Workflow security fixes (#2023) #1058
name: Test Upstream Dependencies | |
on: | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- CHANGELOG.rst | |
- README.rst | |
- pyproject.toml | |
- src/xclim/__init__.py | |
schedule: | |
- cron: "0 0 * * *" # Daily “At 00:00” UTC | |
workflow_dispatch: # allows you to trigger the workflow run manually | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: | |
contents: read | |
jobs: | |
upstream-dev: | |
name: test-upstream-dev (Python${{ matrix.python-version }}) | |
runs-on: ubuntu-latest | |
permissions: | |
issues: write | |
if: | | |
(github.event_name == 'schedule') || | |
(github.event_name == 'workflow_dispatch') || | |
(github.event_name == 'push') | |
strategy: | |
fail-fast: false | |
matrix: | |
python-version: [ "3.12" ] | |
testdata-cache: [ '~/.cache/xclim-testdata' ] | |
defaults: | |
run: | |
shell: bash -l {0} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.electricitymap.org:443 | |
api.github.com:443 | |
api.green-coding.io:443 | |
api.securityscorecards.dev:443 | |
conda.anaconda.org:443 | |
dap.service.does.not.exist:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
ip-api.com:80 | |
ipapi.co:443 | |
objects.githubusercontent.com:443 | |
proxy.golang.org:4433 | |
pypi.org:443 | |
raw.githubusercontent.com:443 | |
repo.anaconda.com:443 | |
sum.golang.org:443 | |
- name: Start Measurement | |
uses: green-coding-solutions/eco-ci-energy-estimation@86f1b2ee12db687bca0d15160a529bb64a7b60d9 # v4.0.0 | |
with: | |
task: start-measurement | |
branch: ${{ github.head_ref || github.ref_name }} | |
- name: Checkout Repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
fetch-depth: 0 # Fetch all history for all branches and tags. | |
persist-credentials: false | |
- name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} | |
uses: mamba-org/setup-micromamba@06375d89d211a1232ef63355742e9e2e564bc7f7 # v2.0.2 | |
with: | |
cache-downloads: true | |
cache-environment: true | |
environment-file: environment.yml | |
create-args: >- | |
eigen | |
pybind11 | |
pytest-reportlog | |
python=${{ matrix.python-version }} | |
- name: Micromamba version | |
run: | | |
echo "micromamba: $(micromamba --version)" | |
- name: Install upstream versions and SBCK | |
run: | | |
# git-based dependencies cannot be installed from hashes | |
python -m pip install -r CI/requirements_upstream.txt | |
python -m pip install "sbck @ git+https://github.com/yrobink/SBCK-python.git@master" | |
- name: Install xclim | |
run: | | |
python -m pip install --no-user --no-deps --editable . | |
- name: Check versions | |
run: | | |
micromamba list | |
xclim show_version_info | |
python -m pip check || true | |
- name: Setup Python Measurement | |
uses: green-coding-solutions/eco-ci-energy-estimation@86f1b2ee12db687bca0d15160a529bb64a7b60d9 # v4.0.0 | |
with: | |
task: get-measurement | |
label: 'Environment Setup (Upstream, Python${{ matrix.python-version }})' | |
continue-on-error: true | |
- name: Test Data Caching | |
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
with: | |
path: | | |
${{ matrix.testdata-cache }} | |
key: ${{ runner.os }}-xclim-testdata-upstream-${{ hashFiles('pyproject.toml', 'tox.ini') }} | |
- name: Run Tests | |
if: success() | |
id: status | |
run: | | |
python -m pytest --numprocesses=logical --durations=10 --cov=xclim --cov-report=term-missing --report-log output-${{ matrix.python-version }}-log.jsonl | |
- name: Generate and publish the report | |
if: | | |
failure() | |
&& steps.status.outcome == 'failure' | |
&& github.event_name == 'schedule' | |
&& github.repository_owner == 'Ouranosinc' | |
uses: xarray-contrib/issue-from-pytest-log@f94477e45ef40e4403d7585ba639a9a3bcc53d43 # v1.3.0 | |
with: | |
issue-title: "⚠️ Nightly upstream-dev CI failed for Python${{ matrix.python-version }} ⚠️" | |
log-path: output-${{ matrix.python-version }}-log.jsonl | |
- name: Tests measurement | |
uses: green-coding-solutions/eco-ci-energy-estimation@86f1b2ee12db687bca0d15160a529bb64a7b60d9 # v4.0.0 | |
with: | |
task: get-measurement | |
label: 'Testing and Reporting (Upstream, Python${{ matrix.python-version }})' | |
continue-on-error: true | |
- name: Show Energy Results | |
uses: green-coding-solutions/eco-ci-energy-estimation@86f1b2ee12db687bca0d15160a529bb64a7b60d9 # v4.0.0 | |
with: | |
task: display-results | |
continue-on-error: true |
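Review bot: `proxy.golang.org:4433` in the Harden Runner `allowed-endpoints` list looks like a typo for port 443; with `egress-policy: block` that entry permits nothing useful, and if any step does reach proxy.golang.org on 443 it will be blocked, so it should read `proxy.golang.org:443` (sum.golang.org on the next line already uses 443). `ip-api.com:80` is the only plaintext endpoint in the list, presumably for the eco-ci energy-estimation steps; an inline comment such as `# plaintext HTTP geolocation lookup, needed by eco-ci-energy-estimation` would make that exception reviewable rather than looking like an oversight. The `sbck @ git+https://github.com/yrobink/SBCK-python.git@master` install tracks a floating branch, which is expected for an upstream-dev job; extending the existing comment to `# git-based dependencies cannot be installed from hashes; SBCK deliberately tracks master as part of the upstream check` records that this is intentional and not a missed pin. `if: success()` on the Run Tests step is the default condition and can be dropped.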