Add zizmor security linter #134
```yaml
        run: |
          python -m pip install --upgrade pip
          pip install -U tox
      - name: Create tox environments
```
Instead of building the package and then running the tests in the same job can we have multiple stages? One where the package is built, one where the test suite is executed, and then one where it's published?
This avoids needing to install all the dev/test dependencies into the more critical build/publish jobs.
Good idea, something like:
- https://github.com/python/python-docs-theme/actions/runs/24636197159
- https://github.com/python/python-docs-theme/blob/6da68a738f3358fa85edc2d769a1a6adf8d5b860/.github/workflows/pypi-package.yml
I suggest doing this in a followup.
Let's move this to a different PR.
```yaml
          pip install -U tox
      - name: Create tox environments
        run: |
          tox -p -e py,build --notest
```
Can we avoid needing to install tox at all by installing build and twine via a lock file? It seems like the tox script may be a hold-over from when the package was built and published on a developer computer.
Yeah, and I don't think we need to run tests at all in this workflow, everything should be green in regular test CI before starting a release.
Or tests should be run in a separate job, isolated from release artifacts.
Again, good for a followup.
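The split suggested in the two threads above (build, test and publish as separate jobs, with `build` installed directly instead of through tox), as an added example that is not the project's own `pypi-package.yml`. It assumes the test suite can run against the installed wheel and that a `pypi` environment with trusted publishing is configured; action refs are shown as version tags, which zizmor's unpinned-uses check would want replaced by commit SHAs.

```yaml
# Added example, not the project's pypi-package.yml: three isolated jobs so
# test dependencies never reach the build or publish environments.
name: Build, test and publish

on:
  push:
    tags: ["*"]

permissions: {}   # no default token scopes; each job asks for what it needs

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { persist-credentials: false }  # keep GITHUB_TOKEN out of .git (zizmor: artipacked)
      - uses: actions/setup-python@v5
        with: { python-version: "3.x" }
      - run: python -m pip install build
      - run: python -m build                  # sdist and wheel into dist/
      - uses: actions/upload-artifact@v4
        with: { name: dist, path: dist/ }

  test:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4             # source tree only for the test suite
        with: { persist-credentials: false }
      - uses: actions/download-artifact@v4
        with: { name: dist, path: dist/ }
      - uses: actions/setup-python@v5
        with: { python-version: "3.x" }
      - run: python -m pip install pytest dist/*.whl   # test the built wheel, not the checkout
      - run: python -m pytest

  publish:
    needs: test
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write   # trusted publishing: no long-lived PyPI token in secrets
    steps:
      - uses: actions/download-artifact@v4
        with: { name: dist, path: dist/ }
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The publish job never checks out the repository or installs test tooling; the only input it receives is the artifact produced by `build` and exercised by `test`.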
Co-authored-by: Stan Ulbrych <stan@python.org>
Thanks!
And fix findings. Also update pre-commit and add some other useful hooks.
Will fail until #133 is merged.