Safety run for all dependencies now must succeed when releasing

Details: * The safety run for all dependencies now must succeed when the test workflow is run for a release (i.e. branch name 'release_...'). Signed-off-by: Andreas Maier <maiera@de.ibm.com>
zhmcclient · Mar 20, 2024 · 6a2d9c9 · 6a2d9c9
1 parent 52e8f47
commit 6a2d9c9
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 16 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -131,6 +131,22 @@ jobs:
       PIP_DISABLE_PIP_VERSION_CHECK: 1
       PIP_NO_PYTHON_VERSION_WARNING: 1
     steps:
+    - name: Set run type (normal, scheduled, release)
+      id: set-run-type
+      uses: actions/github-script@v6
+      with:
+        result-encoding: string
+        script: |
+          var result
+          if ("${{ github.event_name }}" == "schedule") {
+            result = "scheduled"
+          } else if ("${{ github.head_ref }}".match(/^release_/)) {
+            result = "release"
+          } else {
+            result = "normal"
+          }
+          console.log(result)
+          return result
     - name: Checkout repo
       uses: actions/checkout@v4
       with:
@@ -146,59 +162,61 @@ jobs:
     - name: Display platform and env vars
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make platform env
     - name: Install the package and its dependents
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make install
     - name: Show installed package versions
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Installed Python packages:"
         pip list
     - name: Development setup
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make develop
     - name: Show installed package versions
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Installed Python packages:"
         pip list
     - name: Show package dependency tree
-      env:
-        PACKAGE_LEVEL: ${{ matrix.package_level }}
       run: |
         echo "Package dependency tree of installed Python packages:"
         python -m pipdeptree --all
     - name: Run build
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make build
     - name: Run builddoc
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make builddoc
     - name: Run check
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make check
     - name: Run pylint
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make pylint
     - name: Run test
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
         # TESTCASES: test_cpc.py
       run: |
         make test
@@ -216,11 +234,13 @@ jobs:
     - name: Run check_reqs
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make check_reqs
     - name: Run safety
       env:
         PACKAGE_LEVEL: ${{ matrix.package_level }}
+        RUN_TYPE: ${{ steps.set-run-type.outputs.result }}
       run: |
         make safety
 

diff --git a/Makefile b/Makefile
@@ -48,6 +48,11 @@ else
   endif
 endif
 
+# Run type (normal, scheduled, release)
+ifndef RUN_TYPE
+  RUN_TYPE := normal
+endif
+
 # Determine OS platform make runs on.
 ifeq ($(OS),Windows_NT)
   ifdef PWD
@@ -524,7 +529,7 @@ ifeq ($(python_mn_version),3.6)
 else
 	@echo "Makefile: Running Safety"
 	-$(call RM_FUNC,$@)
-	-safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report
+	bash -c "safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report || test '$(RUN_TYPE)' != 'release' || exit 1"
 	echo "done" >$@
 	@echo "Makefile: Done running Safety"
 endif

diff --git a/docs/changes.rst b/docs/changes.rst
@@ -47,6 +47,9 @@ Released: not yet
   minimum-constraints-install.txt file that is included by the existing
   minimum-constraints.txt file.
 
+* The safety run for all dependencies now must succeed when the test workflow
+  is run for a release (i.e. branch name 'release_...').
+
 **Cleanup:**
 
 **Known issues:**

diff --git a/docs/development.rst b/docs/development.rst
@@ -428,14 +428,27 @@ local clone of the zhmccli Git repo.
 
         make authors
 
-7.  Commit your changes and push the topic branch to the remote repo:
+7.  Run the Safety tool:
+
+    .. code-block:: sh
+
+        RUN_TYPE=release make safety
+
+    When releasing a version, the safety run for all dependencies will fail
+    if there are any safety issues reported. In normal and scheduled runs,
+    safety issues reported for all dependencies will be ignored.
+
+    If the safety run fails, you need to fix the safety issues that are
+    reported.
+
+8.  Commit your changes and push the topic branch to the remote repo:
 
     .. code-block:: sh
 
         git commit -asm "Release ${MNU}"
         git push --set-upstream origin release_${MNU}
 
-8.  On GitHub, create a Pull Request for branch ``release_M.N.U``.
+9.  On GitHub, create a Pull Request for branch ``release_M.N.U``.
 
     Important: When creating Pull Requests, GitHub by default targets the
     ``master`` branch. When releasing based on a stable branch, you need to
@@ -450,19 +463,19 @@ local clone of the zhmccli Git repo.
     tests for all defined environments, since it discovers by the branch name
     that this is a PR for a release.
 
-9.  On GitHub, once the checks for that Pull Request have succeeded, merge the
+10. On GitHub, once the checks for that Pull Request have succeeded, merge the
     Pull Request (no review is needed). This automatically deletes the branch
     on GitHub.
 
     If the PR did not succeed, fix the issues.
 
-10. On GitHub, close milestone ``M.N.U``.
+11. On GitHub, close milestone ``M.N.U``.
 
     Verify that the milestone has no open items anymore. If it does have open
     items, investigate why and fix. If the milestone does not have open items
     anymore, close the milestone.
 
-11. Publish the package
+12. Publish the package
 
     .. code-block:: sh
 
@@ -478,7 +491,7 @@ local clone of the zhmccli Git repo.
     Github, and finally creates a new stable branch on Github if the master
     branch was released.
 
-12. Verify the publishing
+13. Verify the publishing
 
     Wait for the "publish" workflow for the new release to have completed:
     https://github.com/zhmcclient/zhmccli/actions/workflows/publish.yml

diff --git a/minimum-constraints-install.txt b/minimum-constraints-install.txt
@@ -1,4 +1,4 @@
-# Pip constraints file for imstall.
+# Pip constraints file for install.
 #
 # This constraints file specifies constraints that match the minimum versions
 # specified in the requirements files for install. The reason

diff --git a/minimum-constraints.txt b/minimum-constraints.txt
@@ -4,8 +4,6 @@
 # specified in the requirements files for install and development. The reason
 # for this approach is that in the CI systems, we want to be able to test with
 # the minimum package versions in order to catch any incorrect minimum versions
-# (see zhmcclient issue #199 as one example where a minimum version was
-# missing).
 
 # Make sure that the package versions in minimum-constraints.txt are also
 # the minimum versions required in requirements.txt and dev-requirements.txt.