Release v3.5.0
#3768
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Lint | |
| "on": | |
| workflow_call: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| concurrency: | |
| # Group workflow jobs so new commits cancels in-progress execution triggered by previous commits. | |
| # Source: https://mail.python.org/archives/list/pypa-committers@python.org/thread/PCBCQMJF64JGRBOX7E2EE4YLKHT4DI55/ | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} | |
| cancel-in-progress: true | |
| jobs: | |
| project-metadata: | |
| name: Project metadata | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| python_files: ${{ steps.project-metadata.outputs.python_files }} | |
| is_poetry_project: ${{ steps.project-metadata.outputs.is_poetry_project }} | |
| mypy_params: ${{ steps.project-metadata.outputs.mypy_params }} | |
| steps: | |
| - uses: actions/checkout@v4.1.6 | |
| with: | |
| # Checkout pull request HEAD commit to ignore actions/checkout's merge commit. Fallback to push SHA. | |
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| # We're going to browse all new commits. | |
| fetch-depth: 0 | |
| - name: Hack setup-python cache | |
| id: setup_python_hack | |
| # XXX Create an empty pyproject.toml if this file (or any *requirements.txt) can't be found in repository. | |
| # This hack fix an issue with setup-python, which ends up with this error in non-Python repos: | |
| # | |
| # Run actions/setup-python@v5.1.0 | |
| # with: | |
| # python-version: 3.12 | |
| # cache: pip | |
| # cache-dependency-path: | | |
| # **/pyproject.toml | |
| # requirements/*.txt | |
| # Installed versions | |
| # Successfully set up CPython (3.12.1) | |
| # Error: No file in /home/runner/work/awesome-iam/awesome-iam matched to | |
| # [requirements/*.txt or **/pyproject.toml], make sure you have checked out the target repository | |
| # | |
| # This has been reported at: https://github.com/actions/setup-python/issues/807 | |
| # In the future this might be addressed by: https://github.com/actions/setup-python/pull/762 | |
| # or https://github.com/actions/setup-python/issues/751 | |
| if: hashFiles('requirements/*.txt', '**/pyproject.toml') == '' | |
| run: | | |
| touch ./pyproject.toml | |
| echo "tmp_deps_file=true" >> "$GITHUB_OUTPUT" | |
| - uses: actions/setup-python@v5.1.0 | |
| with: | |
| python-version: "3.12" | |
| cache: "pip" | |
| cache-dependency-path: | | |
| **/pyproject.toml | |
| requirements/*.txt | |
| - name: Remove setup-python hack | |
| if: steps.setup_python_hack.outputs.tmp_deps_file | |
| run: | | |
| rm ./pyproject.toml | |
| - name: Install uv | |
| run: | | |
| python -m pip install uv | |
| - name: Install Poetry from pinned requirements.txt | |
| # uv needs a venv. See: https://github.com/astral-sh/uv/issues/1374 | |
| run: | | |
| uv venv --system | |
| uv pip install -r https://raw.githubusercontent.com/kdeldycke/workflows/main/requirements/metadata.txt | |
| - name: Project metadata | |
| id: project-metadata | |
| env: | |
| GITHUB_CONTEXT: ${{ toJSON(github) }} | |
| run: > | |
| source .venv/bin/activate && python -c "$(curl -fsSL | |
| https://raw.githubusercontent.com/kdeldycke/workflows/main/.github/metadata.py)" | |
| mypy-lint: | |
| needs: | |
| - project-metadata | |
| # Skip linting on prepare-release branch as it points to a tagged URL that does not exist yet. | |
| if: github.head_ref != 'prepare-release' && needs.project-metadata.outputs.python_files | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4.1.6 | |
| - uses: actions/setup-python@v5.1.0 | |
| with: | |
| python-version: "3.12" | |
| cache: "pip" | |
| cache-dependency-path: | | |
| **/pyproject.toml | |
| requirements/*.txt | |
| - name: Install pip | |
| run: | | |
| python -m pip install --upgrade pip | |
| - name: Install Mypy | |
| run: > | |
| python -m pip install --requirement | |
| https://raw.githubusercontent.com/kdeldycke/workflows/main/requirements/mypy.txt | |
| - name: Install Poetry | |
| if: fromJSON(needs.project-metadata.outputs.is_poetry_project) | |
| run: > | |
| python -m pip install --requirement | |
| https://raw.githubusercontent.com/kdeldycke/workflows/main/requirements/build.txt | |
| - name: Install dependencies with Poetry | |
| # Install project with Poetry if supported, so we can benefits from dependencies on typing stubs. | |
| if: fromJSON(needs.project-metadata.outputs.is_poetry_project) | |
| run: | | |
| poetry install --no-interaction | |
| - name: Install dependencies with pip | |
| if: ${{ ! fromJSON(needs.project-metadata.outputs.is_poetry_project) }} | |
| run: > | |
| python -m pip install --requirement | |
| https://raw.githubusercontent.com/kdeldycke/workflows/main/requirements.txt | |
| - name: Run Poetry's Mypy | |
| if: fromJSON(needs.project-metadata.outputs.is_poetry_project) | |
| run: > | |
| poetry run mypy ${{ needs.project-metadata.outputs.mypy_params }} | |
| ${{ needs.project-metadata.outputs.python_files }} | |
| - name: Run vanilla Mypy | |
| if: ${{ ! fromJSON(needs.project-metadata.outputs.is_poetry_project) }} | |
| # --color-output - Force colorized output as in CI, Mypy defaults to no color. | |
| run: > | |
| mypy --color-output ${{ needs.project-metadata.outputs.mypy_params }} | |
| ${{ needs.project-metadata.outputs.python_files }} | |
| lint-yaml: | |
| # Skip linting on prepare-release branch as it points to a tagged URL that does not exist yet. | |
| if: github.head_ref != 'prepare-release' | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4.1.6 | |
| - name: Hack setup-python cache | |
| id: setup_python_hack | |
| # XXX Create an empty pyproject.toml if this file (or any *requirements.txt) can't be found in repository. | |
| # This hack fix an issue with setup-python, which ends up with this error in non-Python repos: | |
| # | |
| # Run actions/setup-python@v5.1.0 | |
| # with: | |
| # python-version: 3.12 | |
| # cache: pip | |
| # cache-dependency-path: | | |
| # **/pyproject.toml | |
| # requirements/*.txt | |
| # Installed versions | |
| # Successfully set up CPython (3.12.1) | |
| # Error: No file in /home/runner/work/awesome-iam/awesome-iam matched to | |
| # [requirements/*.txt or **/pyproject.toml], make sure you have checked out the target repository | |
| # | |
| # This has been reported at: https://github.com/actions/setup-python/issues/807 | |
| # In the future this might be addressed by: https://github.com/actions/setup-python/pull/762 | |
| # or https://github.com/actions/setup-python/issues/751 | |
| if: hashFiles('requirements/*.txt', '**/pyproject.toml') == '' | |
| run: | | |
| touch ./pyproject.toml | |
| echo "tmp_deps_file=true" >> "$GITHUB_OUTPUT" | |
| - uses: actions/setup-python@v5.1.0 | |
| with: | |
| python-version: "3.12" | |
| cache: "pip" | |
| cache-dependency-path: | | |
| **/pyproject.toml | |
| requirements/*.txt | |
| - name: Remove setup-python hack | |
| if: steps.setup_python_hack.outputs.tmp_deps_file | |
| run: | | |
| rm ./pyproject.toml | |
| - name: Install pip | |
| run: | | |
| python -m pip install --upgrade pip | |
| - name: Install yamllint | |
| run: > | |
| python -m pip install --requirement | |
| https://raw.githubusercontent.com/kdeldycke/workflows/main/requirements/yamllint.txt | |
| - name: Run yamllint | |
| run: | | |
| yamllint --strict --config-data "{rules: {line-length: {max: 120}}}" --format github . | |
| lint-zsh: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4.1.6 | |
| - name: Install Zsh | |
| run: | | |
| sudo apt update | |
| sudo apt install --yes zsh | |
| - name: Lint | |
| run: | | |
| find . -iname "*.sh" -exec zsh --no-exec "{}" \; | |
| lint-github-action: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4.1.6 | |
| - name: Install actionlint | |
| id: install_actionlint | |
| run: | | |
| bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) | |
| - name: Install shellcheck | |
| run: | | |
| sudo apt update | |
| sudo apt install --yes shellcheck | |
| - name: Install problem matcher | |
| # Source: https://github.com/rhysd/actionlint/blob/main/docs/usage.md#problem-matchers | |
| run: > | |
| curl -fsSL --output ./.github/labeller-file-based.yaml | |
| https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json | |
| - name: Register problem matcher | |
| run: | | |
| echo "::add-matcher::.github/labeller-file-based.yaml" | |
| - name: Run actionlint | |
| # XXX actionlint triggers this error: | |
| # Error: .github/workflows/release.yaml:198:27: | |
| # property "workflow_update_github_pat" is not defined in object type {actions_runner_debug: string; | |
| # actions_step_debug: string; github_token: string; pypi_token: string} [expression] | |
| # See: https://github.com/rhysd/actionlint/issues/148 | |
| run: > | |
| ${{ steps.install_actionlint.outputs.executable }} | |
| -color | |
| -ignore 'property "workflow_update_github_pat" is not defined in .+' | |
| broken-links: | |
| # Skip checks on prepare-release branch as it contains commits in changelog and documentation that points to a tag | |
| # that does not exist yet, rendering URLs artificially broken. Also skips the merge commit of the prepare-release | |
| # branch, as if the URLs are good, the tag is created asynchronously by release.yaml:git-tag job. And as a | |
| # precautionary measure, just skip any event that contains a post-release bump commit. | |
| if: > | |
| github.head_ref != 'prepare-release' | |
| && github.ref != 'refs/heads/prepare-release' | |
| && (! contains(github.event.commits.*.message, '[changelog] Post-release version bump')) | |
| runs-on: ubuntu-22.04 | |
| # XXX We need to manually manage the life-cycle of issues created in this job because the create-issue-from-file | |
| # action blindly creates issues ad-nauseam. See: https://github.com/peter-evans/create-issue-from-file/issues/298 . | |
| # This was also discussed at: https://github.com/lycheeverse/lychee-action/issues/74#issuecomment-1587089689 | |
| steps: | |
| - uses: actions/checkout@v4.1.6 | |
| - uses: lycheeverse/lychee-action@v1.10.0 | |
| with: | |
| # XXX Skip HN because of rate-limiting. | |
| # See: https://github.com/lycheeverse/lychee/issues/989#issuecomment-1587208730 | |
| # https://github.com/lycheeverse/lychee/pull/1147 | |
| args: > | |
| --exclude ycombinator.com | |
| --base . | |
| --verbose | |
| --no-progress | |
| './**/*.md' './**/*.html' './**/*.rst' | |
| - name: Install hub | |
| run: | | |
| sudo apt install --yes hub | |
| - name: List open issues | |
| id: open_issues | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: > | |
| echo "issues=$( | |
| hub issue | |
| --state open | |
| --creator "github-actions[bot]" | |
| --format $'%I %t\t' | |
| --sort created )" >> "$GITHUB_OUTPUT" | |
| - name: Print open issues | |
| run: | | |
| echo "Open issues: ${{ steps.open_issues.outputs.issues }}" | |
| - name: Filter issues | |
| id: issue_groups | |
| shell: python | |
| run: | | |
| import os | |
| from pathlib import Path | |
| exit_code = os.getenv("lychee_exit_code") | |
| print(f"Lychee exit code: {exit_code!r} (type: {type(exit_code)})") | |
| broken_links_found = bool(int(exit_code)) | |
| if broken_links_found: | |
| print("Broken links found: create or update an issue.") | |
| else: | |
| print("No broken link found: close all open issues.") | |
| open_issues = """${{ steps.open_issues.outputs.issues }}""" | |
| update_issue = "" | |
| close_issues = set() | |
| for entry in (e.strip() for e in open_issues.split("\t") if e.strip()): | |
| print(f"Processing {entry!r} ...") | |
| number, title = entry.split(" ", 1) | |
| if title != "Broken links": | |
| print(f"{entry!r} is not a broken links issue, skip it.") | |
| continue | |
| if broken_links_found and not update_issue: | |
| print(f"Issue #{number} is the last open issue.") | |
| update_issue = number | |
| else: | |
| print(f"Issue #{number} is an old open issue.") | |
| close_issues.add(number) | |
| output = f"broken_links_found={str(broken_links_found).lower()}\n" | |
| output += f"update_issue={update_issue}\n" | |
| output += f"close_issues={' '.join(close_issues)}\n" | |
| env_file = Path(os.getenv("GITHUB_OUTPUT")) | |
| env_file.write_text(output) | |
| - name: Print issue groups | |
| run: | | |
| echo "Broken links found: ${{ steps.issue_groups.outputs.broken_links_found }}" | |
| echo "Issue to update: ${{ steps.issue_groups.outputs.update_issue }}" | |
| echo "Issues to close: ${{ steps.issue_groups.outputs.close_issues }}" | |
| - name: Close old issues | |
| if: steps.issue_groups.outputs.close_issues | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| NUMBER_LIST="${{ steps.issue_groups.outputs.close_issues }}" | |
| for number in $NUMBER_LIST; do | |
| hub issue update "$number" --state closed; | |
| done | |
| - name: Get label | |
| if: fromJSON(steps.issue_groups.outputs.broken_links_found) | |
| id: get_label | |
| run: > | |
| echo "label=${{ startsWith(github.event.repository.name, 'awesome-') | |
| && '🩹 fix link' || '📚 documentation' }}" >> "$GITHUB_OUTPUT" | |
| - name: Create or update issue | |
| if: fromJSON(steps.issue_groups.outputs.broken_links_found) | |
| uses: peter-evans/create-issue-from-file@v5.0.0 | |
| with: | |
| title: "Broken links" | |
| issue-number: ${{ steps.issue_groups.outputs.update_issue }} | |
| content-filepath: ./lychee/out.md | |
| labels: ${{ steps.get_label.outputs.label }} | |
| lint-awesome: | |
| name: Lint Awesome list | |
| if: > | |
| startsWith(github.event.repository.name, 'awesome-') | |
| && github.event.repository.name != 'awesome-template' | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4.1.6 | |
| with: | |
| # Fetch all history to please linter's age checks. | |
| fetch-depth: 0 | |
| - run: | | |
| npx awesome-lint --version | |
| npx awesome-lint | |
| check-secrets: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4.1.6 | |
| with: | |
| fetch-depth: 0 | |
| - uses: gitleaks/gitleaks-action@v2.3.4 | |
| with: | |
| config-path: .github/gitleaks.toml | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |