safety run for all dependencies now must succeed for releases

Signed-off-by: Andreas Maier <maiera@de.ibm.com>
zhmcclient · Mar 21, 2024 · 270bfc5 · 270bfc5
1 parent da3746c
commit 270bfc5
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 7 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -130,6 +130,22 @@ jobs:
       PIP_DISABLE_PIP_VERSION_CHECK: 1
       PIP_NO_PYTHON_VERSION_WARNING: 1
     steps:
+    - name: Set run type (normal, scheduled, release)
+      id: set-run-type
+      uses: actions/github-script@v6
+      with:
+        result-encoding: string
+        script: |
+          var result
+          if ("${{ github.event_name }}" == "schedule") {
+            result = "scheduled"
+          } else if ("${{ github.head_ref }}".match(/^release_/)) {
+            result = "release"
+          } else {
+            result = "normal"
+          }
+          console.log(result)
+          return result
     - name: Checkout repo
       uses: actions/checkout@v3
       with:
@@ -141,6 +157,7 @@ jobs:
     - name: Display environment
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make env
     - name: Display initial Python packages
@@ -150,59 +167,61 @@ jobs:
     - name: Display platform
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make platform
     - name: Install the package and its dependents
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make install
     - name: Show installed package versions
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Installed Python packages:"
         pip list
     - name: Development setup
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make develop
     - name: Show installed package versions
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Installed Python packages:"
         pip list
     - name: Show package dependency tree
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Package dependency tree of installed Python packages:"
         pipdeptree --all
     - name: Run build
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make build
     - name: Run builddoc
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make builddoc
     - name: Run check
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make check
     - name: Run pylint
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make pylint
     - name: Run test
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
         # TESTCASES: TestParseArgs
       run: |
         make test
@@ -211,6 +230,7 @@ jobs:
       if: runner.os == 'Linux'
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make docker
     - name: Send coverage result to coveralls.io
@@ -227,11 +247,13 @@ jobs:
     - name: Run check_reqs
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make check_reqs
     - name: Run safety
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make safety
 

diff --git a/Makefile b/Makefile
@@ -40,6 +40,11 @@ ifndef PACKAGE_LEVEL
   PACKAGE_LEVEL := latest
 endif
 
+# Run type (normal, scheduled, release)
+ifndef RUN_TYPE
+  RUN_TYPE := normal
+endif
+
 # Determine OS platform make runs on.
 ifeq ($(OS),Windows_NT)
   ifdef PWD
@@ -263,7 +268,7 @@ ifeq ($(python_version),3.6)
 else
 	@echo "Makefile: Running Safety"
 	-$(call RM_FUNC,$@)
-	-safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report
+	bash -c "safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report || test '$(RUN_TYPE)' != 'release' || exit 1"
 	echo "done" >$@
 	@echo "Makefile: Done running Safety"
 endif

diff --git a/docs/changes.rst b/docs/changes.rst
@@ -69,6 +69,9 @@ Released: not yet
   minimum-constraints-install.txt file that is included by the existing
   minimum-constraints.txt file. (issue #64)
 
+* The safety run for all dependencies now must succeed when the test workflow
+  is run for a release (i.e. branch name 'release_...').
+
 **Cleanup:**
 
 * Increased versions of GitHub Actions plugins to increase node.js runtime