CI #578
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
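# .github/workflows/ci.yml
#
# Runs type checking (pyright), tests (pytest) and a formatting check (black)
# across an OS / Python matrix. It is started by the "gate" workflow or by a
# manual dispatch. The test task logs in to Azure and pulls keys from a vault,
# so every step that runs repository code here has access to those credentials.
name: CI

on:
  workflow_run:
    workflows: ["gate"]
    # The job below only does work for a successful "completed" event; a
    # "requested" event starts a run whose job is skipped by its `if:`.
    types: [requested, completed]
  # push:
  #   branches: [ "main", "dev/robgruen/workflow_updates" ]
  # pull_request_target:
  #   branches: [ "main" ]
  workflow_dispatch:  # manual run

concurrency:
  # On workflow_run events there is no github.event.pull_request and github.ref
  # is the default branch, so keying on those put every run in one group and
  # let unrelated runs cancel each other. Key on the branch of the run that
  # triggered this workflow; fall back to github.ref for manual dispatch.
  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
  cancel-in-progress: true

permissions:
  pull-requests: read
  contents: read
  # Needed for the OIDC token used by the "Login to Azure" step.
  id-token: write
  actions: read

jobs:
  ci:
    environment:
      name: build-pipeline
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]
        python-version: ['3.12', '3.13', '3.14']
        task: [check, test, format]
        exclude:
          - os: windows-latest
            python-version: '3.13'
          - os: windows-latest
            python-version: '3.14'
    runs-on: ${{ matrix.os }}
    name: ${{ matrix.os }} ${{ matrix.task }} (py ${{ matrix.python-version }})
    # Only run this job if the Gate workflow succeeded or if manually triggered
    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
    steps:
      # The following two steps (permission checks) ensure that only users with
      # write access can run this workflow on a PR (except the merge queue bot).
      # For PRs from forks we check the permissions of the user that triggered
      # the workflow (github.triggering_actor): a user without write access who
      # opens a PR from a fork cannot run this workflow, while users with write
      # access still can. PRs from the same repo run as normal.
      #
      # NOTE(review): the pull_request_target trigger is commented out above, so
      # the event_name half of these conditions is currently never true. Confirm
      # which user github.triggering_actor resolves to for workflow_run events.
      #
      # NOTE(review): this action and astral-sh/setup-uv / azure/login below are
      # referenced by mutable tags; pin third-party actions to a full commit SHA
      # so a retagged release cannot change what runs in this job.
      - name: Get User Permission
        if: ${{ github.event_name == 'pull_request_target' || github.triggering_actor != 'github-merge-queue[bot]' }}
        id: checkAccess
        uses: actions-cool/check-user-permission@v2
        with:
          require: write
          username: ${{ github.triggering_actor }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Fail closed: stop unless the check explicitly reported 'true'. Comparing
      # against 'false' would let the job continue if the output were empty.
      # Values are passed through env instead of being expanded into the script
      # text, so they reach the shell as data rather than as script source.
      - name: Check User Permission
        if: ${{ (github.event_name == 'pull_request_target' || github.triggering_actor != 'github-merge-queue[bot]') && steps.checkAccess.outputs.require-result != 'true' }}
        shell: bash
        env:
          TRIGGERING_ACTOR: ${{ github.triggering_actor }}
          USER_PERMISSION: ${{ steps.checkAccess.outputs.user-permission }}
          ORIGINAL_ACTOR: ${{ github.actor }}
        run: |
          echo "${TRIGGERING_ACTOR} does not have permissions on this repo."
          echo "Current permission level is ${USER_PERMISSION}"
          echo "Job originally triggered by ${ORIGINAL_ACTOR}"
          exit 1

      # NOTE(review): with only workflow_run / workflow_dispatch triggers there
      # is no github.event.pull_request, so this resolves to github.ref (the
      # default branch for workflow_run) rather than the commit the gate run
      # checked. If this is changed to check out the triggering run's commit,
      # keep the permission gate and environment protection in front of it: the
      # later steps execute repository code with Azure and vault access.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha || github.ref }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install uv
        uses: astral-sh/setup-uv@v7

      - name: Install Dependencies
        shell: bash
        run: |
          uv sync --extra dev

      - name: Run Check
        shell: bash
        if: matrix.task == 'check'
        run: |
          uv run pyright src test tools gmail

      - name: Run Format
        shell: bash
        if: matrix.task == 'format'
        run: |
          uv run black -tpy312 -tpy313 -tpy314 src test tools gmail demo --check

      - name: Login to Azure
        if: matrix.task == 'test'
        uses: azure/login@v2.2.0
        with:
          client-id: ${{ secrets.AZURE_CLIENTID }}
          tenant-id: ${{ secrets.AZURE_TENANTID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }}

      # Presumably writes the fetched keys to ./.env (the cleanup step below
      # deletes that file); verify against tools/get_keys.py.
      - name: Get Keys
        if: matrix.task == 'test'
        run: |
          uv run python tools/get_keys.py --vault build-pipeline-kv

      - name: Run Test
        shell: bash
        if: matrix.task == 'test'
        run: |
          uv run pytest

      # always(): remove the key file even when an earlier step (for example the
      # tests) failed; without it a failing run skipped this cleanup.
      - name: Clean up Keys
        if: always()
        run: |
          node -e "try{require('fs').unlinkSync('./.env');}catch(e){}"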