Skip to content

Use pinning and hash checking for security #202

Use pinning and hash checking for security

Use pinning and hash checking for security #202

Workflow file for this run

name: CI
on:
pull_request:
branches:
- main
push:
branches:
- main
jobs:
test:
name: Tests
runs-on: ubuntu-latest
container: ghcr.io/iqm-finland/kqcircuits
strategy:
fail-fast: false
matrix:
klayout_version: [0.28.1, 1.latest]
steps:
- uses: actions/checkout@v2
- name: Init KQCircuits
run: ci/init_kqc.sh
- name: Select KLayout version
run: pip install --force-reinstall "klayout<=${{ matrix.klayout_version }}"
- name: Run tests
run: tox -e matrix
- name: Upload test results
if: always()
uses: actions/upload-artifact@v2
with:
name: Test results (KLayout=${{ matrix.klayout_version }})
path: test_report.xml
test_non_linux:
name: Tests (non-🐧)
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [windows-latest, macos-latest]
klayout_version: [0.28.1, 1.latest]
exclude:
- os: macos-latest
klayout_version: 0.28.1
steps:
- uses: actions/checkout@v2
- name: macOS setup
run: |
brew install python
ln -s -f /usr/local/bin/python3.7 /usr/local/bin/python
if: ${{ matrix.os == 'macos-latest' }}
- name: Init KQCircuits
run: pip3 install -e "klayout_package/python[docs,tests]" --only-binary=klayout
continue-on-error: true
- name: Select KLayout version
run: pip3 install --force-reinstall --only-binary=klayout "klayout<=${{matrix.klayout_version }}"
- name: Run tests
run: tox -e matrix
- name: Upload test results
if: always()
uses: actions/upload-artifact@v2
with:
name: Test results (${{ matrix.os }} KLayout=${{ matrix.klayout_version }})
path: test_report.xml
publish_test_results:
name: Publish test results
needs: [ test, test_non_linux ]
runs-on: ubuntu-latest
if: success() || failure()
steps:
- name: Download test results
uses: actions/download-artifact@v2
with:
path: artifacts
- name: Publish test results
uses: EnricoMi/publish-unit-test-result-action@v1
with:
files: artifacts/**/*.xml
check_name: Test results
static_analysis:
name: Static code analysis
runs-on: ubuntu-latest
container: ghcr.io/iqm-finland/kqcircuits
steps:
- uses: actions/checkout@v2
- name: Init KQCircuits
run: ci/init_kqc.sh
- name: Run static code analysis
run: tox -e static_analysis
shellcheck:
name: Shellcheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
verify_documentation:
name: Verify documentation
runs-on: ubuntu-latest
container: ghcr.io/iqm-finland/kqcircuits
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # fetch tags as well
- name: Init KQCircuits
run: ci/init_kqc.sh
- name: Make docs
run: |
cd docs
make html SPHINXOPTS="-W --keep-going"
- name: Docs to artifact
uses: actions/upload-artifact@v2
if: always()
with:
name: docs
path: docs/_build/html/
check_copyright_headers:
name: Check copyright headers
runs-on: ubuntu-latest
container: ghcr.io/iqm-finland/kqcircuits
steps:
- uses: actions/checkout@v2
- name: Run copyright headers check
run: >
python ci/check_copyright_headers.py --exclude-paths
klayout_package/python/kqcircuits/_static_version.py
klayout_package/python/kqcircuits/_version.py
check_license:
name: Check license
runs-on: ubuntu-latest
container: ghcr.io/iqm-finland/kqcircuits
steps:
- uses: actions/checkout@v2
- name: Run license check
run: sha256sum -c ci/license_manifest.txt
verify_layer_properties:
name: Verify layer properties
runs-on: ubuntu-latest
container: ghcr.io/iqm-finland/kqcircuits
steps:
- uses: actions/checkout@v2
- name: Init KQCircuits
run: ci/init_kqc.sh
- name: Run check_layer_props.py
run: python util/check_layer_props.py
pypi_package_build_and_publish:
name: Build & Publish kqcircuits 🐍 📦
needs: [ verify_documentation, verify_layer_properties, test, test_non_linux, shellcheck]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build and test
run: |
git fetch --unshallow --tags
echo "GIT_TAG=$(git tag --contains HEAD | grep -P '^v\d+\.\d+\.\d+.*')" >> $GITHUB_ENV
python -m pip install --upgrade build twine
cd klayout_package/python
python -m build
python -m twine check dist/*
- name: Publish to PyPI
if: env.GIT_TAG
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }}
repository_url: https://upload.pypi.org/legacy/
packages_dir: klayout_package/python/dist/
pages:
name: Deploy documentation
needs: [ check_copyright_headers, check_license, verify_documentation ]
runs-on: ubuntu-latest
container: ghcr.io/iqm-finland/kqcircuits
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v2
- name: Download docs artifact
uses: actions/download-artifact@v2
with:
name: docs
path: public
- name: Add redirect and 404
run: |
mkdir -p public/_build/html
cp public/_static/redirect.html public/_build/html/index.html
cp public/_static/404.html public/404.html
- name: Install rsync # https://github.com/JamesIves/github-pages-deploy-action#using-a-container-
run: apt-get update && apt-get install -y rsync
- name: Upload pages
uses: JamesIves/github-pages-deploy-action@v4.3.3
with:
branch: gh-pages
folder: public