From 0310610738be7719cf6cd3dd497246f049fae433 Mon Sep 17 00:00:00 2001
From: Victor Chang
Date: Tue, 3 Dec 2024 18:14:04 +0800
Subject: [PATCH] Add GitHub workflows
Signed-off-by: Victor Chang
---
 .github/workflows/check.yaml | 82 ++++++++++++++++++++++++
 .github/workflows/codeql-analysis.yml | 44 +++++++++++++
 .github/workflows/dependabot_updates.yml | 47 ++++++++++++++
 3 files changed, 173 insertions(+)
 create mode 100644 .github/workflows/check.yaml
 create mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/dependabot_updates.yml
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
new file mode 100644
index 0000000..14f8dce
--- /dev/null
+++ b/.github/workflows/check.yaml
@@ -0,0 +1,82 @@
+# This workflow will install Python dependencies,
+# run tests with a variety of Python versions,
+# and upload a new build to TestPyPI.
+#
+# For more information see:
+# https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Code Check
+
+on: [ push ]
+
+jobs:
+ test:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-latest]
+ python-version: [
+ '3.9',
+ '3.10',
+ '3.11',
+ '3.12',
+ ]
+ env:
+ PYTHON_VERSION: ${{ matrix.python-version }}
+
+ steps:
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install Poetry
+ uses: Gr1N/setup-poetry@v9
+
+ - name: Install library and dependencies
+ run: |
+ poetry run pip install --upgrade pip setuptools
+ poetry install --with tests
+
+ - name: Run pre-commit Check
+ uses: pre-commit/action@v3.0.1
+
+ - name: Run Pytest + Coverage
+ run: |
+ poetry run pytest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PLATFORM: ${{ matrix.os }}
+
+ # - name: Upload Results to CodeCov
+ # if: success()
+ # uses: codecov/codecov-action@v5
+ # with:
+ # env_vars: TOXENV
+ # fail_ci_if_error: false
+ # files: ./tests/reports/coverage-html/index.html,./tests/reports/coverage.xml
+ # flags: unittests
+ # name: ${{ matrix.os }} - Python ${{ matrix.python-version }}
+ # token: ${{ secrets.CODECOV_TOKEN }}
+
+
+ # testpypi-deploy:
+ # name: Build and publish Python 🐍 distributions 📦 to TestPyPI
+ # runs-on: ubuntu-latest
+ # needs: test
+ # steps:
+
+ # - name: Checkout repository
+ # uses: actions/checkout@v4
+
+ # - name: Publish distribution 📦 to Test PyPI
+ # uses: JRubics/poetry-publish@v2.0
+ # continue-on-error: true
+ # with:
+ # pypi_token: ${{ secrets.TEST_PYPI_PASSWORD }}
+ # repository_name: 'testpypi'
+ # repository_url: 'https://test.pypi.org/legacy/'
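Review bot: The workflow declares no `permissions:` block, so the `test` job runs with the repository's default GITHUB_TOKEN scope, and that token is then exported into the test process in the `Run Pytest + Coverage` step, where the test suite and everything `poetry install --with tests` pulled in can read it. Add a top-level `permissions:` / `  contents: read` and pass `GITHUB_TOKEN` to pytest only if a test demonstrably needs it. The third-party actions `Gr1N/setup-poetry@v9` and `pre-commit/action@v3.0.1` are pinned to mutable tags; pinning to a full commit SHA with the tag recorded in a trailing comment removes the tag-retargeting supply-chain exposure, and the same applies to `dependabot/fetch-metadata@v2.2.0` in dependabot_updates.yml. The header comment says the workflow will "upload a new build to TestPyPI", but the `testpypi-deploy` job and the CodeCov upload are commented out; either delete the dead blocks or reword the header to describe only what runs.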
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..a77ba61
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,44 @@
+# Analyses the code quality of the project
+
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ analyse:
+ name: Analyse
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'python' ]
+
+ steps:
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependabot_updates.yml b/.github/workflows/dependabot_updates.yml
new file mode 100644
index 0000000..867268d
--- /dev/null
+++ b/.github/workflows/dependabot_updates.yml
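Review bot: The header comment `# Analyses the code quality of the project` misdescribes the workflow: CodeQL here is a static security analysis whose findings are uploaded to code scanning, which is why the job grants `security-events: write`. Replace it with `# Runs CodeQL static security analysis on pushes and PRs to main and nightly; results go to code scanning`. The job-scoped `permissions:` block is the right least-privilege shape and is worth keeping as the template for the other two workflows in this commit. The `Autobuild` step is, as far as I can tell, a no-op for a Python-only matrix with codeql-action v3, since the Python extractor no longer needs a build step; confirm against the action's documentation and drop it if so.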
@@ -0,0 +1,47 @@
+# This workflow enables Dependabot to automatically merge dependency updates
+
+name: Dependabot reviewer
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ review-dependabot-pr:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+ steps:
+
+ - name: Dependabot metadata
+ id: dependabot-metadata
+ uses: dependabot/fetch-metadata@v2.2.0
+
+ - name: Enable auto-merge for Dependabot PRs
+ run: gh pr merge --auto --merge "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Approve patch and minor updates
+ if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' }}
+ run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a patch or minor update**"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Approve major updates of development dependencies
+ if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:development' }}
+ run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a major update of a dependency used only in development**"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Comment on major updates of non-development dependencies
+ if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }}
+ run: |
+ gh pr comment $PR_URL --body "I'm **not approving** this PR because **it includes a major update of a dependency used in production**"
+ gh pr edit $PR_URL --add-label "requires-manual-qa"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}