From 7d2b257e7a0dbe62106aee5c19c69198c8f78f87 Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Thu, 30 May 2024 14:39:22 -0500
Subject: [PATCH] ci(backport): Update CI permissions changes (#2505)

* Backport:
- PR https://github.com/scikit-hep/pyhf/pull/2363
- PR https://github.com/scikit-hep/pyhf/pull/2479
- PR https://github.com/scikit-hep/pyhf/pull/2481
- PR https://github.com/scikit-hep/pyhf/pull/2483
- PR https://github.com/scikit-hep/pyhf/pull/2489
---
 .github/workflows/bump-version.yml | 5 ++
 .github/workflows/ci-windows.yml | 50 +++++++++++++++++++
 .github/workflows/ci.yml | 3 ++
 .github/workflows/codeql-analysis.yml | 7 +++
 .github/workflows/dependencies-head.yml | 3 ++
 .github/workflows/docker.yml | 6 +++
 .github/workflows/docs.yml | 3 ++
 .github/workflows/lint.yml | 3 ++
 .../workflows/lower-bound-requirements.yml | 5 +-
 .github/workflows/merged.yml | 3 ++
 .github/workflows/notebooks.yml | 5 +-
 .github/workflows/publish-package.yml | 4 +-
 .github/workflows/release_tests.yml | 7 +++
 .github/workflows/semantic-pr-check.yml | 6 +++
 14 files changed, 107 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/ci-windows.yml

diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 3a5b1f0142..e63bf7c940 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -33,8 +33,13 @@ on:
 description: 'Perform a dry run to check'
 default: true
+permissions:
+ contents: read
+
 jobs:
 bump-version:
+ permissions:
+ contents: write # for Git to git push
 runs-on: ubuntu-latest
 if: github.repository == 'scikit-hep/pyhf'
diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml
new file mode 100644
index 0000000000..0dbef41600
--- /dev/null
+++ b/.github/workflows/ci-windows.yml
@@ -0,0 +1,50 @@
+name: CI on Windows
+
+on:
+ # Run daily at 1:23 UTC
+ schedule:
+ - cron: '23 1 * * *'
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [windows-latest]
+ python-version: ['3.9', '3.10', '3.11', '3.12']
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install dependencies
+ run: |
+ python -m pip install uv
+ uv pip install --system --upgrade pip setuptools wheel
+ uv pip install --system --upgrade '.[all,test]'
+
+ - name: List installed Python packages
+ run: python -m pip list
+
+ - name: Test with pytest and coverage
+ # FIXME: ignore tests/test_scripts.py as runner breaks on Windows currently
+ run: |
+ coverage run --module pytest --ignore tests/test_scripts.py --ignore tests/contrib --ignore tests/benchmarks --ignore tests/test_notebooks.py
+
+ - name: Coverage report for core project
+ run: |
+ coverage report
+ coverage xml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 588d759f5e..6088875367 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 test:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7d680f58d3..507b0c7808 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
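Review bot: The `strategy:` block in the new `ci-windows.yml` has no `fail-fast: false`, so on this scheduled run the first failing Python version cancels the remaining matrix entries and the nightly loses their signal; add `fail-fast: false` directly under `strategy:`. The last step's `coverage xml` writes a report that no later step in the file uploads or reads, so either it is dead or the upload step was not backported with the file. `actions/checkout@v4` and `actions/setup-python@v5` are pinned only to a major tag; that is consistent with `publish-package.yml` in this same patch, but if the repository pins other workflows to commit SHAs this new file should match.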
@@ -15,8 +15,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
 name: Analyze
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dependencies-head.yml b/.github/workflows/dependencies-head.yml
index 849cf6fea4..feaf00a5ec 100644
--- a/.github/workflows/dependencies-head.yml
+++ b/.github/workflows/dependencies-head.yml
@@ -10,6 +10,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 release-candidates:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index bd9b5527f4..e3b4616fa3 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -20,9 +20,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 docker:
 name: Build, test, and publish Docker images to Docker Hub
+ permissions:
+ contents: read
+ packages: write # for docker to push to registry
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 365aeff43b..c434195821 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -14,6 +14,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build docs
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fdce2d7b28..5cc93cb35c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 lint:
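Review bot: In the `docker.yml` hunk, `packages: write` on the `docker` job grants the GITHUB_TOKEN write access to GitHub Packages (ghcr.io), while the job's own name says it publishes to Docker Hub, which is authenticated with a separate secret and needs no token scope; the job's steps lie outside the hunk, so this is inferred. If no step pushes to ghcr.io, the scope is unused and should be dropped so the job stays at `contents: read`; if one does, make the comment say which registry the scope serves, e.g. `packages: write # for pushing images to ghcr.io (GitHub Packages)`, since "the registry" is ambiguous next to a Docker Hub job name.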
diff --git a/.github/workflows/lower-bound-requirements.yml b/.github/workflows/lower-bound-requirements.yml
index 4b170d67ac..dd1593b164 100644
--- a/.github/workflows/lower-bound-requirements.yml
+++ b/.github/workflows/lower-bound-requirements.yml
@@ -6,6 +6,9 @@ on:
 - cron: '1 0 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 test:
@@ -26,7 +29,7 @@ jobs:
 - name: Install dependencies and force lowest bound
 run: |
- python -m pip install --upgrade pip setuptools wheel
+ python -m pip install --upgrade pip 'setuptools<70.0.0' wheel
 python -m pip --no-cache-dir install --constraint tests/constraints.txt .[test]
 - name: List installed Python packages
diff --git a/.github/workflows/merged.yml b/.github/workflows/merged.yml
index 3923caaffe..cce0e42670 100644
--- a/.github/workflows/merged.yml
+++ b/.github/workflows/merged.yml
@@ -5,6 +5,9 @@ on:
 types: [closed]
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 binder:
 name: Trigger Binder build
diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml
index 29d6df0605..50580dfa86 100644
--- a/.github/workflows/notebooks.yml
+++ b/.github/workflows/notebooks.yml
@@ -10,6 +10,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 test:
@@ -41,4 +44,4 @@ jobs:
 # Override the ini option for filterwarnings with an empty list to disable error
 # on filterwarnings as testing for notebooks to run with the latest API, not if
 # Jupyter infrastructure is warning free.
- pytest --override-ini filterwarnings= tests/test_notebooks.py
+ pytest --verbose --override-ini filterwarnings= tests/test_notebooks.py
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index eeb8131afa..7f798b3616 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
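Review bot: The new `'setuptools<70.0.0'` cap in the second `lower-bound-requirements.yml` hunk carries no explanation of what breaks at 70, so nobody will know when the cap can be lifted; add a comment line above the install, such as `# FIXME: setuptools >=70 breaks <fill in the failing step>; drop the cap once fixed`. The cap is applied only in this pip invocation, while the next line installs under `--constraint tests/constraints.txt`; if that constraints file also names setuptools the two could disagree, but the file is not in the patch so this is only a check to make.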
@@ -25,6 +25,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build Python distribution
@@ -32,7 +35,6 @@ jobs:
 permissions:
 id-token: write
 attestations: write
- contents: read
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/release_tests.yml b/.github/workflows/release_tests.yml
index f5c1904260..89162bf60f 100644
--- a/.github/workflows/release_tests.yml
+++ b/.github/workflows/release_tests.yml
@@ -10,6 +10,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 pypi_release:
@@ -45,6 +48,10 @@ jobs:
 - name: Canary test public API
 run: |
+ # Override the ini option for filterwarnings with an empty list to disable error on filterwarnings
+ # as testing the latest release API still works, not the release is warning free.
+ # Though still show warnings by setting warning control to 'default'.
+ export PYTHONWARNINGS='default'
 pytest tests/test_public_api.py
 # FIXME: c.f. https://github.com/proycon/codemetapy/issues/24
diff --git a/.github/workflows/semantic-pr-check.yml b/.github/workflows/semantic-pr-check.yml
index 143ec8377e..f7f0d13283 100644
--- a/.github/workflows/semantic-pr-check.yml
+++ b/.github/workflows/semantic-pr-check.yml
@@ -11,9 +11,15 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 main:
+ permissions:
+ pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
+ statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
 name: Validate PR title
 runs-on: ubuntu-latest
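Review bot: Removing `contents: read` from the `build` job in the second `publish-package.yml` hunk leaves that job's token with only `id-token: write` and `attestations: write`, because a job-level `permissions:` block replaces the workflow-level one rather than merging with it. The `actions/checkout@v4` step right below still works while the repository is public, but it would fail on a private fork, and an explicit scope documents that the checkout is intended; I would keep the line as `contents: read # for actions/checkout to fetch code`, matching the comment style the patch uses in `codeql-analysis.yml`.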
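Review bot: The comment added in the second `release_tests.yml` hunk says the ini `filterwarnings` option is overridden with an empty list, but the line that follows only runs `export PYTHONWARNINGS='default'`, which does not touch the ini option at all. pytest applies ini filters on top of the interpreter-level ones, so if the project's ini sets `error` this export most likely leaves that in place (inferred; the ini file is not in the patch). `notebooks.yml` in this same patch does what the comment describes with `--override-ini filterwarnings=`; either use that form here, `pytest --override-ini filterwarnings= tests/test_public_api.py`, or reword the comment to say only that warning display is set to `default`.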