Safety run for all dependencies must succeed for releases

Details:

* The safety run for all dependencies now must succeed when the test workflow
  is run for a release (i.e. branch name 'release_...').

Signed-off-by: Andreas Maier <maiera@de.ibm.com>

.github/workflows/test.yml

@@ -206,6 +206,22 @@ jobs:
       PIP_DISABLE_PIP_VERSION_CHECK: 1
       PIP_NO_PYTHON_VERSION_WARNING: 1
     steps:
+    - name: Set run type (normal, scheduled, release)
+      id: set-run-type
+      uses: actions/github-script@v6
+      with:
+        result-encoding: string
+        script: |
+          var result
+          if ("${{ github.event_name }}" == "schedule") {
+            result = "scheduled"
+          } else if ("${{ github.head_ref }}".match(/^release_/)) {
+            result = "release"
+          } else {
+            result = "normal"
+          }
+          console.log(result)
+          return result
     - name: Checkout repo
       uses: actions/checkout@v4
       with:
@@ -222,42 +238,37 @@ jobs:
     - name: Install the package and its dependents
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make install
     - name: Show installed package versions
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Installed Python packages:"
         pip list
     - name: Development setup
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make develop
     - name: Show installed package versions
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Installed Python packages:"
         pip list
     - name: Show package dependency tree
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Package dependency tree of installed Python packages:"
         python -m pipdeptree --all
     - name: Run docs
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make docs
     - name: Check that module .rst files are up to date
       # Because the Ansible rst generator changed its output over time, we only
       # check this on the latest Python release with latest package levels.
       if: ${{ matrix.python-version == '3.11' && matrix.package_level == 'latest' }}
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         bash -c "if ! git diff --exit-code HEAD docs/source/modules; then
           echo 'Error: Module .rst files are not up to date in this PR. Run make docslocal to update.';
@@ -266,6 +277,7 @@ jobs:
     - name: Run check
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make check
     - name: Run sanity
@@ -274,22 +286,26 @@ jobs:
       if: ${{ ! ( matrix.python-version == '2.7' ) }}
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make sanity
     - name: Run ansible_lint
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make ansible_lint
     - name: Run unit/function test
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
         # TESTCASES: test_partition.py
       run: |
         make test
     - name: Run mocked end2end test
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
         # TESTCASES: test_partition.py
       run: |
         make end2end_mocked
@@ -309,11 +325,13 @@ jobs:
     - name: Run check_reqs
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make check_reqs
     - name: Run safety
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make safety
 

Makefile

@@ -46,6 +46,11 @@ else
   endif
 endif
 
+# Run type (normal, scheduled, release)
+ifndef RUN_TYPE
+  RUN_TYPE := normal
+endif
+
 # Determine OS platform make runs on
 ifeq ($(OS),Windows_NT)
   PLATFORM := Windows
@@ -480,7 +485,7 @@ ifeq ($(python_m_n_version),3.5)
 else
 	@echo "Makefile: Running Safety for all packages"
 	-$(call RM_FUNC,$@)
-	-safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report
+	bash -c "safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report || test '$(RUN_TYPE)' != 'release' || exit 1"
 	echo "done" >$@
 	@echo "Makefile: Done running Safety"
 endif

docs/source/development.rst

@@ -311,14 +311,27 @@ local clone of the zhmc-ansible-modules Git repo.
 
         make authors
 
-6.  Commit your changes and push the topic branch to the remote repo:
+6.  Run the Safety tool:
+
+    .. code-block:: sh
+
+        RUN_TYPE=release make safety
+
+    When releasing a version, the safety run for all dependencies will fail
+    if there are any safety issues reported. In normal and scheduled runs,
+    safety issues reported for all dependencies will be ignored.
+
+    If the safety run fails, you need to fix the safety issues that are
+    reported.
+
+7.  Commit your changes and push the topic branch to the remote repo:
 
     .. code-block:: sh
 
         git commit -asm "Release ${MNU}"
         git push --set-upstream origin release_${MNU}
 
-7.  On GitHub, create a Pull Request for branch ``release_M.N.U``.
+8.  On GitHub, create a Pull Request for branch ``release_M.N.U``.
 
     Important: When creating Pull Requests, GitHub by default targets the
     ``master`` branch. When releasing based on a stable branch, you need to
@@ -328,18 +341,18 @@ local clone of the zhmc-ansible-modules Git repo.
     tests for all defined environments, since it discovers by the branch name
     that this is a PR for a release.
 
-8.  On GitHub, once the checks for that Pull Request have succeeded, merge the
+9.  On GitHub, once the checks for that Pull Request have succeeded, merge the
     Pull Request (no review is needed). This automatically deletes the branch
     on GitHub.
 
     If the PR did not succeed, fix the issues.
 
-9.  On GitHub, close milestone ``M.N.U``.
+10. On GitHub, close milestone ``M.N.U``.
 
     Verify that the milestone has no open items anymore. If it does have open
     items, investigate why and fix.
 
-10. Publish the collection to Ansible Galaxy
+11. Publish the collection to Ansible Galaxy
 
     .. code-block:: sh
 
@@ -355,7 +368,7 @@ local clone of the zhmc-ansible-modules Git repo.
     it on Github, and finally creates a new stable branch on Github if the master
     branch was released.
 
-11. Verify the publishing
+12. Verify the publishing
 
     * Verify that the new version is available on Ansible Galaxy at
       https://galaxy.ansible.com/ibm/ibm_zhmc/
@@ -370,7 +383,7 @@ local clone of the zhmc-ansible-modules Git repo.
     * Verify that the new version has documentation on Github pages at
       https://zhmcclient.github.io/zhmc-ansible-modules/release_notes.html
 
-12. Publish the collection to Ansible AutomationHub
+13. Publish the collection to Ansible AutomationHub
 
     This needs to be done in addition to the prior publish step, and it
     has not successfully been automated as of today.

docs/source/release_notes.rst

@@ -58,6 +58,9 @@ Availability: `AutomationHub`_, `Galaxy`_, `GitHub`_
   minimum-constraints-install.txt file that is included by the existing
   minimum-constraints.txt file. (issue #939)
 
+* The safety run for all dependencies now must succeed when the test workflow
+  is run for a release (i.e. branch name 'release_...').
+
 **Cleanup:**
 
 * Increased versions of GitHub Actions plugins to increase node.js runtime