-
-
Notifications
You must be signed in to change notification settings - Fork 323
219 lines (187 loc) · 7.93 KB
/
python-code-quality.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
---
name: Python Code Quality
on:
push:
branches:
- main
- releasebranch_*
pull_request:
jobs:
python-checks:
name: Python Code Quality Checks
concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{
github.event_name == 'pull_request' &&
github.head_ref || github.sha }}
cancel-in-progress: true
strategy:
matrix:
include:
- os: ubuntu-22.04
env:
# renovate: datasource=python-version depName=python
PYTHON_VERSION: "3.13"
MIN_PYTHON_VERSION: "3.9"
# renovate: datasource=pypi depName=black
BLACK_VERSION: "24.10.0"
# renovate: datasource=pypi depName=flake8
FLAKE8_VERSION: "7.1.1"
# renovate: datasource=pypi depName=pylint
PYLINT_VERSION: "3.3.3"
# renovate: datasource=pypi depName=bandit
BANDIT_VERSION: "1.8.0"
# renovate: datasource=pypi depName=ruff
RUFF_VERSION: "0.9.0"
runs-on: ${{ matrix.os }}
permissions:
security-events: write
steps:
- name: Versions
run: |
echo OS: ${{ matrix.os }}
echo Python: ${{ env.PYTHON_VERSION }}
echo Minimal Python version: ${{ env.MIN_PYTHON_VERSION }}
echo Black: ${{ env.BLACK_VERSION }}
echo Flake8: ${{ env.FLAKE8_VERSION }}
echo Pylint: ${{ env.PYLINT_VERSION }}
echo Bandit: ${{ env.BANDIT_VERSION }}
echo Ruff: ${{ env.RUFF_VERSION }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: pip
- name: Upgrade pip
run: python -m pip install --upgrade pip
- name: Install Ruff
run: pip install ruff==${{ env.RUFF_VERSION }}
- name: Run Ruff (output annotations on fixable errors)
run: ruff check --output-format=github . --preview --unsafe-fixes
continue-on-error: true
- name: Run Ruff (apply fixes for suggestions)
run: ruff check . --preview --fix --unsafe-fixes
- name: Create and uploads code suggestions to apply for Ruff
# Will fail fast here if there are changes required
id: diff-ruff
# To run after ruff step exits with failure when rules don't have fixes available
if: ${{ !cancelled() }}
uses: ./.github/actions/create-upload-suggestions
with:
tool-name: ruff
# To keep repo's file structure in formatted changes artifact
extra-upload-changes: pyproject.toml
- name: Install Black only
run: pip install black[jupyter]==${{ env.BLACK_VERSION }}
- name: Run Black
run: black .
- name: Create and uploads code suggestions to apply for Black
# Will fail fast here if there are changes required
id: diff-black
uses: ./.github/actions/create-upload-suggestions
with:
tool-name: black
# To keep repo's file structure in formatted changes artifact
extra-upload-changes: .clang-format
- name: Install non-Python dependencies
run: |
sudo apt-get update -y
sudo apt-get install -y wget git gawk findutils
xargs -a <(awk '! /^ *(#|$)/' ".github/workflows/apt.txt") -r -- \
sudo apt-get install -y --no-install-recommends --no-install-suggests
- name: Install Python dependencies
run: |
pip install -r .github/workflows/python_requirements.txt
pip install -r .github/workflows/optional_requirements.txt
pip install --user pipx
pipx ensurepath
pipx install flake8==${{ env.FLAKE8_VERSION }}
pipx install pylint==${{ env.PYLINT_VERSION }}
pipx inject pylint -r .github/workflows/python_requirements.txt -r .github/workflows/optional_requirements.txt
# The extra toml is only needed before Python 3.11
pipx install bandit[sarif,toml]==${{ env.BANDIT_VERSION }}
- name: Run Flake8
run: |
flake8 --count --statistics --show-source --jobs=$(nproc) .
- name: Run Flake8 on additional files
run: |
flake8 --count --statistics --show-source --jobs=$(nproc) python/grass/{script,jupyter}/testsuite/
- name: Bandit Vulnerability Scan
run: |
bandit -c pyproject.toml -iii -r . -f sarif -o bandit.sarif --exit-zero
- name: Upload Bandit Scan Results
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: bandit.sarif
path: bandit.sarif
- name: Upload SARIF File into Security Tab
uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
with:
sarif_file: bandit.sarif
- name: Create installation directory
run: |
mkdir $HOME/install
- name: Set number of cores for compilation
run: |
echo "MAKEFLAGS=-j$(nproc)" >> $GITHUB_ENV
- uses: rui314/setup-mold@8ec40be1d14871f7ce8fbf273c4b33f3ff75f1d1 # v1
- name: Build
run: .github/workflows/build_${{ matrix.os }}.sh $HOME/install
- name: Add the bin directory to PATH
run: |
echo "$HOME/install/bin" >> $GITHUB_PATH
- name: Run Pylint on grass package
# Until slower checks (like similarity) are reenabled, running in one step is faster
if: false
run: |
export PYTHONPATH=`grass --config python_path`:$PYTHONPATH
export LD_LIBRARY_PATH=$(grass --config path)/lib:$LD_LIBRARY_PATH
pylint --persistent=no --py-version=${{ env.MIN_PYTHON_VERSION }} --jobs=$(nproc) grass
- name: Run Pylint on other files using pytest
# Until slower checks (like similarity) are reenabled, running in one step is faster
if: false
run: |
pipx inject --include-apps pylint pytest
pipx inject pylint pytest-pylint pytest-github-actions-annotate-failures pytest-timeout
export PYTHONPATH=`grass --config python_path`:$PYTHONPATH
export LD_LIBRARY_PATH=$(grass --config path)/lib:$LD_LIBRARY_PATH
pytest --pylint -m pylint --pylint-jobs=$(nproc) \
--pylint-ignore-patterns="${{ env.PylintIgnore }}"
env:
PylintIgnore: "python/.*,gui/.*"
- name: Run Pylint on wxGUI
# Until slower checks (like similarity) are reenabled, running in one step is faster
if: false
run: |
export PYTHONPATH=`grass --config python_path`:$PYTHONPATH
export LD_LIBRARY_PATH=$(grass --config path)/lib:$LD_LIBRARY_PATH
pylint --persistent=no --py-version=${{ env.MIN_PYTHON_VERSION }} --jobs=$(nproc) gui
- name: Run Pylint all in one pass
run: |
export PYTHONPATH=`grass --config python_path`:$PYTHONPATH
export LD_LIBRARY_PATH=$(grass --config path)/lib:$LD_LIBRARY_PATH
pylint --persistent=no --py-version=${{ env.MIN_PYTHON_VERSION }} --jobs=$(nproc) .
- name: Test compiling example modules
run: |
( cd doc/examples/raster/r.example/ && make )
( cd doc/examples/vector/v.example/ && make )
- name: Run Sphinx to check API documentation build
run: |
pip install sphinx
make sphinxdoclib
ARCH=$(cat include/Make/Platform.make | grep ^ARCH | cut -d'=' -f2 | xargs)
cp -rp dist.$ARCH/docs/html/libpython sphinx-grass
- name: Make Sphinx documentation available
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: sphinx-grass
path: sphinx-grass
retention-days: 3
python-success:
name: Python Code Quality Result
needs:
- python-checks
if: ${{ always() }}
uses: ./.github/workflows/verify-success.yml
with:
needs_context: ${{ toJson(needs) }}