jsonpatchx/.github/workflows/python-tests.yml at main · angela-tarantula/jsonpatchx · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
---
# Purpose: Python-only tests (ruff, ruff format, mypy, pytest, coverage comment).
# Non-Python lint/security/docs checks run in .github/workflows/lint.yml.
name: Python Tests

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    environment: codecov-automation
    permissions:
      contents: read
      pull-requests: write
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.12", "3.13", "3.14"]

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          submodules: recursive

      - name: Setup uv
        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          python-version: ${{ matrix.python-version }}
          enable-cache: true
          cache-dependency-glob: |
            pyproject.toml
            uv.lock

      - name: Install Dependencies
        run: uv sync --frozen --no-default-groups --group ci

      - name: Ruff
        run: uv run ruff check

      - name: Ruff format
        run: uv run ruff format --check .

      - name: Mypy
        run: uv run mypy --python-version "${{ matrix.python-version }}" .

      - name: Test
        run: |
          uv run pytest \
            --cov=jsonpatchx \
            --cov-report=xml:coverage.xml

      # Dependabot PRs skip this upload. Supporting uploads there would require
      # an additional Dependabot-scoped CODECOV_TOKEN secret.
      - name: Upload coverage to Codecov
        if:
          ${{ github.event_name != 'pull_request' ||
          github.event.pull_request.user.login != 'dependabot[bot]' }}
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: ./coverage.xml
          flags: py-${{ matrix.python-version }}
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true

  # https://github.com/marketplace/actions/alls-green#why
  # For branch protection
  python-check:
    if: always()
    needs:
      - build
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit

      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
        with:
          jobs: ${{ toJSON(needs) }}