Python/.github/workflows/python.yml at 3adb190cf713fd1e79f4fd98d67e459d93bda615 · geekcomputers/Python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
name: Code Quality & Auto-Format Checks

on:
  pull_request:
     types: [opened, synchronize, reopened]
  push:
    branches: [ main, master ]
  pull_request:
    branches: [ main, master ]

env:
  PYTHON_VERSION: '3.13.7'

jobs:
  # Phase 1: Ruff Auto-Format (no dependency file references)
  ruff-auto-format:
    name: "📝 Ruff Auto-Format"
    runs-on: ubuntu-latest
    permissions:
      contents: write  # For auto-commit
      pull-requests: read
    outputs:
      changes_made: ${{ steps.format-check.outputs.changes_made }}
    steps:
      - name: Checkout repository (critical for file access)
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0
          ref: ${{ github.head_ref || github.ref }}
          path: .  # Ensure repo is in default working dir

      - name: Set up Python (no cache based on dependency files)
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          # Removed `cache-dependency-path` (no requirements/pyproject to reference)
          cache: 'pip'  # Still caches pip packages (e.g., ruff) for speed

      - name: Install ruff (direct install, no dependency files)
        run: pip install ruff
        env:
          PIP_DISABLE_PIP_VERSION_CHECK: 1

      - name: Run ruff format & check changes
        id: format-check
        run: |
          ruff format .
          if git diff --quiet --exit-code; then
            echo "changes_made=false" >> $GITHUB_OUTPUT
          else
            echo "changes_made=true" >> $GITHUB_OUTPUT
          fi

      - name: Auto-commit & push formatting changes
        if: steps.format-check.outputs.changes_made == 'true'
        run: |
          git config --local user.name "GitHub Actions"
          git config --local user.email "actions@github.com"
          git add . && git commit -m "[auto] Fix code format with ruff" && git push

  # Phase 2: Setup Check Tools (no dependency file checks)
  setup-check-tools:
    name: "⚙️ Setup Check Tools"
    needs: ruff-auto-format
    if: >
      (github.event_name == 'push') ||
      (github.event.pull_request &&
       (needs.ruff-auto-format.outputs.changes_made == 'true' ||
        github.event.pull_request.merged == true))
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          path: .
          fetch-depth: 1

      - name: Set up Python (no dependency file cache)
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'  # Caches tools (codespell/bandit) for downstream jobs

      - name: Install check tools (direct install, no dependency files)
        run: |
          pip install codespell bandit mypy ruff pytest
        env:
          PIP_DISABLE_PIP_VERSION_CHECK: 1

  # --- Non-blocking Checks (no dependency file references) ---
  spell-check:
    name: "🔍 Spell Check (Non-Blocking)"
    needs: setup-check-tools
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          path: .
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - name: Run codespell
        run: codespell --skip="*.json,*.lock,*.csv" --ignore-words-list="xxx,yyy,zzz" --quiet-level=2 || true

  security-scan:
    name: "🔒 Security Scan (Non-Blocking)"
    needs: setup-check-tools
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          path: .
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - name: Run bandit
        run: bandit -r . -f human -o bandit-results.txt -f json -o bandit-results.json || true

  type-check:
    name: "🎯 Type Check (Non-Blocking)"
    needs: setup-check-tools
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          path: .
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - name: Run mypy
        run: mypy --ignore-missing-imports --show-error-codes . || true

  # --- Blocking Checks ---
  lint-check:
    name: "🧹 Lint Check (Blocking)"
    needs: setup-check-tools
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          path: .
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - name: Run ruff check
        run: ruff check --output-format=concise .

    unit-tests:
    name: "🧪 Unit Tests (Blocking)"
    needs: setup-check-tools
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          path: .
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
      - name: Run pytest
        run: pytest  # Adjust test command if your tests are in a subfolder (e.g., pytest tests/)

  # --- CodeQL Analysis ---
  codeql-analysis:
    name: "🛡️ CodeQL Security Analysis"
    needs: setup-check-tools
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          path: .
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: python
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

  # --- Final Summary ---
  all-checks-summary:
    name: "✅ All Checks Summary"
    needs: [spell-check, security-scan, type-check, lint-check, unit-tests, codeql-analysis]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Print summary
        run: |
          echo "Ruff auto-format changes: ${{ needs.ruff-auto-format.outputs.changes_made }}"
          if [[ "${{ contains(needs.lint-check.result, 'failure') || contains(needs.unit-tests.result, 'failure') }}" == "true" ]]; then
            echo "❌ Critical failure (lint/tests) - Fix required"
            exit 1
          else
            echo "✅ No critical failures"
          fi