Skip to content

Commit

Permalink
Also have zizmor check for low-severity security issues
Browse files Browse the repository at this point in the history
  • Loading branch information
AlexWaygood committed Dec 10, 2024
1 parent ab26d9c commit 9faad62
Show file tree
Hide file tree
Showing 5 changed files with 26 additions and 39 deletions.
24 changes: 12 additions & 12 deletions .github/workflows/build-binaries.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,9 @@ jobs:
args: --out dist
- name: "Test sdist"
run: |
pip install dist/${{ env.PACKAGE_NAME }}-*.tar.gz --force-reinstall
${{ env.MODULE_NAME }} --help
python -m ${{ env.MODULE_NAME }} --help
pip install dist/${PACKAGE_NAME}-*.tar.gz --force-reinstall
"${MODULE_NAME}" --help
python -m "${MODULE_NAME}" --help
- name: "Upload sdist"
uses: actions/upload-artifact@v4
with:
Expand Down Expand Up @@ -125,7 +125,7 @@ jobs:
args: --release --locked --out dist
- name: "Test wheel - aarch64"
run: |
pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
ruff --help
python -m ruff --help
- name: "Upload wheels"
Expand Down Expand Up @@ -186,9 +186,9 @@ jobs:
if: ${{ !startsWith(matrix.platform.target, 'aarch64') }}
shell: bash
run: |
python -m pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
${{ env.MODULE_NAME }} --help
python -m ${{ env.MODULE_NAME }} --help
python -m pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
"${MODULE_NAME}" --help
python -m "${MODULE_NAME}" --help
- name: "Upload wheels"
uses: actions/upload-artifact@v4
with:
Expand Down Expand Up @@ -236,9 +236,9 @@ jobs:
- name: "Test wheel"
if: ${{ startsWith(matrix.target, 'x86_64') }}
run: |
pip install dist/${{ env.PACKAGE_NAME }}-*.whl --force-reinstall
${{ env.MODULE_NAME }} --help
python -m ${{ env.MODULE_NAME }} --help
pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall
"${MODULE_NAME}" --help
python -m "${MODULE_NAME}" --help
- name: "Upload wheels"
uses: actions/upload-artifact@v4
with:
Expand Down Expand Up @@ -382,8 +382,8 @@ jobs:
run: |
apk add python3
python -m venv .venv
.venv/bin/pip3 install ${{ env.PACKAGE_NAME }} --no-index --find-links dist/ --force-reinstall
.venv/bin/${{ env.MODULE_NAME }} --help
.venv/bin/pip3 install "${PACKAGE_NAME}" --no-index --find-links dist/ --force-reinstall
.venv/bin/${MODULE_NAME} --help
- name: "Upload wheels"
uses: actions/upload-artifact@v4
with:
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/build-docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -87,9 +87,10 @@ jobs:
outputs: type=image,name=${{ env.RUFF_BASE_IMG }},push-by-digest=true,name-canonical=true,push=${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }}

- name: Export digests
env:
digest: ${{ steps.build.outputs.digest }}
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digests
Expand Down Expand Up @@ -143,7 +144,7 @@ jobs:
run: |
docker buildx imagetools create \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.RUFF_BASE_IMG }}@sha256:%s ' *)
$(printf '${RUFF_BASE_IMG}@sha256:%s ' *)
docker-publish-extra:
name: Publish additional Docker image based on ${{ matrix.image-mapping }}
Expand Down Expand Up @@ -182,7 +183,7 @@ jobs:
# Generate Dockerfile content
cat <<EOF > Dockerfile
FROM ${BASE_IMAGE}
COPY --from=${{ env.RUFF_BASE_IMG }}:latest /ruff /usr/local/bin/ruff
COPY --from=${RUFF_BASE_IMG}:latest /ruff /usr/local/bin/ruff
ENTRYPOINT []
CMD ["/usr/local/bin/ruff"]
EOF
Expand Down Expand Up @@ -288,4 +289,4 @@ jobs:
docker buildx imagetools create \
"${annotations[@]}" \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.RUFF_BASE_IMG }}@sha256:%s ' *)
$(printf '${RUFF_BASE_IMG}@sha256:%s ' *)
28 changes: 8 additions & 20 deletions .github/workflows/publish-docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,13 +49,11 @@ jobs:
- name: "Set branch name"
run: |
version="${{ env.version }}"
display_name="${{ env.display_name }}"
timestamp="$(date +%s)"
# create branch_display_name from display_name by replacing all
# characters disallowed in git branch names with hyphens
branch_display_name="$(echo "$display_name" | tr -c '[:alnum:]._' '-' | tr -s '-')"
branch_display_name="$(echo "${display_name}" | tr -c '[:alnum:]._' '-' | tr -s '-')"
echo "branch_name=update-docs-$branch_display_name-$timestamp" >> $GITHUB_ENV
echo "timestamp=$timestamp" >> $GITHUB_ENV
Expand Down Expand Up @@ -93,22 +91,18 @@ jobs:
run: mkdocs build --strict -f mkdocs.public.yml

- name: "Clone docs repo"
run: |
version="${{ env.version }}"
git clone https://${{ secrets.ASTRAL_DOCS_PAT }}@github.com/astral-sh/docs.git astral-docs
run: git clone https://${{ secrets.ASTRAL_DOCS_PAT }}@github.com/astral-sh/docs.git astral-docs

- name: "Copy docs"
run: rm -rf astral-docs/site/ruff && mkdir -p astral-docs/site && cp -r site/ruff astral-docs/site/

- name: "Commit docs"
working-directory: astral-docs
run: |
branch_name="${{ env.branch_name }}"
git config user.name "astral-docs-bot"
git config user.email "[email protected]"
git checkout -b $branch_name
git checkout -b "${branch_name}"
git add site/ruff
git commit -m "Update ruff documentation for $version"
Expand All @@ -117,12 +111,8 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.ASTRAL_DOCS_PAT }}
run: |
version="${{ env.version }}"
display_name="${{ env.display_name }}"
branch_name="${{ env.branch_name }}"
# set the PR title
pull_request_title="Update ruff documentation for $display_name"
pull_request_title="Update ruff documentation for "${display_name}""
# Delete any existing pull requests that are open for this version
# by checking against pull_request_title because the new PR will
Expand All @@ -131,12 +121,12 @@ jobs:
xargs -I {} gh pr close {}
# push the branch to GitHub
git push origin $branch_name
git push origin "${branch_name}"
# create the PR
gh pr create --base main --head $branch_name \
gh pr create --base main --head "${branch_name}" \
--title "$pull_request_title" \
--body "Automated documentation update for $display_name" \
--body "Automated documentation update for "${display_name}"" \
--label "documentation"
- name: "Merge Pull Request"
Expand All @@ -145,9 +135,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.ASTRAL_DOCS_PAT }}
run: |
branch_name="${{ env.branch_name }}"
# auto-merge the PR if the build was triggered by a release. Manual builds should be reviewed by a human.
# give the PR a few seconds to be created before trying to auto-merge it
sleep 10
gh pr merge --squash $branch_name
gh pr merge --squash "${branch_name}"
2 changes: 1 addition & 1 deletion .github/workflows/sync_typeshed.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:
with:
repository: python/typeshed
path: typeshed
persist-credentials: true
persist-credentials: false
- name: Setup git
run: |
git config --global user.name typeshedbot
Expand Down
2 changes: 0 additions & 2 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -95,8 +95,6 @@ repos:
# `release.yml` is autogenerated by `dist`; security issues need to be fixed there
# (https://opensource.axo.dev/cargo-dist/)
exclude: .github/workflows/release.yml
# We could consider enabling the low-severity warnings, but they're noisy
args: [--min-severity=medium]

- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.30.0
Expand Down

0 comments on commit 9faad62

Please sign in to comment.