MAINT - CI improvements (security and maintenance) #2077

Open: wants to merge 27 commits into base: main
Changes from 19 commits

27 commits
890ee6f
:construction_worker: Update release workflow
trallard Nov 21, 2024
e89a490
:construction_worker: Add check for docs links
trallard Nov 21, 2024
865158a
:wrench: Add linkcheck for docs
trallard Nov 21, 2024
e93cf6c
:construction_worker: Separate docs CI into another workflow
trallard Nov 21, 2024
0095423
:wrench: Add ignores and redirects to conf
trallard Nov 21, 2024
e70a1d3
:pencil2: Fix URLs in the docs
trallard Nov 22, 2024
18e2198
:wrench: Update tox command for linkchecks
trallard Nov 22, 2024
53dafed
Remove needs - CI workflow
trallard Nov 25, 2024
74f4a1a
Merge branch 'main' into trallard/maintenance-ql-improvements
trallard Dec 10, 2024
76b95ca
:closed_lock_with_key: Change workflow trigger to workflow_call
trallard Dec 10, 2024
6e7851c
:lock: Ensure proper variable escaping in docs workflow
trallard Dec 10, 2024
3e0899d
:arrow_up: Upgrade runners OS and Python versions
trallard Dec 10, 2024
d61186f
Add coverage required permissions
trallard Dec 10, 2024
e9bd826
Add actions scope to permissions:
trallard Dec 10, 2024
21d7a24
:construction_worker: Add GitHub attestations to release workflow
trallard Dec 10, 2024
e560340
:lock: Add static analysis for GH actions with Zizmor
trallard Dec 10, 2024
9b31a14
:construction_worker: Pin our reusable action to a hash
trallard Dec 11, 2024
560ecfe
Add environment and pinned actions to release workflow
trallard Dec 11, 2024
2a7fca4
Add more comments to workflows
trallard Dec 12, 2024
8ecc548
:fire: Remove accidentally committed file
trallard Dec 12, 2024
3864d38
Remove setup-dev action
trallard Dec 12, 2024
741131c
Fix more URLs
trallard Dec 12, 2024
3bb97dd
Remove pin in STB
trallard Dec 12, 2024
1121c37
Change dependabot frequency
trallard Dec 16, 2024
a7e2f69
Finish changing to SHA for GitHub actions
trallard Dec 16, 2024
90f9d1a
Update linkcheck config
trallard Dec 16, 2024
9adae6d
Ignore unsplash for link check
trallard Dec 16, 2024
2 changes: 2 additions & 0 deletions .github/actions/set-dev-env/action.yml
@@ -1,3 +1,5 @@
# Reusable action to set our PST development environment
# DO NOT use for release jobs since we cache dependencies
name: Setup PST CI environment
description: Create a PST dev environment

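Review bot: the "DO NOT use for release jobs since we cache dependencies" warning exists only as a YAML comment, which nobody sees when the action is referenced from another workflow. Consider repeating the caveat in the `description:` field (e.g. "Create a PST dev environment (cached; not for release builds)"), since that string is what shows up in the UI and in `uses:` tooling.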
123 changes: 45 additions & 78 deletions .github/workflows/CI.yml
@@ -1,3 +1,4 @@
# Testing (pytest, a11y-tests), profiling, and coverage checks for PST
name: continuous-integration

# Concurrency group that uses the workflow name and PR number if available
Expand All @@ -21,6 +22,9 @@ on:
branches:
- main
pull_request:
branches:
- "*"
# allows this to be used as a composite action in other workflows
workflow_call:
# allow manual triggering of the workflow, while debugging
workflow_dispatch:
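Review bot: the comment above `workflow_call:` says "composite action", but `workflow_call` makes this a reusable workflow; composite actions are a different mechanism (an `action.yml` with `runs: using: composite`, like the `set-dev-env` action in this same PR). Suggest "allows this workflow to be called from other workflows" so readers looking for a composite action are not misled, and note that `workflow_call` exposes the jobs below to any caller in the repository, which is why the `coverage` job's `event_name` guard matters.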
Expand All @@ -31,10 +35,12 @@ jobs:
strategy:
fail-fast: true
matrix:
# https://github.com/actions/runner-images
# macos-14==latest
# ubuntu-20.04==latest
os: ["ubuntu-latest", "ubuntu-24.04", "macos-14", "windows-latest"]
python-version: ["3.9", "3.10", "3.11", "3.12"]
# ubuntu-24.04==latest
# windows-2022==latest
os: ["ubuntu-latest", "ubuntu-22.04", "macos-14", "windows-latest"]
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
sphinx-version: [""]
include:
# oldest Python version with the oldest Sphinx version
Expand All @@ -59,11 +65,15 @@ jobs:
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Setup CI environment πŸ› "
uses: ./.github/actions/set-dev-env
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
python-version: ${{ matrix.python-version }}
pandoc: true

- name: "Run tests βœ…"
shell: bash
run: |
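Review bot: pinning `pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0...` to a SHA in this same repository means a PR that edits `.github/actions/set-dev-env/action.yml` (as this PR does) is tested against the old pinned copy, not against its own change, and every future edit to the action needs a manual bump in four places. For a same-repo action the local path `./.github/actions/set-dev-env` is already resolved from the checked-out commit, so there is nothing to pin; SHA pinning buys integrity only for third-party references such as `actions/checkout` and `actions/upload-artifact`, which are still on floating `@v4` tags here. Keeping `persist-credentials: false` is the right call for jobs that never push.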
Expand All @@ -77,6 +87,7 @@ jobs:
else
python -Im tox run -e compile-assets,i18n-compile,py$(echo ${{ matrix.python-version }} | tr -d .)-tests
fi

- name: "Upload coverage data to GH artifacts πŸ“€"
if: matrix.python-version == '3.12' && matrix.os == 'ubuntu-latest' && matrix.sphinx-version == 'dev'
uses: actions/upload-artifact@v4
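Review bot: the run script above still interpolates `${{ matrix.python-version }}` directly into shell, i.e. `py$(echo ${{ matrix.python-version }} | tr -d .)`. Matrix values come from the workflow file, so this is not attacker-controlled, but it is exactly the pattern Zizmor's template-injection check (added by this PR) flags, and `docs.yml` in the same PR already switched to the env-var form. For consistency, pass the value through `env:` (`PY_VERSION: ${{ matrix.python-version }}`) and use `py${PY_VERSION//./}` in the script.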
Expand All @@ -93,101 +104,42 @@ jobs:
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Setup CI environment πŸ› "
uses: ./.github/actions/set-dev-env
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
pandoc: true
graphviz: true

- name: "Run accessibility tests with playwright 🎭"
# build PST, build docs, then run a11y-tests
run: python -Im tox run -m a11y

# Build our docs (PST) on major OSes and check for warnings
build-site:
name: "build PST docs"
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
python-version: ["3.12"]
include:
# oldest Python version with the oldest Sphinx version
- os: ubuntu-latest
python-version: "3.9"
sphinx-version: "6.1"
runs-on: ${{ matrix.os }}
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
- name: "Setup CI environment πŸ› "
uses: ./.github/actions/set-dev-env
with:
python-version: ${{ matrix.python-version }}
pandoc: true
graphviz: true
- name: "Build docs and check for warnings πŸ“–"
shell: bash
run: |
# check if there is a specific Sphinx version to build with
# example substitution: tox run -e py39-sphinx61-docs
if [ -n "${{matrix.sphinx-version}}" ]; then
python -Im tox run -e py$(echo ${{ matrix.python-version }} | tr -d .)-sphinx$(echo ${{ matrix.sphinx-version }} | tr -d .)-docs
# build with the default Sphinx version
# example substitution: tox run -e py312-docs
else
python -Im tox run -e py$(echo ${{ matrix.python-version }} | tr -d .)-docs
fi

# Run Lighthouse audits on the built site (kitchen-sink only)
lighthouse-audit:
needs: build-site
runs-on: ubuntu-latest
env:
DOCS_DIR: "audit"
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
- name: "Setup CI environment πŸ› "
uses: ./.github/actions/set-dev-env
with:
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
- name: "Copy kitchen sink to a tiny site"
run: |
mkdir -p ${{ env.DOCS_DIR }}/site
cp -r docs/examples/kitchen-sink ${{ env.DOCS_DIR }}/site/kitchen-sink
printf "Test\n====\n\n.. toctree::\n\n kitchen-sink/index\n" > ${{ env.DOCS_DIR }}/site/index.rst
echo 'html_theme = "pydata_sphinx_theme"' > ${{ env.DOCS_DIR }}/site/conf.py
echo '.. toctree::\n :glob:\n\n *' >> ${{ env.DOCS_DIR }}/site/index.rst

# build docs without checking for warnings
python -Im tox run -e docs-no-checks

- name: "Audit with Lighthouse πŸ”¦"
uses: treosh/lighthouse-ci-action@v12
with:
configPath: ".github/workflows/lighthouserc.json"
temporaryPublicStorage: true
uploadArtifacts: true
runs: 3 # Multiple runs to reduce variance

coverage:
name: "Check coverage"
needs: run-pytest
runs-on: ubuntu-latest
# avoid running this on schedule, releases, or workflow_call
if: github.event_name != 'schedule' && github.event_name != 'release' && github.event_name != 'workflow_call'
# avoid running this on schedule, releases, workflow_call, or workflow_dispatch
if: github.event_name != 'schedule' && github.event_name != 'release' && github.event_name != 'workflow_call' && github.event_name != 'workflow_dispatch'
permissions:
contents: write
pull-requests: write
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Setup CI environment πŸ› "
uses: ./.github/actions/set-dev-env
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}

- run: python -Im pip install --upgrade coverage[toml]

- name: "Download coverage data πŸ“₯"
uses: actions/download-artifact@v4
with:
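Review bot: `python -Im pip install --upgrade coverage[toml]` in the `coverage` job pulls an unpinned latest release from PyPI on every run, which undercuts the rest of this PR's move to hash-pinned actions; pin a version (or install it through the same tox/dev environment that `set-dev-env` already provisions) so the job that writes to the PR is not the one with a floating dependency. Also worth double-checking that `contents: write` is still needed on this job now that the comment posting moved to the reusable `coverage.yml`, which declares its own permissions; the visible steps here only check out, download artifacts and run coverage.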
Expand Down Expand Up @@ -229,23 +181,38 @@ jobs:
path: python-coverage-comment-action.txt

profiling:
needs: [build-site, run-pytest]
needs: [run-pytest]
runs-on: ubuntu-latest
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Setup CI environment πŸ› "
uses: ./.github/actions/set-dev-env
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
# 3.12 is not supported by py-spy yet
python-version: "3.11"

- name: "Run profiling with py-spy πŸ•΅οΈβ€β™‚οΈ"
# profiling needs to be run as sudo
run: python -m tox run -e py311-profile-docs -- -o docbuild_profile.svg
continue-on-error: true

- name: "Upload profiling data to GH artifacts πŸ“€"
uses: actions/upload-artifact@v4
with:
name: profile-results
path: docbuild_profile.svg
if-no-files-found: ignore

# Calling the coverage-comment action from the main CI workflow
# we might want to pin the SHA once merged
coverage-comment:
uses: ./.github/workflows/coverage.yml
needs: [coverage]
permissions:
contents: write
pull-requests: write
actions: read
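Review bot: the "we might want to pin the SHA once merged" comment on `uses: ./.github/workflows/coverage.yml` is misleading: a same-repository path reference always runs the workflow file from the calling commit, and GitHub does not accept an `@ref` on `./` references, so there is nothing to pin; drop the comment or reword it. Two smaller points: `needs: [coverage]` means `coverage-comment` is skipped whenever the `coverage` job's `if:` skips it, which looks intended but should be stated; and the profiling step comment "needs to be run as sudo" no longer matches a `run:` line that uses no `sudo`.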
11 changes: 5 additions & 6 deletions .github/workflows/coverage.yml
@@ -1,14 +1,11 @@
name: Post coverage comment

on:
workflow_run:
workflows: ["continuous-integration"]
types:
- completed
workflow_call:

jobs:
test:
name: "Run tests & display coverage"
name: "Display code coverage"
runs-on: ubuntu-latest
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
permissions:
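Review bot: the trigger changed from `workflow_run` to `workflow_call`, but the job keeps `if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'`. Under `workflow_call`, `github.event` is the caller's event payload (a `pull_request` event from `CI.yml`), which has no `workflow_run` object, so both comparisons are against empty strings and the job is always skipped. Replace it with the caller's context, e.g. `if: github.event_name == 'pull_request'`, and rely on `needs: [coverage]` in the caller for the success requirement.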
Expand All @@ -20,9 +17,11 @@ jobs:
id: get-run
uses: octokit/[email protected]
with:
route: GET /repos/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}
route: GET /repos/"${REPO}"/actions/runs/"${WORKFLOW_RUN_ID}"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}

# this needs the .coverage file so we download from the CI workflow artifacts
- name: "Download coverage data πŸ“₯"
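Review bot: `route: GET /repos/"${REPO}"/actions/runs/"${WORKFLOW_RUN_ID}"` applies shell quoting and `${VAR}` expansion to a `with:` input, but inputs are not run through a shell, so the literal string (quotes included) is what the action receives unless it expands environment variables itself; use the action's `{owner}`/`{repo}` route placeholders with explicit inputs, or build the route in a `run:` step. Separately, `github.event.workflow_run.id` is empty under `workflow_call`; the called jobs are part of the same run as `CI.yml`, so the coverage artifact can be downloaded directly with `actions/download-artifact` and this lookup step may be unnecessary.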
131 changes: 131 additions & 0 deletions .github/workflows/docs.yml
@@ -0,0 +1,131 @@
# This workflow is checks that the documentation can be built across multiple OSes, Python, and Sphinx versions.
# It also checks for broken links in the documentation and runs Lighthouse audits on the built site.

name: docs-checks

# Concurrency group that uses the workflow name and PR number if available
# or commit SHA as a fallback. If a new build is triggered under that
# concurrency group while a previous build is running it will be canceled.
# Repeated pushes to a PR will cancel all previous builds, while multiple
# merges to main will not cancel.
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true

env:
FORCE_COLOR: "1" # Make tools pretty
DEFAULT_PYTHON_VERSION: "3.12" # keep in sync with tox.ini
PIP_DISABLE_PIP_VERSION_CHECK: "1" # Don't check for pip updates

on:
push:
branches:
- main
pull_request:
branches:
- "*"
# allows this to be used as a composite action in other workflows
workflow_call:
# allow manual triggering of the workflow, while debugging
workflow_dispatch:

jobs:
# Build our docs (PST) on major OSes and check for warnings
build-site:
name: "build PST docs"
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
python-version: ["3.12", "3.13"]
include:
# oldest Python version with the oldest Sphinx version
- os: ubuntu-latest
python-version: "3.9"
sphinx-version: "6.1"
runs-on: ${{ matrix.os }}
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Setup CI environment πŸ› "
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
python-version: ${{ matrix.python-version }}
pandoc: true
graphviz: true

- name: "Build docs and check for warnings πŸ“–"
shell: bash
run: |
# check if there is a specific Sphinx version to build with
# example substitution: tox run -e py39-sphinx61-docs
if [ -n "${{matrix.sphinx-version}}" ]; then
python -Im tox run -e py$(echo ${{ matrix.python-version }} | tr -d .)-sphinx$(echo ${{ matrix.sphinx-version }} | tr -d .)-docs
# build with the default Sphinx version
# example substitution: tox run -e py312-docs
else
python -Im tox run -e py$(echo ${{ matrix.python-version }} | tr -d .)-docs
fi

# Run Lighthouse audits on the built site (kitchen-sink only)
lighthouse-audit:
needs: build-site
runs-on: ubuntu-latest
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Setup CI environment πŸ› "
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1
with:
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}

- name: "Copy kitchen sink to a tiny site"
run: |
# ensuring proper scaping of the variable
docs_dir="${DOCS_DIR}"
mkdir -p $docs_dir/site
cp -r docs/examples/kitchen-sink $docs_dir/site/kitchen-sink
printf "Test\n====\n\n.. toctree::\n\n kitchen-sink/index\n" > $docs_dir/site/index.rst
echo 'html_theme = "pydata_sphinx_theme"' > $docs_dir/site/conf.py
echo '.. toctree::\n :glob:\n\n *' >> $docs_dir/site/index.rst

# build docs without checking for warnings
python -Im tox run -e docs-no-checks
env:
DOCS_DIR: "audit"

- name: "Audit with Lighthouse πŸ”¦"
uses: treosh/lighthouse-ci-action@v12
with:
configPath: ".github/workflows/lighthouserc.json"
temporaryPublicStorage: true
uploadArtifacts: true
runs: 3 # Multiple runs to reduce variance

# Check for broken links in our docs
link-check:
runs-on: ubuntu-latest
steps:
- name: "Checkout repository πŸ›Ž"
uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Setup CI environment πŸ› "
uses: pydata/pydata-sphinx-theme/.github/actions/set-dev-env@01731d0cc57768b9eff1c97f38909932ecd7e7d1

- name: "Check for broken links πŸ”—"
run: python -Im tox -e docs-linkcheck

- name: "Upload file with broken links πŸ“€"
uses: actions/upload-artifact@v4
with:
name: broken-links
path: docs/_build/linkcheck/output.txt
if: ${{ always() }}
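Review bot: in the "Copy kitchen sink to a tiny site" step, `echo '.. toctree::\n :glob:\n\n *' >> $docs_dir/site/index.rst` relies on `echo` interpreting `\n`, which bash's builtin does not do without `-e`, so the literal backslash sequences land in `index.rst`; use `printf` as the previous line already does. While there, quote the expansions (`"$docs_dir"/site`) now that the value comes from `env:`, since that is the point of the escaping change, and fix "scaping" to "escaping" in the comment. The `pull_request: branches: - "*"` filter only matches base branches without a slash, which is fine for `main` but worth knowing if release branches like `release/x` ever become PR targets.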