Skip to content

CI: fix sigstore pipeline step (#1330) #3533

CI: fix sigstore pipeline step (#1330)

CI: fix sigstore pipeline step (#1330) #3533

name: build
on: # cf. https://gh.neting.ccmunity/t/how-to-trigger-an-action-on-push-or-pull-request-but-not-both/16662
push:
branches:
- master
pull_request:
branches:
- master
jobs:
test:
strategy:
matrix:
python-version: ['3.8', '3.9', '3.10', '3.11', '3.12', '3.13']
platform: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout πŸ›ŽοΈ
uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python-version }} πŸ”§
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python-version }}
- name: Install system dependencies βš™οΈ
if: matrix.platform == 'ubuntu-latest'
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install ghostscript libjpeg-dev
- name: Install qpdf βš™οΈ
if: matrix.platform == 'ubuntu-latest' && matrix.python-version != '3.9'
# We run the unit tests WITHOUT qpdf for a single parallel execution / Python version:
run: sudo apt-get update --allow-releaseinfo-change && sudo apt-get install qpdf
- name: Install Python dependencies βš™οΈ
run: |
python -m pip install --upgrade pip setuptools wheel
pip install --upgrade . -r test/requirements.txt -r docs/requirements.txt -r contributors/requirements.txt
- name: Statically checking code πŸ”Ž
if: matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
run: |
pip install --upgrade . -r test/linters-requirements.txt
black --check .
pylint fpdf test tutorial/tuto*.py
bandit -c .banditrc.yml -r contributors/ fpdf/ tutorial/
semgrep scan --config auto --error --strict --exclude-rule=python.lang.security.insecure-hash-function.insecure-hash-function fpdf
- name: Scan current project
if: matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
uses: anchore/scan-action@v3
with:
path: "."
fail-build: true
- name: Checking all PDF samples β˜‘
if: matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
run: |
# Using qpdf
find . -name '*.pdf' | xargs -n 1 sh -c 'qpdf --check --password=fpdf2 $0 || exit 255'
export PYTHONPATH=$PWD
# Using VeraPDF:
scripts/install-verapdf.sh
scripts/verapdf.py --process-all-test-pdf-files
scripts/verapdf.py --print-aggregated-report
# Using Datalogics PDF Checker:
scripts/install-pdfchecker.sh
scripts/pdfchecker.py --process-all-test-pdf-files
scripts/pdfchecker.py --print-aggregated-report
- name: Running tests β˜‘
env:
CHECK_EXEC_TIME: ${{ matrix.python-version == '3.9' && 'test-enabled' || '' }}
CHECK_RSS_MEMORY: ${{ matrix.python-version == '3.13' && 'test-enabled' || '' }}
run: |
# Ensuring there is no `generate=True` left remaining in calls to assert_pdf_equal:
grep -IRF generate=True test/ && exit 1
# Executing all tests:
pytest -vv --trace-memory-usage
- name: Running tests with the minimal versions of fpdf2 direct dependencies β˜‘
if: matrix.python-version == '3.8' && matrix.platform == 'ubuntu-latest'
run: |
# We ensure that those minimal versions remain compatible:
sed -i '/install_requires/,/\n/s/>=/==/' setup.cfg
pip install .
# Targetting only a subset of tests because: A) it's faster and B) some tests are dependant on a specific version of fonttools or Pillow
pytest -vv test/barcodes test/drawing test/errors test/image/test_load_image.py test/metadata test/shapes test/signing test/text_region test/utils
- name: Uploading coverage report to codecov.io β˜‘
if: matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
run: bash <(curl -s https://codecov.io/bash)
- name: Generating HTML documentation πŸ—οΈ
# As build_contributors_html_page.py can hang due to GitHub rate-limiting,
# we only execute this on master for now. And it should always be executed for one Python version only.
if: github.ref == 'refs/heads/master' && matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
env:
# Needed by contributors/build_contributors_html_page.py:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
mkdir -p public/
# Setting PDF manual version:
sed -i "s/author:.*/author: v$(python setup.py -V 2>/dev/null)/" mkdocs.yml
cp tutorial/notebook.ipynb docs/
mkdocs build
pdoc --html -o public/ fpdf --config "git_link_template='https://github.com/py-pdf/fpdf2/blob/{commit}/{path}#L{start_line}-L{end_line}'"
scripts/add_pdoc_to_search_index.py
cd contributors/ && PYTHONUNBUFFERED=1 ./build_contributors_html_page.py py-pdf/fpdf2
cp -t ../public/ contributors.html contributors-map-small.png
- name: Deploy documentation πŸš€
# GitHub Pages deployment should not be done for all Python versions,
# otherwise commits will conflict on the gh-pages branch:
if: github.ref == 'refs/heads/master' && matrix.python-version == '3.13' && matrix.platform == 'ubuntu-latest'
uses: peaceiris/actions-gh-pages@v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: public/
publish:
if: github.ref == 'refs/heads/master'
runs-on: ubuntu-latest
environment:
name: pypi
url: https://pypi.org/p/fpdf2
permissions:
# Trusted publishing configured there: https://pypi.org/manage/project/fpdf2/settings/publishing/
id-token: write
steps:
- name: Checkout πŸ›ŽοΈ
uses: actions/checkout@v3
- name: Set up Python 3.13 πŸ”§
uses: actions/setup-python@v4
with:
python-version: '3.13'
- name: Building distributions for Pypi πŸ—οΈ
id: build
run: |
echo Versions already released on Pypi: $(curl -Ls 'https://pypi.org/pypi/fpdf2/json' | jq -r '.releases|keys[]')
pip install --upgrade setuptools twine wheel .
echo Current code version: $(python setup.py -V)
# Checking if current code version has already been released:
if ! curl -Ls 'https://pypi.org/pypi/fpdf2/json' | jq -r '.releases|keys[]' | grep "^$(python setup.py -V)\$"; then echo publish=yes >> "$GITHUB_OUTPUT"; python setup.py sdist bdist_wheel; twine check dist/*; fi
- name: Publish package distributions to PyPI πŸš€
if: steps.build.outputs.publish == 'yes'
uses: pypa/gh-action-pypi-publish@release/v1
# Doc: https://github.com/marketplace/actions/pypi-publish
with:
print-hash: true
- name: Generate & release sigstore signatures πŸ”‘
if: steps.build.outputs.publish == 'yes'
uses: sigstore/gh-action-sigstore-python@v3.0.0
# Doc: https://github.com/marketplace/actions/gh-action-sigstore-python
with:
inputs: ./dist/*.tar.gz ./dist/*.whl
# For this setting to work, this pipeline should be triggered by a "release" event:
release-signing-artifacts: true