feat: Removes mutation of .pre-commit-config.yaml by seCureLI (#264) #700
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow will install Python dependencies, run tests and lint with a single version of Python | |
| # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python | |
| # These jobs are specifically designed to test the codebase | |
| # and ensure that basic contributing from both mac and windows will work | |
| # Once both windows and mac builds are successful, the next steps will | |
| # - using semantic-version will version the code, pushing the version back to the repo | |
| # - push a package to pypi | |
| # - push a formula to the homebrew repo | |
| name: secureliCI | |
| on: | |
| push | |
| jobs: | |
| build-windows: | |
| runs-on: windows-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up Python 3.9 | |
| id: setup-python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.9" | |
| - name: Set Up Project | |
| run: | | |
| pip install poetry | |
| poetry install | |
| - name: Run Tests | |
| run: | | |
| poetry run poe precommit | |
| # Both of these lines error when run on a windows image, more research required as to why | |
| # poetry run poe coverage | |
| # poetry run secureli build | |
| build-linux: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Get App Token | |
| uses: tibdex/github-app-token@v1 | |
| id: app_token | |
| with: | |
| app_id: 360953 | |
| private_key: ${{ secrets.ACTIONHELPER }} | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Validate Branch name | |
| run: ./scripts/get-current-branch.sh | |
| - name: Set up Python 3.9 | |
| id: setup-python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: "3.9" | |
| - name: Set Up Project | |
| run: | | |
| pip install poetry | |
| poetry install | |
| - name: Run Tests | |
| run: | | |
| export GH_TOKEN=${{ secrets.ADMIN_TOKEN_SASCHA }} | |
| poetry run poe precommit | |
| poetry run poe coverage | |
| poetry run secureli build | |
| secureli-release-noop: | |
| needs: [ build-linux, build-windows ] | |
| if: github.ref != 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| concurrency: release | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Python Semantic Release | |
| uses: relekang/python-semantic-release@master | |
| with: | |
| root_options: -vv --noop | |
| secureli-release: | |
| needs: [ build-linux, build-windows ] | |
| if: github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| concurrency: release | |
| permissions: | |
| id-token: write | |
| contents: write | |
| outputs: | |
| uploaded: ${{ steps.upload.outputs.uploaded }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.ADMIN_TOKEN_SASCHA }} | |
| - name: Python Semantic Release | |
| id: release | |
| uses: python-semantic-release/python-semantic-release@v8.0.4 | |
| with: | |
| github_token: ${{ secrets.ADMIN_TOKEN_SASCHA }} | |
| - name: Upload assets to GitHub Releases | |
| id: upload | |
| run: | | |
| if [[ -d dist ]]; then | |
| if [[ -n "$(find ./dist -name 'secureli*' -print -quit)" ]]; then | |
| export GH_TOKEN=${{ secrets.ADMIN_TOKEN_SASCHA }} | |
| gh release upload ${{ steps.release.outputs.tag }} ./dist/secureli* | |
| echo "uploaded=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "uploaded=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| else | |
| echo "uploaded=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Display Output | |
| run: echo uploaded=${{ steps.upload.outputs.uploaded }} | |
| secureli-publish: | |
| name: Upload release to PyPI | |
| if: github.ref == 'refs/heads/main' && needs.secureli-release.outputs.uploaded == 'true' | |
| runs-on: ubuntu-latest | |
| needs: secureli-release | |
| permissions: | |
| id-token: write # IMPORTANT: this permission is mandatory for trusted publishing | |
| steps: | |
| - name: Display Inputs | |
| run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }} | |
| - name: Checkout seCureLI Repo | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| - run: | | |
| pip install poetry | |
| poetry install | |
| poetry build | |
| - name: Publish package distributions to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| skip-existing: true | |
| deploy: | |
| name: Upload Homebrew Formula | |
| if: github.ref == 'refs/heads/main' && needs.secureli-release.outputs.uploaded == 'true' | |
| runs-on: ubuntu-latest | |
| needs: secureli-release | |
| steps: | |
| - name: Display Inputs | |
| run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }} | |
| - name: Get App Token | |
| uses: tibdex/github-app-token@v1 | |
| id: app_token | |
| with: | |
| app_id: 360953 | |
| private_key: ${{ secrets.ACTIONHELPER }} | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| - name: Checkout seCureLI Homebrew Repo | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: slalombuild/homebrew-secureli | |
| token: ${{ secrets.ADMIN_TOKEN_SASCHA }} | |
| path: homebrew-secureli | |
| ref: main | |
| fetch-depth: 0 | |
| - name: Homebrew Formula Generation | |
| env: | |
| GH_TOKEN: ${{ secrets.ADMIN_TOKEN_SASCHA }} | |
| run: ./scripts/secureli-deployment.sh |