CI: Harden GHA configuration (#308) #932
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
  | name: tests | |
| permissions: | |
| contents: read | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10 | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| merge_group: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| pre-commit: | |
| name: precommit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0 | |
| with: | |
| python-version: "3.x" | |
| - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 | |
| with: | |
| extra_args: --hook-stage manual --all-files | |
| test: | |
| name: ${{ matrix.platform }} py${{ matrix.python-version }} | |
| runs-on: ${{ matrix.platform }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| platform: [ubuntu-latest, macos-latest, windows-latest] | |
| python-version: ['3.10', '3.11', '3.12'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| # these libraries enable testing on Qt on linux | |
| - uses: tlambert03/setup-qt-libs@19e4ef2d781d81f5f067182e228b54ec90d23b76 # v1 | |
| # strategy borrowed from vispy for installing opengl libs on windows | |
| - name: Install Windows OpenGL | |
| if: runner.os == 'Windows' | |
| run: | | |
| git clone --depth 1 https://github.com/pyvista/gl-ci-helpers.git | |
| powershell gl-ci-helpers/appveyor/install_opengl.ps1 | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install tox tox-gh-actions | |
| # this runs the platform-specific tests declared in tox.ini | |
| - name: Test with tox | |
| run: python -m tox | |
| - name: Upload pytest test results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: pytest-results-${{ matrix.platform }} py${{ matrix.python-version }} | |
| path: reports/ | |
| # Use always() to always run this step to publish test results when there are test failures | |
| if: ${{ always() }} | |
| - name: Coverage | |
| uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5 | |
| # Don't run coverage on merge queue CI to avoid duplicating reports | |
| # to codecov. See https://github.com/matplotlib/napari-matplotlib/issues/155 | |
| if: github.event_name != 'merge_group' | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: false | |
| deploy: | |
| # this will run when you have tagged a commit, starting with "v*" | |
| # and requires that you have put your twine API key in your | |
| # github secrets (see readme for details) | |
| needs: [test] | |
| runs-on: ubuntu-latest | |
| if: contains(github.ref, 'tags') | |
| environment: pypi-deploy | |
| permissions: | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.x" | |
| - name: Install build | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install --upgrade build | |
| - name: Build package | |
| run: | | |
| git tag | |
| python -m build . | |
| - name: Publish package | |
| uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 |