diff --git a/.github/workflows/_audit.yml b/.github/workflows/_audit.yml
index af3d1a9f5..533166fab 100644
--- a/.github/workflows/_audit.yml
+++ b/.github/workflows/_audit.yml
@@ -2,7 +2,7 @@ name: "Audit"
 on:
 workflow_call:
- # No inputs needed at this time
+ # No secrets needed
 jobs:
 audit:
diff --git a/.github/workflows/_build-native-only.yml b/.github/workflows/_build-native-only.yml
index 480e2ede2..37d6134bd 100644
--- a/.github/workflows/_build-native-only.yml
+++ b/.github/workflows/_build-native-only.yml
@@ -2,7 +2,7 @@ name: "Build Native Only"
 on:
 workflow_call:
- # No inputs needed at this time
+ # No secrets needed
 env:
 # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15
diff --git a/.github/workflows/_codeql.yml b/.github/workflows/_codeql.yml
index 4ad786abd..b312360fa 100644
--- a/.github/workflows/_codeql.yml
+++ b/.github/workflows/_codeql.yml
@@ -2,7 +2,7 @@ name: "CodeQL Analysis"
 on:
 workflow_call:
- # No inputs needed at this time
+ # No secrets needed
 jobs:
 analyze:
diff --git a/.github/workflows/_docker-publish.yml b/.github/workflows/_docker-publish.yml
index c405ff444..5c80281f9 100644
--- a/.github/workflows/_docker-publish.yml
+++ b/.github/workflows/_docker-publish.yml
@@ -2,7 +2,11 @@ name: "Publish Docker Image"
 on:
 workflow_call:
- # No inputs needed at this time
+ secrets:
+ DOCKER_USERNAME:
+ required: false
+ DOCKER_PASSWORD:
+ required: false
 jobs:
 docker_publish:
diff --git a/.github/workflows/_ketryx_report_and_check.yml b/.github/workflows/_ketryx_report_and_check.yml
index 2caee52b9..21232425f 100644
--- a/.github/workflows/_ketryx_report_and_check.yml
+++ b/.github/workflows/_ketryx_report_and_check.yml
@@ -2,7 +2,11 @@ name: "Report build to Ketryx and check for approval"
 on:
 workflow_call:
- # No inputs needed at this time
+ secrets:
+ KETRYX_PROJECT:
+ required: false
+ KETRYX_API_KEY:
+ required: false
 env:
 # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15
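Review bot: In the `_docker-publish.yml` hunk, `DOCKER_USERNAME` and `DOCKER_PASSWORD` are declared with `required: false`, so a caller that omits or misspells one of them is not rejected at workflow-call validation; the value arrives empty and the job only fails later, inside whichever step uses it, with a less obvious error. If the publish job cannot run without these secrets (the consuming step is not visible here), `required: true` gives a fail-fast and makes the call contract explicit; the same applies to `_ketryx_report_and_check.yml` in this hunk run and to the `secrets:` blocks added in `_package-publish.yml`, `_scheduled-audit.yml`, `_scheduled-test.yml` and `_test.yml`. Where a secret really is optional, a one-line comment next to it stating which step is skipped without it, e.g. `# optional: only used by the <STEP NAME> step`, would save the next maintainer from guessing.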
@@ -35,7 +39,7 @@ jobs:
 - name: Report build to Ketryx and check for approval
 if: (!contains(github.event.head_commit.message, 'skip:ketryx'))
- uses: Ketryx/ketryx-github-action@v1.4.0
+ uses: Ketryx/ketryx-github-action@40b13ef68c772e96e58ec01a81f5b216d7710186 # v1.4.0
 continue-on-error: true # TODO(Helmut): Remove post having Ketryx configured to inspect the main branch
 with:
 project: ${{ secrets.KETRYX_PROJECT }}
diff --git a/.github/workflows/_lint.yml b/.github/workflows/_lint.yml
index bba8346a9..91e7b59d0 100644
--- a/.github/workflows/_lint.yml
+++ b/.github/workflows/_lint.yml
@@ -2,7 +2,7 @@ name: "Lint"
 on:
 workflow_call:
- # No inputs needed at this time
+ # No secrets needed
 jobs:
 lint:
diff --git a/.github/workflows/_package-publish.yml b/.github/workflows/_package-publish.yml
index e2a0a6004..f9023fa1e 100644
--- a/.github/workflows/_package-publish.yml
+++ b/.github/workflows/_package-publish.yml
@@ -2,7 +2,13 @@ name: "Publish Package"
 on:
 workflow_call:
- # No inputs needed at this time
+ secrets:
+ UV_PUBLISH_TOKEN:
+ required: false
+ SLACK_WEBHOOK_URL_RELEASE_ANNOUNCEMENT:
+ required: false
+ SLACK_CHANNEL_ID_RELEASE_ANNOUNCEMENT:
+ required: false
 env:
 # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15
@@ -167,7 +173,11 @@ jobs:
 - name: Publish distribution to Python Package Index at pypi.org
 shell: bash
- run: uv publish -t ${{ secrets.UV_PUBLISH_TOKEN }}
+ env:
+ UV_PUBLISH_TOKEN: ${{ secrets.UV_PUBLISH_TOKEN }}
+ run: |
+ # Use uv's credential storage - uv will read from UV_PUBLISH_TOKEN env var automatically
+ uv publish
 - name: Download test results for ubuntu-latest generated in _test.yml
 if: (!contains(github.event.head_commit.message, 'skip:test:all'))
diff --git a/.github/workflows/_scheduled-audit.yml b/.github/workflows/_scheduled-audit.yml
index e1499a3b8..5997435fd 100644
--- a/.github/workflows/_scheduled-audit.yml
+++ b/.github/workflows/_scheduled-audit.yml
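Review bot: The run-block comment in the `_package-publish.yml` publish step, `# Use uv's credential storage - uv will read from UV_PUBLISH_TOKEN env var automatically`, overstates what happens: nothing is stored, uv reads the token from the `UV_PUBLISH_TOKEN` environment variable when the command runs. A more accurate comment would also record why the token was moved out of argv, e.g. `# uv reads the token from UV_PUBLISH_TOKEN; keeping it off the command line keeps it out of process listings and step logs`. Since the calling `package_publish` job in `ci-cd.yml` already grants `id-token: write`, PyPI trusted publishing via OIDC could replace the long-lived `UV_PUBLISH_TOKEN` entirely, provided the PyPI project is set up for it, which would also remove that secret from the `workflow_call` contract declared earlier in this hunk run. The publish job continues outside the hunk.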
@@ -2,7 +2,15 @@ name: "Scheduled Audit"
 on:
 workflow_call:
- # No inputs needed at this time
+ secrets:
+ AIGNOSTICS_CLIENT_ID_DEVICE:
+ required: false
+ AIGNOSTICS_REFRESH_TOKEN:
+ required: false
+ GCP_CREDENTIALS:
+ required: false
+ BETTERSTACK_AUDIT_HEARTBEAT_URL:
+ required: false
 jobs:
 audit-scheduled:
@@ -40,8 +48,10 @@ jobs:
 - name: Set up GCP credentials for bucket access
 shell: bash
+ env:
+ GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
 run: |
- echo "${{ secrets.GCP_CREDENTIALS }}" | base64 -d > credentials.json
+ echo "$GCP_CREDENTIALS" | base64 -d > credentials.json
 echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
 - name: Audit
diff --git a/.github/workflows/_scheduled-test.yml b/.github/workflows/_scheduled-test.yml
index 97390ed03..668d84b40 100644
--- a/.github/workflows/_scheduled-test.yml
+++ b/.github/workflows/_scheduled-test.yml
@@ -2,7 +2,15 @@ name: "Scheduled Test"
 on:
 workflow_call:
- # No inputs needed at this time
+ secrets:
+ AIGNOSTICS_CLIENT_ID_DEVICE:
+ required: false
+ AIGNOSTICS_REFRESH_TOKEN:
+ required: false
+ GCP_CREDENTIALS:
+ required: false
+ BETTERSTACK_HEARTBEAT_URL:
+ required: false
 jobs:
 test-scheduled:
@@ -40,8 +48,10 @@ jobs:
 - name: Set up GCP credentials for bucket access
 shell: bash
+ env:
+ GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
 run: |
- echo "${{ secrets.GCP_CREDENTIALS }}" | base64 -d > credentials.json
+ echo "$GCP_CREDENTIALS" | base64 -d > credentials.json
 echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
 - name: Test / scheduled
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
index f0c7922ba..ec1b858f3 100644
--- a/.github/workflows/_test.yml
+++ b/.github/workflows/_test.yml
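Review bot: In the `Set up GCP credentials for bucket access` step of `_scheduled-audit.yml`, the decoded service-account key is written to `credentials.json` in the current working directory, which is the checked-out workspace, and no later step removes it, so any step that packs, uploads or caches the workspace could carry the key along, and on a self-hosted runner it would persist after the job. Because `GCP_CREDENTIALS` is declared `required: false` and `base64 -d` accepts empty input, an unset secret also produces an empty file here and the failure only surfaces later in the audit step. Writing the file under `$RUNNER_TEMP`, failing early when the variable is empty and adding an `if: always()` cleanup step addresses both; the identical step appears in `_scheduled-test.yml` in this hunk run and in `_test.yml`. As the calling workflow grants `id-token: write`, Workload Identity Federation through `google-github-actions/auth` could replace the stored key altogether, if the GCP project allows it. The job body continues outside the hunk.

```yaml
      - name: Set up GCP credentials for bucket access
        shell: bash
        env:
          GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
        run: |
          [ -n "$GCP_CREDENTIALS" ] || { echo "GCP_CREDENTIALS is not set" >&2; exit 1; }
          echo "$GCP_CREDENTIALS" | base64 -d > "$RUNNER_TEMP/credentials.json"
          echo "GOOGLE_APPLICATION_CREDENTIALS=$RUNNER_TEMP/credentials.json" >> "$GITHUB_ENV"
      # … unchanged: Audit step …
      - name: Remove GCP credentials
        if: always()
        shell: bash
        run: rm -f "$RUNNER_TEMP/credentials.json"
```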
@@ -2,7 +2,17 @@ name: "Test"
 on:
 workflow_call:
- # No inputs needed at this time
+ secrets:
+ AIGNOSTICS_CLIENT_ID_DEVICE:
+ required: false
+ AIGNOSTICS_REFRESH_TOKEN:
+ required: false
+ GCP_CREDENTIALS:
+ required: false
+ CODECOV_TOKEN:
+ required: false
+ SONAR_TOKEN:
+ required: false
 env:
 # https://gist.github.com/NodeJSmith/e7e37f2d3f162456869f015f842bcf15
@@ -91,8 +101,10 @@ jobs:
 - name: Set up GCP credentials for bucket access
 shell: bash
+ env:
+ GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
 run: |
- echo "${{ secrets.GCP_CREDENTIALS }}" | base64 -d > credentials.json
+ echo "$GCP_CREDENTIALS" | base64 -d > credentials.json
 echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
 - name: Validate installation
diff --git a/.github/workflows/audit-scheduled.yml b/.github/workflows/audit-scheduled.yml
index e41bdad0a..e757cfbb4 100644
--- a/.github/workflows/audit-scheduled.yml
+++ b/.github/workflows/audit-scheduled.yml
@@ -10,4 +10,8 @@ jobs:
 permissions:
 contents: read
 id-token: write
- secrets: inherit
+ secrets:
+ AIGNOSTICS_CLIENT_ID_DEVICE: ${{ secrets.AIGNOSTICS_CLIENT_ID_DEVICE }}
+ AIGNOSTICS_REFRESH_TOKEN: ${{ secrets.AIGNOSTICS_REFRESH_TOKEN }}
+ GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
+ BETTERSTACK_AUDIT_HEARTBEAT_URL: ${{ secrets.BETTERSTACK_AUDIT_HEARTBEAT_URL }}
diff --git a/.github/workflows/build-native-only.yml b/.github/workflows/build-native-only.yml
index f77dbf519..1262df9d1 100644
--- a/.github/workflows/build-native-only.yml
+++ b/.github/workflows/build-native-only.yml
@@ -19,4 +19,3 @@ jobs:
 contents: write
 id-token: write
 packages: write
- secrets: inherit
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index d8a4054c5..f1f5f1fa8 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -21,7 +21,6 @@ jobs:
 contents: read
 id-token: write
 packages: read
- secrets: inherit
 audit:
 if: (!contains(github.event.head_commit.message, 'skip:ci')) && (!contains(github.event.head_commit.message, 'build:native:only'))
@@ -30,7 +29,6 @@ jobs:
 contents: read
 id-token: write
 packages: read
- secrets: inherit
 test:
 if: (!contains(github.event.head_commit.message, 'skip:ci')) && (!contains(github.event.head_commit.message, 'build:native:only'))
@@ -40,7 +38,12 @@ jobs:
 contents: read
 id-token: write
 packages: write
- secrets: inherit
+ secrets:
+ AIGNOSTICS_CLIENT_ID_DEVICE: ${{ secrets.AIGNOSTICS_CLIENT_ID_DEVICE }}
+ AIGNOSTICS_REFRESH_TOKEN: ${{ secrets.AIGNOSTICS_REFRESH_TOKEN }}
+ GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 codeql:
@@ -51,7 +54,6 @@ jobs:
 contents: read
 packages: read
 security-events: write
- secrets: inherit
 ketryx_report_and_check:
@@ -65,7 +67,9 @@ jobs:
 contents: write
 id-token: write
 packages: write
- secrets: inherit
+ secrets:
+ KETRYX_PROJECT: ${{ secrets.KETRYX_PROJECT }}
+ KETRYX_API_KEY: ${{ secrets.KETRYX_API_KEY }}
 package_publish:
@@ -78,7 +82,10 @@ jobs:
 contents: write
 id-token: write
 packages: write
- secrets: inherit
+ secrets:
+ UV_PUBLISH_TOKEN: ${{ secrets.UV_PUBLISH_TOKEN }}
+ SLACK_WEBHOOK_URL_RELEASE_ANNOUNCEMENT: ${{ secrets.SLACK_WEBHOOK_URL_RELEASE_ANNOUNCEMENT }}
+ SLACK_CHANNEL_ID_RELEASE_ANNOUNCEMENT: ${{ secrets.SLACK_CHANNEL_ID_RELEASE_ANNOUNCEMENT }}
 docker_publish:
@@ -91,4 +98,6 @@ jobs:
 contents: read
 id-token: write
 packages: write
- secrets: inherit
+ secrets:
+ DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+ DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/codeql-scheduled.yml b/.github/workflows/codeql-scheduled.yml
index dd80c6ab6..ea33590f2 100644
--- a/.github/workflows/codeql-scheduled.yml
+++ b/.github/workflows/codeql-scheduled.yml
@@ -12,4 +12,3 @@ jobs:
 contents: read
 packages: read
 security-events: write
- secrets: inherit
diff --git a/.github/workflows/test-scheduled.yml b/.github/workflows/test-scheduled.yml
index 1472e2a16..a87cb435e 100644
--- a/.github/workflows/test-scheduled.yml
+++ b/.github/workflows/test-scheduled.yml
@@ -10,4 +10,8 @@ jobs:
 permissions:
 contents: read
 id-token: write
- secrets: inherit
+ secrets:
+ AIGNOSTICS_CLIENT_ID_DEVICE: ${{ secrets.AIGNOSTICS_CLIENT_ID_DEVICE }}
+ AIGNOSTICS_REFRESH_TOKEN: ${{ secrets.AIGNOSTICS_REFRESH_TOKEN }}
+ GCP_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS }}
+ BETTERSTACK_HEARTBEAT_URL: ${{ secrets.BETTERSTACK_HEARTBEAT_URL }}
diff --git a/tests/aignostics/wsi/service_test.py b/tests/aignostics/wsi/service_test.py
index 88912797d..5ee2ef2b5 100644
--- a/tests/aignostics/wsi/service_test.py
+++ b/tests/aignostics/wsi/service_test.py
@@ -186,7 +186,7 @@ def test_serve_tiff_to_jpeg(user: User, silent_logging) -> None:
 assert image.height > 0
-def test_serve_tiff_to_jpeg_fails_on_broken_tiff(user: User, tmpdir) -> None:
+def test_serve_tiff_to_jpeg_fails_on_broken_tiff(user: User, tmpdir, silent_logging) -> None:
 """Test that the tiff route falls back as expected on broken tiff.
 - Spin up local webserver serving 4711 random bytes