-
Notifications
You must be signed in to change notification settings - Fork 13
102 lines (92 loc) · 3.93 KB
/
local-python-checks.yml
File metadata and controls
102 lines (92 loc) · 3.93 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
## Copyright (C) 2025 - 2026 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Authored by Claude (Anthropic).
name: Lint scripts
on:
push:
branches: [master]
pull_request:
branches: [master]
workflow_dispatch:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
lint:
runs-on: ubuntu-24.04
timeout-minutes: 10
## Fork-PR guard. Forked PRs need maintainer review before they
## consume CI time / could exfiltrate the (limited) GITHUB_TOKEN.
if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
strategy:
fail-fast: false
matrix:
include:
## Trust root for the four images below: Docker Official
## Images program. Each image's hub.docker.com page lists
## the publisher attestation ('Maintained by: the Debian
## Project' / 'Maintained by: Canonical Ltd.') and links
## to the build sources:
## https://hub.docker.com/_/debian
## https://hub.docker.com/_/ubuntu
## Digests below were resolved from the registry manifest
## API at pin time (verification step, not trust source).
- image: debian:stable@sha256:e969bc4a6af81e66bf2ee7e79cecb24885929111d5eddb97dd80bed3b90a5e93
- image: debian:testing@sha256:e0c4680937ec5c89f44b977ebd8bff697e6d0d5157b46f6d6592d46fa08dbaf3
- image: debian:unstable@sha256:d124ce29f8bbe23f6d17598a61d0b61d888d4863ecb6aa1049eecebc6f825f6c
## ubuntu:latest is currently 24.04, which uses a Python version
## that does not support the `newline` argument of Path.read_text()
# - image: ubuntu:latest@sha256:...
- image: ubuntu:rolling@sha256:4a9232cc47bf99defcc8860ef6222c99773330367fcecbf21ba2edb0b810a31e
container:
image: ${{ matrix.image }}
steps:
- name: Install git for actions/checkout
## Minimal container images do not ship git but actions/checkout
## needs it to populate '.git/'. Inline because checkout has not
## yet run and ci/ scripts are not on disk yet.
run: |
apt-get update -qq
apt-get install -y --no-install-recommends git ca-certificates
## https://github.com/actions/checkout/releases/tag/v6.0.2
## > de0fac2e4500dabe0009e67214ff5f5447ce83dd
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Install linters
run: ci/lint-install.sh
- name: Build helper-scripts deb
run: ci/lint-build.sh
- name: Clone trojan-source corpus
run: ci/lint-clone-trojan-source.sh
- name: Run tests
run: ci/lint-tests.sh
- name: Checkout developer-meta-files (summary script)
if: always()
## Needed for ci/step-summary-emit.sh. helper-scripts does
## not vendor a copy; checkout @master keeps the org's
## single source of truth. Matches the pattern in
## local-python-fuzz.yml.
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: org-ai-assisted/developer-meta-files
ref: master
path: .dmf
persist-credentials: false
- name: Emit step summary
if: always()
## One panel per matrix leg (distinct check name in the
## Actions UI). matrix.image is a static workflow literal,
## but routed through env: anyway to keep the convention
## uniform (matches developer-meta-files#87).
env:
JOB_STATUS: ${{ job.status }}
IMAGE: ${{ matrix.image }}
run: |
./.dmf/ci/step-summary-emit.sh \
--tool 'Lint scripts' \
--column-header field \
--row "outcome=${JOB_STATUS}" \
--row "image=${IMAGE}"