Skip to content

Fix SARIF-formatter severity levels #9333

Fix SARIF-formatter severity levels

Fix SARIF-formatter severity levels #9333

Workflow file for this run

---
name: tox
on:
push: # only publishes pushes to the main branch to TestPyPI
branches: # any integration branch but not tag
- "main"
pull_request:
branches:
- "main"
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
env:
FORCE_COLOR: 1 # tox, pytest, ansible-lint
PY_COLORS: 1
jobs:
prepare:
name: prepare
runs-on: ubuntu-22.04
outputs:
matrix: ${{ steps.generate_matrix.outputs.matrix }}
steps:
- name: Determine matrix
id: generate_matrix
uses: coactions/dynamic-matrix@v1
with:
min_python: "3.9"
max_python: "3.12"
other_names: |
lint
pkg
hook
docs
schemas
eco
pre
py310-devel
platforms: linux,macos
test-action:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Self test for ansible-lint@${{ github.action_ref || 'main' }}
uses: ./
with:
# basically we only lint linter own configuration, which should be passing.
args: .ansible-lint
build:
name: ${{ matrix.name }}
runs-on: ${{ matrix.os || 'ubuntu-22.04' }}
needs:
- prepare
- test-action
defaults:
run:
shell: ${{ matrix.shell || 'bash'}}
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.prepare.outputs.matrix) }}
# max-parallel: 5
# The matrix testing goal is to cover the *most likely* environments
# which are expected to be used by users in production. Avoid adding a
# combination unless there are good reasons to test it, like having
# proof that we failed to catch a bug by not running it. Using
# distribution should be preferred instead of custom builds.
env:
# Number of expected test passes, safety measure for accidental skip of
# tests. Update value if you add/remove tests.
PYTEST_REQPASS: 831
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # needed by setuptools-scm
submodules: true
- name: Set pre-commit cache
uses: actions/cache@v3
if: ${{ matrix.passed_name == 'lint' }}
with:
path: |
~/.cache/pre-commit
key: pre-commit-${{ matrix.name || matrix.passed_name }}-${{ hashFiles('.pre-commit-config.yaml') }}
- name: Set ansible cache(s)
uses: actions/cache@v3
with:
path: |
.cache/eco
examples/playbooks/collections/ansible_collections
~/.cache/ansible-compat
~/.ansible/collections
~/.ansible/roles
key: ${{ matrix.name || matrix.passed_name }}-${{ hashFiles('tools/test-eco.sh', 'requirements.yml', 'examples/playbooks/collections/requirements.yml') }}
- name: Set up Python ${{ matrix.python_version || '3.9' }}
if: "!contains(matrix.shell, 'wsl')"
uses: actions/setup-python@v4
with:
cache: pip
python-version: ${{ matrix.python_version || '3.9' }}
- uses: actions/setup-node@v3
with:
node-version: 18
cache: "npm"
cache-dependency-path: test/schemas/package-lock.json
- name: Run ./tools/test-setup.sh
run: ./tools/test-setup.sh
- name: Install tox
run: |
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade "tox>=4.0.0"
- name: Log installed dists
run: python3 -m pip freeze --all
- name: Initialize tox envs ${{ matrix.passed_name }}
run: python3 -m tox --notest --skip-missing-interpreters false -vv -e ${{ matrix.passed_name }}
timeout-minutes: 5 # average is under 1, but macos can be over 3
# sequential run improves browsing experience (almost no speed impact)
- name: tox -e ${{ matrix.passed_name }}
run: python3 -m tox -e ${{ matrix.passed_name }}
- name: Combine coverage data
if: ${{ startsWith(matrix.passed_name, 'py') }}
# produce a single .coverage file at repo root
run: tox -e coverage
- name: Upload coverage data
if: ${{ startsWith(matrix.passed_name, 'py') }}
uses: codecov/codecov-action@v3
with:
name: ${{ matrix.passed_name }}
fail_ci_if_error: false # see https://github.com/codecov/codecov-action/issues/598
token: ${{ secrets.CODECOV_TOKEN }}
verbose: true # optional (default = false)
- name: Archive logs
uses: actions/upload-artifact@v3
with:
name: logs.zip
path: .tox/**/log/
# https://github.com/actions/upload-artifact/issues/123
continue-on-error: true
- name: Report failure if git reports dirty status
run: |
git checkout HEAD -- src/ansiblelint/schemas/__store__.json
if [[ -n $(git status -s) ]]; then
# shellcheck disable=SC2016
echo -n '::error file=git-status::'
printf '### Failed as git reported modified and/or untracked files\n```\n%s\n```\n' "$(git status -s)" | tee -a "$GITHUB_STEP_SUMMARY"
exit 99
fi
# https://github.com/actions/toolkit/issues/193
codeql:
name: codeql
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["python"]
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
check: # This job does nothing and is only used for the branch protection
if: always()
permissions:
pull-requests: write # allow codenotify to comment on pull-request
needs:
- build
- test-action
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1
with:
jobs: ${{ toJSON(needs) }}
- name: Check out src from Git
uses: actions/checkout@v4
- name: Notify repository owners about lint change affecting them
uses: sourcegraph/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# https://github.com/sourcegraph/codenotify/issues/19
continue-on-error: true