copier-python-package-template/template/.github/workflows/ci.yaml.jinja at f8815df5e2743855cf8bdf4893782f7edd128fcf · LabAutomationAndScreening/copier-python-package-template · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
{% raw %}name: CI

on:
  push:
    branches-ignore:
      - 'gh-readonly-queue/**' # don't run (again) when on these special branches created during merge groups; the `on: merge_group` already triggers it.
  merge_group:

env:
  PYTHONUNBUFFERED: True
  PRE_COMMIT_HOME: ${{ github.workspace }}/.precommit_cache

permissions:
  id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
  contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined

jobs:
  get-values:
    uses: ./.github/workflows/get-values.yaml
    permissions:
      contents: write # needed updating dependabot branches

  lint:
    needs: [ get-values ]
    name: Pre-commit
    uses: ./.github/workflows/pre-commit.yaml
    permissions:
      contents: write # needed for mutex
      id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
    with:
      python-version: {% endraw %}{{ python_version }}{% raw %}

  test:
    needs: [ lint ]
    strategy:
      matrix:
        os:
          - "{% endraw %}{{ gha_linux_runner }}{% raw %}"
{% endraw %}{% if use_windows_in_ci %}          - {{ gha_windows_runner }}{% endif %}{% raw %}
        python-version:
{% endraw %}{% for item in python_ci_versions %}
          - {{ item }}
{% endfor %}{% raw %}
        include:
          - os: "{% endraw %}{{ gha_linux_runner }}{% raw %}"
            python-version: "{% endraw %}{{ python_ci_versions[0] }}{% raw %}"
            JOB_MATCHING_DEV_ENV: true

    runs-on: ${{ matrix.os }}
    timeout-minutes: {% endraw %}{{ gha_medium_timeout_minutes }}{% raw %}
    env:
      UV_PYTHON: ${{ matrix.python-version }}
    steps:
      - name: Checkout code
        uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}

      - name: Install python tooling
        uses: ./.github/actions/install_deps
        with:
          python-version: ${{ matrix.python-version }}{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
          code-artifact-auth-role-name: CoreInfraBaseAccess
          code-artifact-auth-role-account-id: {% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}
          code-artifact-auth-region: {% endraw %}{{ aws_org_home_region }}{% endif %}{% raw %}

      - name: Unit test
        run: uv run pytest tests/unit --cov-report=xml --durations=5

{% endraw %}{% if use_codecov %}{% raw %}      - name: Upload coverage to Codecov
        # only upload coverage from fastest job
        if: ${{ matrix.JOB_MATCHING_DEV_ENV && github.actor != 'dependabot[bot]' }} # dependabot by default doesn't have access to the necessary secret...and dependabot should never be changing coverage anyway so it's fine not uploading it
        uses: codecov/codecov-action@v5.1.1
        with:
          files: ./coverage.xml
          flags: unittests
          env_vars: OS,PYTHON
          name: codecov-umbrella
          fail_ci_if_error: true
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: {% endraw %}{{ full_repo_url | replace("https://github.com/", "") }}{% raw %}{% endraw %}{% endif %}{% raw %}

{% endraw %}{% if is_frozen_executable %}{% raw %}  executable:
    needs: [ test ]
    strategy:
      matrix:
        os:
          - "{% endraw %}{{ gha_linux_runner }}{% raw %}"
{% endraw %}{% if use_windows_in_exe_ci %}          - {{ gha_windows_runner }}{% endif %}{% raw %}
        python-version:
{% endraw %}{% for item in python_ci_versions %}
          - {{ item }}
{% endfor %}{% raw %}
    runs-on: ${{ matrix.os }}
    timeout-minutes: {% endraw %}{{ gha_medium_timeout_minutes }}{% raw %}
    env:
      UV_PYTHON: ${{ matrix.python-version }}

    steps:
      - name: Checkout code
        uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
      - name: Install python tooling
        uses: ./.github/actions/install_deps
        with:
          python-version: ${{ matrix.python-version }}{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
          code-artifact-auth-role-name: CoreInfraBaseAccess
          code-artifact-auth-role-account-id: {% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}
          code-artifact-auth-region: {% endraw %}{{ aws_org_home_region }}{% endif %}{% raw %}

      - name: Build executable
        run: uv run pyinstaller pyinstaller.spec --log-level=DEBUG
      - name: Upload executable artifact
        uses: actions/upload-artifact@{% endraw %}{{ gha_upload_artifact }}{% raw %}
        with:
          name: exe-${{ matrix.os }}-${{ matrix.python-version }}
          path: dist/
          if-no-files-found: error{% endraw %}{% endif %}{% raw %}


{% endraw %}{% if create_docs %}{% raw %}
  build-docs:
    needs: [ lint ]
    strategy:
      matrix:
        python-version:
{% endraw %}{% for item in python_ci_versions %}
          - {{ item }}
{% endfor %}{% raw %}

    runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
    timeout-minutes: {% endraw %}{{ gha_medium_timeout_minutes }}{% raw %}
    env:
      UV_PYTHON: ${{ matrix.python-version }}

    steps:
      - name: Checkout code
        uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}

      - name: Install python tooling
        uses: ./.github/actions/install_deps
        with:
          python-version: ${{ matrix.python-version }}{% endraw %}{% if python_package_registry == "AWS CodeArtifact" %}{% raw %}
          code-artifact-auth-role-name: CoreInfraBaseAccess
          code-artifact-auth-role-account-id: "{% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}"
          code-artifact-auth-region: {% endraw %}{{ aws_org_home_region }}{% endif %}{% raw %}

      - name: Build docs
        working-directory: ./docs
        run: uv run make html SPHINXOPTS="-W"
{% endraw %}{% endif %}{% raw %}

  required-check:
    runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
    permissions:
      statuses: write # needed for updating status on Dependabot PRs
    needs:
      - test
      - get-values{% endraw %}{% if create_docs %}
      - build-docs{% endif %}{% if is_frozen_executable %}
      - executable{% endif %}{% raw %}
    if: always()
    timeout-minutes: {% endraw %}{{ gha_short_timeout_minutes }}{% raw %}
    steps:
      - name: fail if prior job failure
        if: needs.test.result != 'success'{% endraw %}{% if create_docs %} || needs.build-docs.result != 'success'{% endif %}{% if is_frozen_executable %} || needs.executable.result != 'success'{% endif %}{% raw %}
        run: |
          exit 1
      - name: Mark updated Dependabot commit of devcontainer hash as succeeded
        if: needs.get-values.outputs.dependabot-commit-created == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh api \
            -X POST -H "Accept: application/vnd.github.v3+json" \
            "/repos/${{ github.repository }}/statuses/${{ needs.get-values.outputs.new-dependabot-sha }}" \
            -f state=success -f context="required-check" -f description="Initial CI run passed" \
            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"{% endraw %}