Refactor MSL authentication checks #2184
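# GitHub Actions workflow for this repository: lock-file check, lint,
# type-check and tests run with uv; on a successful run the container image is
# built and published, and a GitHub Release is created for version tags.
#
# NOTE(review): every `uses:` below references a mutable tag (`@v6`, `@v7`,
# `@v3.6.0`, ...). For the jobs that hold write-capable tokens
# (`build-and-publish` with `packages: write`, `release` with
# `contents: write`) pinning to a full-length commit SHA with a version comment
# would stop a retagged upstream action from running with those permissions.
# No SHAs are recorded in this file, so none are substituted here.
name: Check, Build and Deploy

# Quoted on purpose: a YAML 1.1 loader reads a bare `on` key as boolean `true`.
"on":
  pull_request:
    branches: [main]
  push:
    branches: [main]
    tags: [v*]

# NOTE(review): there is no workflow-level `permissions:` block, so the jobs
# that do not declare their own (uv-check, flake8, mypy, pre-commit,
# pymarkdown, ruff-lint) run with the repository's default GITHUB_TOKEN
# permissions. A top-level `permissions:` with only `contents: read` would
# make that explicit — confirm first that pre-commit-ci/lite-action does not
# depend on a broader default.
jobs:
  uv-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Check uv.lock (ensure all dependencies up to date)
        # Fails when uv.lock no longer matches pyproject; nothing is written.
        run: uv lock --check

  flake8: # yamllint disable-line rule:key-ordering
    env:
      # Install only what the lock file pins; never resolve, sync implicitly,
      # or download an interpreter during the job.
      UV_FROZEN: true
      UV_NO_SYNC: true
      UV_PYTHON_DOWNLOADS: never
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set Up Python
        uses: actions/setup-python@v6
        with:
          # Quoted: an unquoted version is parsed as a float, so a value such
          # as 3.10 would silently become 3.1 before the action ever saw it.
          python-version: "3.14"
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Run Flake8
        # TODO: Run from locked dependencies, once project's Python version has been updated to 3.14
        run: >-
          uvx --python 3.14 --with "flake8-carrot>=0.1.4" --with "flake8-pyproject>=1.2"
          -- flake8

  mypy: # yamllint disable-line rule:key-ordering
    env:
      UV_FROZEN: true
      UV_NO_SYNC: true
      UV_PYTHON_DOWNLOADS: never
    needs: [uv-check]
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # The package and the test-suite are checked in separate jobs, each
        # with its own dependency groups and its own mypy cache.
        component: [package, tests]
    steps:
      - uses: actions/checkout@v6
      - name: Set Up Python
        uses: actions/setup-python@v6
        with:
          python-version-file: .python-version
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Install mypy From Locked Dependencies
        # `matrix.component` is expanded into the script text; that is safe
        # only because its values are the fixed literals declared above.
        run: |
          if [ "${{matrix.component}}" == "package" ]; then
            ARGS=()
          elif [ "${{matrix.component}}" == "tests" ]; then
            ARGS=("--group" "test")
          else
            echo "Error: Unknown matrix.component value: '${{matrix.component}}'" >&2
            exit 1
          fi
          uv sync --no-group dev --group type-check "${ARGS[@]}"
      - id: store-hashed-python-version
        name: Store Hashed Python Version
        # Cache-key component: digest of the interpreter's full version string.
        run: >-
          echo "hashed_python_version=$(uv run -- python -VV | sha256sum | cut -d' ' -f1)"
          >> "$GITHUB_OUTPUT"
      - uses: actions/cache@v5
        with:
          key: mypy|${{steps.store-hashed-python-version.outputs.hashed_python_version}}|${{matrix.component}}
          path: ./.mypy_cache
      - name: Run mypy # TODO: Add GitHub workflows output format
        run: |
          if [ "${{matrix.component}}" == "package" ]; then
            ARGS=("." "--exclude" "tests/")
          elif [ "${{matrix.component}}" == "tests" ]; then
            ARGS=("tests/")
          else
            echo "Error: Unknown matrix.component value: '${{matrix.component}}'" >&2
            exit 1
          fi
          uv run -- mypy "${ARGS[@]}"

  pre-commit: # yamllint disable-line rule:key-ordering
    env:
      UV_FROZEN: true
      UV_NO_SYNC: true
      UV_PYTHON_DOWNLOADS: never
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Add GB Locale
        run: |
          sudo apt-get update
          sudo apt-get install -y locales
          sudo locale-gen en_GB.UTF-8
        shell: bash
      - name: Set Up Python
        uses: actions/setup-python@v6
        with:
          python-version-file: .python-version
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Install prek From Locked Dependencies
        run: uv sync --only-group pre-commit
      - id: store-hashed-python-version
        name: Store Hashed Python Version
        run: >-
          echo "hashed_python_version=$(uv run -- python -VV | sha256sum | cut -d' ' -f1)"
          >> "$GITHUB_OUTPUT"
      - uses: actions/cache@v5
        with:
          # Keyed on the hook configuration too, so a changed hook set never
          # reuses environments built for the old one.
          key: prek|${{steps.store-hashed-python-version.outputs.hashed_python_version}}|${{hashFiles('.pre-commit-config.yaml')}}
          path: ~/.cache/prek
      - name: Setup pre-commit Environments
        run: uv run -- prek install-hooks
      - name: Run prek
        # Event and ref values reach the script through environment variables
        # instead of being expanded into its text: a branch name may legally
        # contain quote or dollar characters, which the original inline
        # `${{github.ref_name}}` would have handed to the shell as code.
        env: # yamllint disable-line rule:key-ordering
          DEFAULT_BRANCH: ${{github.event.repository.default_branch}}
          EVENT_NAME: ${{github.event_name}}
          REF_NAME: ${{github.ref_name}}
        run: |
          set -o pipefail
          # gitlint-ci is additionally skipped only for pushes to the default branch.
          SKIP_ARGS=(--skip ruff-check --skip uv-lock)
          if [[ "$EVENT_NAME" == "push" && "$REF_NAME" == "$DEFAULT_BRANCH" ]]; then
            SKIP_ARGS+=(--skip gitlint-ci)
          fi
          uv run -- prek run --all-files --hook-stage manual --color never "${SKIP_ARGS[@]}" | tee /tmp/prek.log
      - name: Ensure No Warnings
        # prek exits 0 on warnings; treat any warning line in the log as a failure.
        run: "if grep -q '^warning: ' /tmp/prek.log; then exit 1; fi"
      - if: ${{!cancelled()}}
        uses: pre-commit-ci/lite-action@v1.1.0

  pymarkdown: # yamllint disable-line rule:key-ordering
    env:
      UV_FROZEN: true
      UV_NO_SYNC: true
      UV_PYTHON_DOWNLOADS: never
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set Up Python
        uses: actions/setup-python@v6
        with:
          python-version-file: .python-version
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Install PyMarkdown From Locked Dependencies
        run: uv sync --only-group lint-format
      - name: Run PyMarkdown scan
        run: uv run -- pymarkdown scan .

  pytest: # yamllint disable-line rule:key-ordering
    env:
      UV_FROZEN: true
      UV_NO_SYNC: true
      UV_PYTHON_DOWNLOADS: never
    needs: [uv-check]
    permissions:
      # An explicit block sets every unlisted scope to `none`; `contents: read`
      # is what actions/checkout needs (it previously relied on the repository
      # being public) and matches what build-and-publish declares.
      # `id-token: write` lets the Codecov uploads authenticate with OIDC
      # instead of a stored upload token.
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set Up Python
        uses: actions/setup-python@v6
        with:
          python-version-file: .python-version
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Install pytest From Locked Dependencies
        run: uv sync --no-group dev --group test
      - id: store-hashed-python-version
        name: Store Hashed Python Version
        run: >-
          echo "hashed_python_version=$(uv run -- python -VV | sha256sum | cut -d' ' -f1)"
          >> "$GITHUB_OUTPUT"
      - uses: actions/cache@v5
        with:
          key: pytest|${{steps.store-hashed-python-version.outputs.hashed_python_version}}
          path: ./.pytest_cache
      - name: Run pytest
        run: uv run pytest --cov --cov-branch --cov-report=xml --junitxml=junit.xml
      - if: ${{!cancelled()}}
        name: Upload test results to Codecov
        uses: codecov/test-results-action@v1
        with:
          use_oidc: true
      - if: ${{!cancelled()}}
        name: Upload coverage report to Codecov
        uses: codecov/codecov-action@v5
        with:
          use_oidc: true

  ruff-lint: # yamllint disable-line rule:key-ordering
    env:
      UV_FROZEN: true
      UV_NO_SYNC: true
      UV_PYTHON_DOWNLOADS: never
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set Up Python
        uses: actions/setup-python@v6
        with:
          python-version-file: .python-version
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Install ruff From Locked Dependencies
        run: uv sync --only-group lint-format
      - id: store-hashed-python-version
        name: Store Hashed Python Version
        run: >-
          echo "hashed_python_version=$(uv run -- python -VV | sha256sum | cut -d' ' -f1)"
          >> "$GITHUB_OUTPUT"
      - uses: actions/cache@v5
        with:
          key: ruff|${{steps.store-hashed-python-version.outputs.hashed_python_version}}
          path: ./.ruff_cache
      - name: Run Ruff
        # --no-fix keeps CI read-only; the github output format annotates the PR.
        run: uv run -- ruff check --no-fix --output-format=github

  build-and-publish: # yamllint disable-line rule:key-ordering
    env:
      IMAGE_NAME: ${{github.repository}}
      REGISTRY: ghcr.io
    environment: publish
    # Never publish from a fork's pull request: the registry token and the
    # `publish` environment must not be reachable from unreviewed code.
    if: >-
      github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name
      == 'CSSUoB/TeX-Bot-Py-V2'
    needs: [mypy, pre-commit, pymarkdown, pytest, ruff-lint, uv-check]
    permissions:
      attestations: write
      contents: read
      id-token: write
      packages: write
    runs-on: ubuntu-latest
    steps:
      - name: Log in to the Container registry
        uses: docker/login-action@v3.6.0
        with:
          # The job's own token suffices for ghcr.io because of `packages: write`;
          # no long-lived registry credential is stored.
          password: ${{secrets.GITHUB_TOKEN}}
          registry: ${{env.REGISTRY}}
          username: ${{github.actor}}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - id: docker-extract-metadata
        name: Extract metadata (tags, labels) for Docker
        uses: docker/metadata-action@v5.10.0
        with:
          images: ${{env.REGISTRY}}/${{env.IMAGE_NAME}}
          # Branch builds get a `br-` prefix; the floating `vN` major tag is
          # withheld for the 0.x series.
          tags: |-
            type=ref,event=branch,prefix=br-
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern=v{{major}},enable=${{!startsWith(github.ref, 'refs/tags/v0.')}}
      - id: build-and-publish
        name: Build and Publish
        # No checkout step precedes this; presumably the action builds from its
        # default git context — confirm against the action's documentation.
        uses: docker/build-push-action@v6
        with:
          labels: ${{steps.docker-extract-metadata.outputs.labels}}
          push: true
          tags: ${{steps.docker-extract-metadata.outputs.tags}}
      - name: Generate Artifact Attestation
        # Signs provenance for the pushed digest and stores it alongside the
        # image so consumers can verify what built it.
        uses: actions/attest-build-provenance@v3
        with:
          push-to-registry: true
          subject-digest: ${{steps.build-and-publish.outputs.digest}}
          subject-name: ${{env.REGISTRY}}/${{env.IMAGE_NAME}}

  release: # yamllint disable-line rule:key-ordering
    if: github.ref_type == 'tag'
    needs: [build-and-publish]
    permissions:
      contents: write
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Create GitHub Release
        env: # yamllint disable-line rule:key-ordering
          GITHUB_TOKEN: ${{github.token}}
          # The tag name goes through the environment rather than being
          # expanded into the script: git allows a quote character in a ref
          # name, which would have broken out of the original '...' quoting.
          TAG_NAME: ${{github.ref_name}}
        # --verify-tag refuses to create a release for a tag that does not
        # exist on the remote.
        run: >-
          gh release create "$TAG_NAME" --repo '${{github.repository}}' --verify-tag
          --generate-notes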