix.py }} | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.py }} | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -U tox setuptools | |
- name: Download aggregated wheels | |
uses: actions/download-artifact@v3 | |
with: | |
name: wheels | |
path: src/azure_devops_artifacts_helpers/wheels/ | |
- name: Setup Test Suite | |
run: tox -e test-${{ matrix.tox_version }} -vv --notest | |
- name: Run Test Suite | |
run: tox -e test-${{ matrix.tox_version }} --skip-pkg-install | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v3 | |
with: | |
directory: ./reports/ | |
flags: tests | |
name: ${{ matrix.py }} - ${{ matrix.os }} - ${{ matrix.tox_version }} | |
- name: Configure testspace | |
uses: testspace-com/setup-testspace@v1 | |
with: | |
domain: ${{ github.repository_owner }} | |
if: always() | |
- name: Push result to Testspace server | |
run: | | |
testspace reports/*-test.xml | |
if: always() | |
sonarcloud: | |
name: SonarCloud (${{ github.event_name }}) | |
runs-on: ubuntu-latest | |
needs: | |
- changes | |
if: > | |
(needs.changes.outputs.src || needs.changes.outputs.config || needs.changes.outputs.workflows) || | |
(github.event_name == 'pull_request' ) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: SonarCloud Scan | |
uses: SonarSource/sonarcloud-github-action@master | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
with: | |
args: > | |
-Dsonar.projectKey=djpugh_azure_devops_artifacts_helpers | |
-Dsonar.organization=djpugh | |
-Dsonar.coverage.exclusions=**/*.* | |
# No coverage as handled separately | |
license-scan: | |
name: Scan Licenses (${{ github.event_name }}) | |
runs-on: ubuntu-latest | |
needs: | |
- changes | |
if: > | |
(needs.changes.outputs.config || needs.changes.outputs.workflows) || | |
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.11 | |
- name: compile requirements.txt | |
run: | | |
python -m pip install --upgrade pip | |
pip install pip-tools pipenv | |
pip-compile -o requirements.txt --extra tox | |
cat requirements.txt | |
- name: Run FOSSA scan and upload build data | |
uses: fossa-contrib/fossa-action@v2 | |
with: | |
fossa-api-key: ${{ secrets.FOSSA_API_KEY }} | |
github-token: ${{ github.token }} | |
codeql-analyze: | |
name: CodeQL Analyze (${{ github.event_name }}) | |
runs-on: ubuntu-latest | |
needs: | |
- changes | |
if: > | |
(needs.changes.outputs.src || needs.changes.outputs.config || needs.changes.outputs.workflows) || | |
(github.event_name == 'pull_request' ) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
# Initializes the CodeQL tools for scanning. | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: python | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 | |
build: | |
name: Build Package (${{ github.event_name }}) | |
runs-on: windows-latest | |
needs: | |
- aggregate | |
- changes | |
if: > | |
(needs.changes.outputs.src || needs.changes.outputs.config || needs.changes.outputs.workflows) || | |
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
strategy: | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
clean: true | |
- name: Set up Python ${{ matrix.py }} | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.11 | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install tox | |
- name: Download aggregated wheels | |
uses: actions/download-artifact@v3 | |
with: | |
name: wheels | |
path: src/azure_devops_artifacts_helpers/wheels/ | |
- name: Build azure_devops_artifacts_helpers | |
run: tox -e build -vvv | |
- name: Store build artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: build | |
path: | | |
dist/* | |
docs: | |
name: Build docs (${{ github.event_name }}) | |
needs: | |
- aggregate | |
- changes | |
if: > | |
(needs.changes.outputs.src || needs.changes.outputs.config || needs.changes.outputs.docs || needs.changes.outputs.workflows) || | |
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
runs-on: windows-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up Python ${{ matrix.py }} | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.11 | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install tox | |
- name: Download aggregated wheels | |
uses: actions/download-artifact@v3 | |
with: | |
name: wheels | |
path: src/azure_devops_artifacts_helpers/wheels/ | |
- name: Build docs | |
run: tox -e docs | |
env: | |
SPHINX_GITHUB_CHANGELOG_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Store build artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: docs | |
path: | | |
docs/html/* | |
!docs/html/.doctrees/* | |
test-build: | |
name: Test Build Python ${{ matrix.py }} - ${{ matrix.os }} - ${{ matrix.tox_version }} (${{ github.event_name }}) | |
needs: | |
- build | |
- test | |
if: > | |
(github.event_name == 'pull_request' && contains(github.base_ref, 'main')) || | |
(github.event_name == 'push' && (startsWith(github.ref, 'refs/tags') || contains(github.ref, 'main'))) || | |
(github.event_name == 'release') | |
runs-on: ${{ matrix.os }}-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
os: | |
- ubuntu | |
- windows | |
- macos | |
py: | |
- 3.7 | |
- 3.8 | |
- 3.9 | |
- "3.10" | |
- 3.11 | |
tox_version: | |
- "tox<4.0.0" | |
- "tox>=4.0.0" | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
path: ./repo | |
- name: Set up Python ${{ matrix.py }} | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ matrix.py }} | |
- name: Download build | |
uses: actions/download-artifact@v3 | |
with: | |
name: build | |
path: dist | |
- shell: bash | |
run: | | |
pip install $(ls -t dist/*.whl | head -n1) | |
pip install -U pytest setuptools | |
echo "Installing ${{ matrix.tox_version }}" | |
pip install "${{ matrix.tox_version }}" | |
- shell: bash | |
run: pytest ./repo/tests/functional | |
publish-package: | |
name: Publish Package | |
runs-on: ubuntu-latest | |
needs: | |
- lint | |
- test | |
- build | |
- sonarcloud | |
- license-scan | |
- codeql-analyze | |
- test-build | |
if: > | |
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && !contains(github.ref, 'dev-')) || | |
github.event_name == 'release' | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up Python ${{ matrix.py }} | |
uses: actions/setup-python@v4 | |
- name: Download build | |
uses: actions/download-artifact@v3 | |
with: | |
name: build | |
path: dist | |
- name: Install dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -U twine | |
- name: Upload Packages | |
run: | | |
twine upload dist/*.whl --verbose --skip-existing | |
twine upload dist/*.tar.gz --verbose --skip-existing | |
env: | |
TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} | |
TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} | |
if: startsWith(github.ref, 'refs/tags') | |
publish-docs: | |
name: Publish Docs | |
runs-on: ubuntu-latest | |
needs: | |
- docs | |
- publish-package | |
# Only do this on the tagged build, not the release | |
if: > | |
(github.event_name == 'push' && | |
startsWith(github.ref, 'refs/tags') && !(contains(github.ref, 'gh-pages') || contains(github.ref, 'docs') || contains(github.ref, 'dev-')) | |
) | |
steps: | |
- name: Download docs | |
uses: actions/download-artifact@v3 | |
with: | |
name: docs | |
path: ./docs/html | |
- name: Get Version | |
id: get_version | |
run: | | |
tag_name=$(echo ${{github.ref}} | cut -d/ -f3) | |
echo "tag_name=$tag_name" >> $GITHUB_OUTPUT | |
- name: Check Tag doesn't exist | |
id: check_tag | |
run: | | |
if git show-ref --tags docs-${{ steps.get_version.outputs.tag_name }} --quiet; then | |
echo "::set-output name=tag_exists::true" | |
echo "tag_exists=true" >> $GITHUB_OUTPUT | |
else | |
echo "tag_exists=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Deploy | |
uses: peaceiris/actions-gh-pages@v3 | |
if: steps.check_tag.outputs.tag_exists == false | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
publish_dir: ./docs/html | |
tag_name: docs-${{ steps.get_version.outputs.tag_name }} | |
tag_message: 'Docs ${{ steps.get_version.outputs.tag_name }}' |