Build a documentation site with mkdocs to allow testing more reusable…
… workflows (#28)

* docs: Add all necessary files for building the documentation with mkdocs

* docs: Update ignore settings

* docs: Add numbered lists to main Readme to enable easier visibility into the total number of actions/workflows in the repo

* docs: Add documentation around the GitHub Actions Environments used by the various reusable workflows

* ci: Test on windows to try to catch failures

* ci: Convert all references to tags in Workflows to commit SHAs

* docs: Update changelog
nfelt14 authored Aug 30, 2024
1 parent b3a26c4 commit 4ad7e69
Showing 48 changed files with 1,316 additions and 121 deletions.
Expand Up @@ -14,11 +14,11 @@ jobs:
env:
PACKAGE_NAME: ${{ inputs.package-name }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
with:
python-version-file: pyproject.toml
- name: Install package to check
Expand All @@ -33,7 +33,7 @@ jobs:
griffe check --format=verbose --against="$(git rev-parse origin/main)" --search=src "$PACKAGE_NAME" 2>&1 | tee -a breaking_changes.md
- name: Finish writing summary file
run: echo "\`\`\`" >> breaking_changes.md
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
with:
name: breaking_changes
path: breaking_changes.md
8 changes: 4 additions & 4 deletions .github/workflows/_reusable-codeql-analysis.yml
Expand Up @@ -25,14 +25,14 @@ jobs:
language: ${{ fromJSON(inputs.languages-array) }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@be8b74c09c1778bcdbea38e1a45efea2cb73e18c
with:
languages: ${{ matrix.language }}
queries: ${{ inputs.codeql-queries }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@be8b74c09c1778bcdbea38e1a45efea2cb73e18c
with:
category: /language:${{matrix.language}}
# Check that all jobs passed
Expand All @@ -42,6 +42,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@v1.2.2
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
with:
jobs: ${{ toJSON(needs) }}
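Review bot: The new SHA pins on the `uses:` lines in this file (checkout, codeql-action init/analyze, alls-green) carry no trailing version comment, so a reader cannot tell which release a 40-character hash stands for, and the version comment that Dependabot keeps in step with the hash is missing. Append the resolved tag as a comment on each pinned line, e.g. `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # <resolved tag, e.g. v4.x.y>`, so the runner still resolves only the SHA while the intended version stays visible. The same applies to every pinned line in the other workflow files of this commit (enforce-community-standards, package-build, package-release, package-testpypi, publish-api-comparison, publish-test-results, sbom-scan), and it matters most in the two publish-* workflows, which appear to run on `workflow_run` and therefore execute third-party actions with the repository's token. In package-release the comment would also record that python-semantic-release and upload-to-gh-release are meant to stay on the same release, which two unrelated hashes no longer show. Both hunks here sit inside jobs whose headers lie above the hunk.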
6 changes: 3 additions & 3 deletions .github/workflows/_reusable-enforce-community-standards.yml
Expand Up @@ -21,9 +21,9 @@ jobs:
- .github/dependabot.@(yml|yaml)
- .github/workflows/codeql-analysis.@(yml|yaml)
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Ensure ${{ matrix.filename }} exists
uses: andstor/file-existence-action@v3
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6
with:
files: ${{ matrix.filename }}
ignore_case: false
Expand All @@ -36,6 +36,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@v1.2.2
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
with:
jobs: ${{ toJSON(needs) }}
10 changes: 5 additions & 5 deletions .github/workflows/_reusable-package-build.yml
Expand Up @@ -33,10 +33,10 @@ jobs:
id-token: write
attestations: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
fetch-depth: 0
- uses: hynek/build-and-inspect-python-package@v2.8.0
- uses: hynek/build-and-inspect-python-package@2dbbf2b252d3a3c7cec7a810e3ed5983bd17b13a
id: build-pkg
with:
attest-build-provenance-github: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }}
Expand All @@ -54,12 +54,12 @@ jobs:
python-version: ${{ fromJSON(inputs.python-versions-array) }}
steps:
- name: Download built packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
name: Packages
path: dist
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
with:
python-version: ${{ matrix.python-version }}
check-latest: true
Expand All @@ -80,6 +80,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@v1.2.2
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe
with:
jobs: ${{ toJSON(needs) }}
28 changes: 14 additions & 14 deletions .github/workflows/_reusable-package-release.yml
Expand Up @@ -91,7 +91,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: python-versions-array input missing
if: ${{ inputs.build-and-publish-python-package == true && (inputs.python-versions-array == null || inputs.python-versions-array == '') }}
run: |
Expand Down Expand Up @@ -124,7 +124,7 @@ jobs:
id-token: write
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
fetch-depth: 0
token: ${{ secrets.checkout-token }}
Expand All @@ -139,7 +139,7 @@ jobs:
previous-changelog-filepath: ${{ inputs.previous-changelog-filepath }}
previous-release-notes-filepath: ${{ inputs.previous-release-notes-filepath }}
- name: Python Semantic Release
uses: python-semantic-release/python-semantic-release@v9.8.7
uses: python-semantic-release/python-semantic-release@708671d0eb33bcbea78c5a3d81ae04c60deeddf3
id: release
with:
force: ${{ inputs.release-level }}
Expand All @@ -162,12 +162,12 @@ jobs:
id-token: write
attestations: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
ref: main # Make sure to check out the latest commit on main, not the original commit that triggered the workflow
fetch-depth: 0
- name: Build package
uses: hynek/build-and-inspect-python-package@v2.8.0
uses: hynek/build-and-inspect-python-package@2dbbf2b252d3a3c7cec7a810e3ed5983bd17b13a
with:
attest-build-provenance-github: 'true'
# Upload the official package version to TestPyPI
Expand All @@ -182,12 +182,12 @@ jobs:
id-token: write
steps:
- name: Download built packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
name: Packages
path: dist
- name: Upload package to Test PyPI
uses: pypa/gh-action-pypi-publish@v1.9.0
uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0
with:
password: ${{ secrets.test-pypi-api-token }}
repository-url: https://test.pypi.org/legacy/
Expand All @@ -203,12 +203,12 @@ jobs:
id-token: write
steps:
- name: Download built packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
name: Packages
path: dist
- name: Upload package to PyPI
uses: pypa/gh-action-pypi-publish@v1.9.0
uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0
with:
password: ${{ secrets.pypi-api-token }}
# Upload the official package binaries to the GitHub Release
Expand All @@ -222,17 +222,17 @@ jobs:
id-token: write
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
ref: main # Make sure to check out the latest commit on main, not the original commit that triggered the workflow
fetch-depth: 0
- name: Download built packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
name: Packages
path: dist
- name: Publish package distributions to GitHub Releases
uses: python-semantic-release/upload-to-gh-release@v9.8.7
uses: python-semantic-release/upload-to-gh-release@17c75b706f81263690a0a0dc88d83415f783fc04
with:
root_options: -v --strict
github_token: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -260,13 +260,13 @@ jobs:
- ' --index-url=https://test.pypi.org/simple/ --extra-index-url=https://pypi.org/simple'
steps:
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
with:
python-version: ${{ matrix.python-version }}
check-latest: true
- name: Test installing package
# A retry is used to allow for some downtime before the package is installable
uses: nick-fields/retry@v3
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e
with:
timeout_minutes: 10
max_attempts: 5
14 changes: 7 additions & 7 deletions .github/workflows/_reusable-package-testpypi.yml
Expand Up @@ -28,15 +28,15 @@ jobs:
id-token: write
attestations: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
fetch-depth: 0
- uses: tektronix/python-package-ci-cd/actions/create_unique_testpypi_version@v1.1.1
id: create-version
with:
package-name: ${{ inputs.package-name }}
- name: Build package
uses: hynek/build-and-inspect-python-package@v2.8.0
uses: hynek/build-and-inspect-python-package@2dbbf2b252d3a3c7cec7a810e3ed5983bd17b13a
with:
attest-build-provenance-github: 'true'
outputs:
Expand All @@ -51,12 +51,12 @@ jobs:
id-token: write
steps:
- name: Download built packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
name: Packages
path: dist
- name: Upload package to Test PyPI
uses: pypa/gh-action-pypi-publish@v1.9.0
uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0
with:
password: ${{ secrets.test-pypi-api-token }}
repository-url: https://test.pypi.org/legacy/
Expand All @@ -68,14 +68,14 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
with:
python-version-file: pyproject.toml
- name: Test installing from test.pypi.org
# A retry is used to allow for some downtime before the package is installable
uses: nick-fields/retry@v3
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e
with:
timeout_minutes: 10
max_attempts: 5
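Review bot: `tektronix/python-package-ci-cd/actions/create_unique_testpypi_version@v1.1.1` in the first hunk (a context line the commit leaves untouched) is still referenced by a mutable tag while every surrounding `uses:` in the file was moved to a commit SHA. Because this is the repository's own action the tag is under the same maintainers' control, so the exposure is lower than for third-party refs, but it remains the one reference in the file that a tag move would silently retarget. Either pin it the same way, `uses: tektronix/python-package-ci-cd/actions/create_unique_testpypi_version@<commit SHA the v1.1.1 tag resolves to> # v1.1.1`, or add a comment on that line recording why the tag is deliberately kept. The enclosing job's header lies above the hunk.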
10 changes: 5 additions & 5 deletions .github/workflows/_reusable-publish-api-comparison.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
if: ${{ github.event.workflow_run.event == 'pull_request' && !contains(fromJSON('["skipped", "cancelled", "failed"]'), github.event.workflow_run.conclusion) }}
steps:
- name: Download and Extract Artifacts
uses: dawidd6/action-download-artifact@v6
uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11
with:
run_id: ${{ github.event.workflow_run.id }}
name: breaking_changes
Expand All @@ -25,11 +25,11 @@ jobs:
fi
- name: Fetch PR number
id: pr
uses: 8BitJonny/gh-get-current-pr@3.0.0
uses: 8BitJonny/gh-get-current-pr@08e737c57a3a4eb24cec6487664b243b77eb5e36
with:
sha: ${{ github.event.workflow_run.head_sha }}
- name: Publish API Breaking Changes Check Results
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
if: ${{ env.BREAKING_CHANGES == 'true' }}
with:
header: breaking-api-changes
Expand All @@ -38,7 +38,7 @@ jobs:
path: artifacts/breaking_changes.md
- name: Add workflow link to comment
if: ${{ env.BREAKING_CHANGES == 'true' }}
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
with:
header: breaking-api-changes
number: ${{ steps.pr.outputs.number }}
Expand All @@ -47,7 +47,7 @@ jobs:
<p><a href="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}">Link to workflow run</a></p>
- name: Delete comment if no breaking changes are found
if: ${{ env.BREAKING_CHANGES == 'false' }}
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
with:
header: breaking-api-changes
number: ${{ steps.pr.outputs.number }}
8 changes: 4 additions & 4 deletions .github/workflows/_reusable-publish-test-results.yml
Expand Up @@ -22,25 +22,25 @@ jobs:
os-name: ${{ fromJSON(inputs.operating-systems-array) }}
steps:
- name: Download and Extract Artifacts
uses: dawidd6/action-download-artifact@v6
uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11
with:
run_id: ${{ github.event.workflow_run.id }}
name: artifact_${{ matrix.os-name }}_tests
path: artifacts
- name: Fetch PR number
id: pr
uses: 8BitJonny/gh-get-current-pr@3.0.0
uses: 8BitJonny/gh-get-current-pr@08e737c57a3a4eb24cec6487664b243b77eb5e36
with:
sha: ${{ github.event.workflow_run.head_sha }}
- name: Publish Test Results
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
with:
header: test-results-${{ matrix.os-name }}
number: ${{ steps.pr.outputs.number }}
recreate: true
path: artifacts/.results_tests/github_report.md
- name: Add workflow link to comment
uses: marocchino/sticky-pull-request-comment@v2
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31
with:
header: test-results-${{ matrix.os-name }}
number: ${{ steps.pr.outputs.number }}
14 changes: 7 additions & 7 deletions .github/workflows/_reusable-sbom-scan.yml
Expand Up @@ -11,38 +11,38 @@ jobs:
create-and-scan-sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
with:
python-version-file: pyproject.toml
- name: Create lockfile
run: |
pip install poetry
poetry lock
- name: Create SBOM
uses: anchore/sbom-action@v0
uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a
with:
format: spdx-json
output-file: ${{ github.event.repository.name }}-sbom.spdx.json
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1
if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
with:
subject-path: ${{ github.event.repository.name }}-sbom.spdx.json
- name: Scan SBOM
uses: anchore/scan-action@v4
uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5
id: scan
with:
sbom: ${{ github.event.repository.name }}-sbom.spdx.json
fail-build: true
severity-cutoff: low
- name: Upload SBOM scan SARIF report as a workflow artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
with:
name: sarif_artifact
path: ${{ steps.scan.outputs.sarif }}
if-no-files-found: error
- name: Upload SBOM scan SARIF report to GitHub UI Security tab
if: ${{ github.event_name != 'pull_request' }}
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@be8b74c09c1778bcdbea38e1a45efea2cb73e18c
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
