Skip to content

do not persist checkout credentials in GitHub workflows #16255

do not persist checkout credentials in GitHub workflows

do not persist checkout credentials in GitHub workflows #16255

Workflow file for this run

# Syntax reference https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
# Environment reference https://help.github.com/en/actions/reference/virtual-environments-for-github-hosted-runners
name: scriptcheck
on:
push:
branches:
- 'main'
- 'releases/**'
- '2.*'
tags:
- '2.*'
pull_request:
permissions:
contents: read
jobs:
build:
# 'ubuntu-22.04' removes Python 3.6 so keep the previous LTS version
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: ccache
uses: hendrikmuhs/[email protected]
with:
key: ${{ github.workflow }}-${{ runner.os }}
- name: Cache Cppcheck
uses: actions/cache@v4
with:
path: cppcheck
key: ${{ runner.os }}-scriptcheck-cppcheck-${{ github.sha }}
- name: build cppcheck
run: |
export PATH="/usr/lib/ccache:/usr/local/opt/ccache/libexec:$PATH"
make -j$(nproc) -s CXXFLAGS="-w"
strip -s ./cppcheck
scriptcheck:
needs: build
# 'ubuntu-22.04' removes Python 3.6 so keep the previous LTS version
runs-on: ubuntu-20.04
strategy:
matrix:
python-version: [3.6, 3.7, 3.8, 3.9, '3.10', '3.11', '3.12', '3.13']
include:
- python-version: '3.13'
python-latest: true
fail-fast: false
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
# TODO: bailout on error
- name: Restore Cppcheck
uses: actions/cache@v4
with:
path: cppcheck
key: ${{ runner.os }}-scriptcheck-cppcheck-${{ github.sha }}
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
check-latest: true
- name: Install missing software on ubuntu
run: |
sudo apt-get update
sudo apt-get install tidy libxml2-utils
- name: Install missing software on ubuntu (Python 3)
run: |
# shellcheck cannot be installed via pip
# ERROR: Could not find a version that satisfies the requirement shellcheck (from versions: none)
# ERROR: No matching distribution found for shellcheck
sudo apt-get install shellcheck
python -m pip install pip --upgrade
python -m pip install natsort
python -m pip install pexpect
python -m pip install 'pylint<=3.3.0'
python -m pip install unittest2
python -m pip install pytest
python -m pip install pygments
python -m pip install requests
python -m pip install psutil
python -m pip install setuptools
- name: run Shellcheck
if: matrix.python-latest
run: |
find . -name "*.sh" | xargs shellcheck --exclude SC2002,SC2013,SC2034,SC2035,SC2043,SC2046,SC2086,SC2089,SC2090,SC2129,SC2211,SC2231
- name: run pylint
if: matrix.python-latest
run: |
shopt -s globstar
pylint --jobs $(nproc) --py-version 3.6 addons/**/*.py htmlreport/cppcheck-htmlreport htmlreport/**/*.py test/**/*.py tools/**/*.py
- name: check .json files
if: matrix.python-latest
run: |
find . -name '*.json' | xargs -n 1 python -m json.tool > /dev/null
- name: Validate
if: matrix.python-latest
run: |
make -j$(nproc) validateCFG validatePlatforms validateRules
- name: check python syntax
run: |
shopt -s globstar
python -m py_compile addons/**/*.py
python -m py_compile htmlreport/cppcheck-htmlreport
python -m py_compile htmlreport/**/*.py
python -m py_compile test/**/*.py
python -m py_compile tools/**/*.py
- name: compile addons
run: |
python -m compileall ./addons
- name: test matchcompiler
run: |
python tools/test_matchcompiler.py
# we cannot specify -Werror since xml/etree/ElementTree.py in Python 3.9/3.10 contains an unclosed file
- name: test addons
if: matrix.python-version == '3.9' || matrix.python-version == '3.10'
run: |
python -m pytest --strict-markers -vv addons/test
env:
PYTHONPATH: ./addons
- name: test addons
if: matrix.python-version != '3.9' && matrix.python-version != '3.10'
run: |
python -m pytest -Werror --strict-markers -vv addons/test
env:
PYTHONPATH: ./addons
- name: test htmlreport (standalone)
run: |
test/tools/htmlreport/test_htmlreport.py
cd test/tools/htmlreport
./check.sh
# Python 3.5 and 3.6 are excluded as they are not supported by setuptools-scm package for getting
# package version
- name: test htmlreport (pip)
if: matrix.python-version != '3.5' && matrix.python-version != '3.6'
run: |
python -m venv venv
source venv/bin/activate
python -m pip install -U pip
pip install ./htmlreport/
which cppcheck-htmlreport
PIP_PACKAGE_TEST=1 test/tools/htmlreport/test_htmlreport.py
cd test/tools/htmlreport
./check.sh
- name: test reduce
run: |
python -m pytest -Werror --strict-markers -vv tools/reduce_test.py
env:
PYTHONPATH: ./tools
- name: test donate_cpu_lib
run: |
python -m pytest -Werror --strict-markers -vv tools/donate_cpu_lib_test.py
env:
PYTHONPATH: ./tools
- name: test donate_cpu_server
run: |
python -m pytest -Werror --strict-markers -vv tools/donate_cpu_server_test.py
env:
PYTHONPATH: ./tools
dmake:
strategy:
matrix:
os: [ubuntu-22.04, macos-13, windows-2022]
fail-fast: false
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: run dmake
run: |
make -j2 CXXFLAGS="-w" run-dmake
- name: check diff
run: |
git diff --exit-code