Skip to content

fix: github workflow vulnerable to script injection #916

fix: github workflow vulnerable to script injection

fix: github workflow vulnerable to script injection #916

Workflow file for this run

name: build
on:
push:
branches:
- '*'
tags-ignore:
- 'v[0-9]*'
pull_request:
workflow_call:
inputs:
skip_codecov:
type: boolean
required: false
default: false
jobs:
unittests:
runs-on: ubuntu-latest
# We want to run on external PRs, but not on our own internal PRs as they'll be run
# by the push to the branch.
if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
strategy:
matrix:
include:
- python-version: "3.10"
resolution: "lowest-direct"
- python-version: 3.13
resolution: "highest"
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install a specific version of uv
uses: astral-sh/setup-uv@v3
with:
version: "latest"
- name: Make uv use system python
run: echo "UV_SYSTEM_PYTHON=true" >> $GITHUB_ENV
- name: Install Packages
run: |
# Install as an editable so that the coverage path
# is predicable
uv pip install --resolution=${{ matrix.resolution }} -e ".[extra,test]"
- name: Environment Information
run: |
uv pip list
- name: Run Tests
run: |
coverage erase
make test
- name: List Directory
run: |
ls -la
- uses: actions/upload-artifact@v3
if: failure()
with:
name: result-images
path: tests/result_images/
if-no-files-found: ignore
# To change secrets
# https://app.codecov.io/github/has2k1/plotnine/settings
# https://github.com/has2k1/plotnine/settings/secrets/actions
- name: Upload coverage to Codecov
if: ${{ !inputs.skip_codecov }}
uses: codecov/codecov-action@v4
with:
name: "py${{ matrix.python-version }}"
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true
lint-and-format:
runs-on: ubuntu-latest
# We want to run on external PRs, but not on our own internal PRs as they'll be run
# by the push to the branch.
if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
strategy:
matrix:
python-version: [3.13]
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install a specific version of uv
uses: astral-sh/setup-uv@v3
with:
version: "latest"
- name: Make uv use system python
run: echo "UV_SYSTEM_PYTHON=true" >> $GITHUB_ENV
- name: Install Packages
run: uv tool install ruff
- name: Environment Information
run: uv pip list
- name: Check lint with Ruff
shell: bash
run: |
make lint
- name: Check format with Ruff
shell: bash
run: |
make format
typecheck:
runs-on: ubuntu-latest
# We want to run on external PRs, but not on our own internal PRs as they'll be run
# by the push to the branch.
if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
strategy:
matrix:
python-version: [3.13]
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install a specific version of uv
uses: astral-sh/setup-uv@v3
with:
version: "latest"
- name: Make uv use system python
run: echo "UV_SYSTEM_PYTHON=true" >> $GITHUB_ENV
- name: Install Packages
run: |
uv pip install ".[extra, typing]"
- name: Environment Information
run: uv pip list
- name: Run Tests
run: make typecheck
call-build-documentation:
if: |
github.event_name == 'push' ||
github.event.pull_request.head.repo.full_name != github.repository
uses: ./.github/workflows/documentation.yml
build-website:
# Requires all the previous jobs to pass
needs: [unittests, lint-and-format, typecheck, call-build-documentation]
if: |
github.event_name == 'push' &&
github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Build Website (Dev)
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.PAT_PLOTNINE_WEBSITE }}
repository: has2k1/plotnine.org
event-type: push-plotnine-main