From 0bb91c5654db04ad15182dc8c0e491ae0664394f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 31 Jan 2023 13:06:42 -0500 Subject: [PATCH 1/6] Update pre-commit hooks Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back to be updated independently to v6. --- .pre-commit-config.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 25f8d1d..2764bb4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.4.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.32.2 + rev: v0.33.0 hooks: - id: markdownlint args: @@ -41,7 +41,7 @@ repos: hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.28.0 + rev: v1.29.0 hooks: - id: yamllint args: @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.18.4 + rev: 0.21.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v2.20.0 + rev: v3.0.2 hooks: - id: validate_manifest 
@@ -88,25 +88,25 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 22.10.0 + rev: 22.12.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 5.0.4 + rev: 6.0.0 hooks: - id: flake8 additional_dependencies: - flake8-docstrings - repo: https://github.com/PyCQA/isort - rev: 5.10.1 + rev: 5.12.0 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.990 + rev: v0.991 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.2.0 + rev: v3.3.1 hooks: - id: pyupgrade @@ -119,7 +119,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 + rev: v1.77.0 hooks: - id: terraform_fmt - id: terraform_validate From 313e79263e8b6a1fbd311e5b9543a2b9a99ab93b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 2 Feb 2023 13:56:59 -0500 Subject: [PATCH 2/6] Add a security label --- .github/labels.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index 500b000..5b16492 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -53,6 +53,9 @@ - color: "ef476c" description: This issue is a request for information or needs discussion name: question +- color: "d73a4a" + description: This issue or pull request addresses a security issue + name: security - color: "00008b" description: This issue or pull request adds or otherwise modifies test code name: test From 0c52e4684d527fdcb991f49c2e0957d1b5fc087a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 11 Jan 2023 00:54:03 -0500 Subject: [PATCH 3/6] Update wheel installation in the `test-build` job Retrieve the wheel to a `dist/` sub-directory and get the name of the specific file (wheel) to be installed. Then update the installation step to use this found filename instead of a wildcard. --- .github/workflows/build.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index baa8c3b..bcacbea 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -289,12 +289,14 @@ jobs: uses: actions/download-artifact@v3 with: name: dist-${{ matrix.python-version }} - - name: Install testing dependencies - run: | - python -m pip install --upgrade pip setuptools wheel - python -m pip install --upgrade pytest pytest-cov - - name: Install the built wheel (there should only be one) - run: python -m pip install *.whl + path: dist + - id: find-wheel + name: Get the name of the retrieved wheel (there should only be one) + run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT + - name: Update core Python packages + run: python -m pip install --upgrade pip setuptools wheel + - name: Install the built wheel + run: python -m pip install ${{ steps.find-wheel.outputs.wheel }} - name: Run tests env: RELEASE_TAG: ${{ github.event.release.tag_name }} From 22bce632cd5d850d5ec8e48ac3f5b8aee5fb24c4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 11 Jan 2023 00:56:10 -0500 Subject: [PATCH 4/6] Install the `test` dependencies of the built wheel When installing the wheel that was built in the `build` job we will also install the `test` optional dependencies. --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bcacbea..00b6dc7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
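Review bot: In patch 3/6, the new install step expands `${{ steps.find-wheel.outputs.wheel }}` directly into the `run:` script, so the file name carried by the downloaded artifact is parsed as shell text before pip ever sees it. That name comes from `ls dist/*whl` over an artifact produced by an earlier job, which on pull-request runs is presumably built from the contributor's tree, so it is safer handled as data. Add `env:` with `WHEEL: ${{ steps.find-wheel.outputs.wheel }}` to the step and change the command to `run: python -m pip install "$WHEEL"` (assuming the job runs under bash, as the `$(...)` in the find-wheel step suggests). In the find-wheel step, `dist/*whl` matches any name ending in `whl`, and a second match would append a bare line to the output file; `dist/*.whl` with a quoted `"$GITHUB_OUTPUT"` is tighter. The same interpolation is kept by patch 4/6, which only appends `[test]` to it.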
@@ -295,8 +295,8 @@ jobs: run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT - name: Update core Python packages run: python -m pip install --upgrade pip setuptools wheel - - name: Install the built wheel - run: python -m pip install ${{ steps.find-wheel.outputs.wheel }} + - name: Install the built wheel (along with testing dependencies) + run: python -m pip install ${{ steps.find-wheel.outputs.wheel }}[test] - name: Run tests env: RELEASE_TAG: ${{ github.event.release.tag_name }} From 659a9eb05185633c4ee1cc5e88f0cdbc94f94cc2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Feb 2023 14:04:21 -0500 Subject: [PATCH 5/6] Adjust key order in the build workflow Sort all pre-`steps` keys alphabetically descending. Sorting all keys alphabetically would be somewhat onerous because the `strategy` key would come after the `steps` key even though it's configuration information. We can at least sort everything but the `steps` key in alphabetically descending order and make the `steps` the last for a job. --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 00b6dc7..82f1382 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -195,10 +195,10 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE build: - runs-on: ${{ matrix.os }} needs: - lint - test + runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: @@ -248,9 +248,9 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test-build: - runs-on: ${{ matrix.os }} needs: - build + runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: From 0f3dd3911b05a9488cf13c34d46ca19d62a875ff Mon Sep 17 00:00:00 2001 
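Review bot: In patch 4/6, the `[test]` suffix on the install command is unquoted, so bash reads it as a bracket glob attached to the wheel path. It normally falls through as literal text when nothing matches, but that depends on the shell's glob options and on what else sits beside the wheel in `dist/`. Quote the whole requirement and pass the path through the environment instead of expanding it into the script: put `WHEEL: ${{ steps.find-wheel.outputs.wheel }}` under the step's `env:` and use `run: python -m pip install "${WHEEL}[test]"`. The step's surrounding job definition lies outside this hunk.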
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Feb 2023 14:14:05 -0500 Subject: [PATCH 6/6] Make build workflow job names more descriptive Add `name` keys to the `test`, `build`, and `test-build` jobs that are both more descriptive and include the Python version from the job's matrix. This will produce consistent and more helpful job names in the GitHub Actions log in the GitHub web UI. --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 82f1382..ab4a66f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -103,6 +103,7 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test: + name: test source - py${{ matrix.python-version }} runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -195,6 +196,7 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE build: + name: build wheel - py${{ matrix.python-version }} needs: - lint - test @@ -248,6 +250,7 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test-build: + name: test built wheel - py${{ matrix.python-version }} needs: - build runs-on: ${{ matrix.os }}