do not persist checkout credentials in GitHub workflows #16255
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Syntax reference https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions | |
# Environment reference https://help.github.com/en/actions/reference/virtual-environments-for-github-hosted-runners | |
name: scriptcheck | |
on: | |
push: | |
branches: | |
- 'main' | |
- 'releases/**' | |
- '2.*' | |
tags: | |
- '2.*' | |
pull_request: | |
permissions: | |
contents: read | |
jobs: | |
build: | |
# 'ubuntu-22.04' removes Python 3.6 so keep the previous LTS version | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: ccache | |
uses: hendrikmuhs/[email protected] | |
with: | |
key: ${{ github.workflow }}-${{ runner.os }} | |
- name: Cache Cppcheck | |
uses: actions/cache@v4 | |
with: | |
path: cppcheck | |
key: ${{ runner.os }}-scriptcheck-cppcheck-${{ github.sha }} | |
- name: build cppcheck | |
run: | | |
export PATH="/usr/lib/ccache:/usr/local/opt/ccache/libexec:$PATH" | |
make -j$(nproc) -s CXXFLAGS="-w" | |
strip -s ./cppcheck | |
scriptcheck: | |
needs: build | |
# 'ubuntu-22.04' removes Python 3.6 so keep the previous LTS version | |
runs-on: ubuntu-20.04 | |
strategy: | |
matrix: | |
python-version: [3.6, 3.7, 3.8, 3.9, '3.10', '3.11', '3.12', '3.13'] | |
include: | |
- python-version: '3.13' | |
python-latest: true | |
fail-fast: false | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
# TODO: bailout on error | |
- name: Restore Cppcheck | |
uses: actions/cache@v4 | |
with: | |
path: cppcheck | |
key: ${{ runner.os }}-scriptcheck-cppcheck-${{ github.sha }} | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
check-latest: true | |
- name: Install missing software on ubuntu | |
run: | | |
sudo apt-get update | |
sudo apt-get install tidy libxml2-utils | |
- name: Install missing software on ubuntu (Python 3) | |
run: | | |
# shellcheck cannot be installed via pip | |
# ERROR: Could not find a version that satisfies the requirement shellcheck (from versions: none) | |
# ERROR: No matching distribution found for shellcheck | |
sudo apt-get install shellcheck | |
python -m pip install pip --upgrade | |
python -m pip install natsort | |
python -m pip install pexpect | |
python -m pip install 'pylint<=3.3.0' | |
python -m pip install unittest2 | |
python -m pip install pytest | |
python -m pip install pygments | |
python -m pip install requests | |
python -m pip install psutil | |
python -m pip install setuptools | |
- name: run Shellcheck | |
if: matrix.python-latest | |
run: | | |
find . -name "*.sh" | xargs shellcheck --exclude SC2002,SC2013,SC2034,SC2035,SC2043,SC2046,SC2086,SC2089,SC2090,SC2129,SC2211,SC2231 | |
- name: run pylint | |
if: matrix.python-latest | |
run: | | |
shopt -s globstar | |
pylint --jobs $(nproc) --py-version 3.6 addons/**/*.py htmlreport/cppcheck-htmlreport htmlreport/**/*.py test/**/*.py tools/**/*.py | |
- name: check .json files | |
if: matrix.python-latest | |
run: | | |
find . -name '*.json' | xargs -n 1 python -m json.tool > /dev/null | |
- name: Validate | |
if: matrix.python-latest | |
run: | | |
make -j$(nproc) validateCFG validatePlatforms validateRules | |
- name: check python syntax | |
run: | | |
shopt -s globstar | |
python -m py_compile addons/**/*.py | |
python -m py_compile htmlreport/cppcheck-htmlreport | |
python -m py_compile htmlreport/**/*.py | |
python -m py_compile test/**/*.py | |
python -m py_compile tools/**/*.py | |
- name: compile addons | |
run: | | |
python -m compileall ./addons | |
- name: test matchcompiler | |
run: | | |
python tools/test_matchcompiler.py | |
# we cannot specify -Werror since xml/etree/ElementTree.py in Python 3.9/3.10 contains an unclosed file | |
- name: test addons | |
if: matrix.python-version == '3.9' || matrix.python-version == '3.10' | |
run: | | |
python -m pytest --strict-markers -vv addons/test | |
env: | |
PYTHONPATH: ./addons | |
- name: test addons | |
if: matrix.python-version != '3.9' && matrix.python-version != '3.10' | |
run: | | |
python -m pytest -Werror --strict-markers -vv addons/test | |
env: | |
PYTHONPATH: ./addons | |
- name: test htmlreport (standalone) | |
run: | | |
test/tools/htmlreport/test_htmlreport.py | |
cd test/tools/htmlreport | |
./check.sh | |
# Python 3.5 and 3.6 are excluded as they are not supported by setuptools-scm package for getting | |
# package version | |
- name: test htmlreport (pip) | |
if: matrix.python-version != '3.5' && matrix.python-version != '3.6' | |
run: | | |
python -m venv venv | |
source venv/bin/activate | |
python -m pip install -U pip | |
pip install ./htmlreport/ | |
which cppcheck-htmlreport | |
PIP_PACKAGE_TEST=1 test/tools/htmlreport/test_htmlreport.py | |
cd test/tools/htmlreport | |
./check.sh | |
- name: test reduce | |
run: | | |
python -m pytest -Werror --strict-markers -vv tools/reduce_test.py | |
env: | |
PYTHONPATH: ./tools | |
- name: test donate_cpu_lib | |
run: | | |
python -m pytest -Werror --strict-markers -vv tools/donate_cpu_lib_test.py | |
env: | |
PYTHONPATH: ./tools | |
- name: test donate_cpu_server | |
run: | | |
python -m pytest -Werror --strict-markers -vv tools/donate_cpu_server_test.py | |
env: | |
PYTHONPATH: ./tools | |
dmake: | |
strategy: | |
matrix: | |
os: [ubuntu-22.04, macos-13, windows-2022] | |
fail-fast: false | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: run dmake | |
run: | | |
make -j2 CXXFLAGS="-w" run-dmake | |
- name: check diff | |
run: | | |
git diff --exit-code |