chore(deps): Bump the minor-and-patch group with 4 updates #6446
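# Gating workflow: runs on every pull request, on pushes to main, and on
# manual dispatch (no inputs).
name: Gating

on:
  pull_request:
  push:
    branches:
      - main
  workflow_dispatch:
    inputs: {}

# Least privilege for GITHUB_TOKEN. Without an explicit block the token gets
# the repository/organisation default, which may include write scopes on
# push and workflow_dispatch runs. The visible jobs only check out the
# repository, run tests and linters, and build an image locally, so read
# access to contents is enough; widen it per job if a step ever needs more.
permissions:
  contents: read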
jobs:
  # NOTE(review): every `uses:` below references an action by tag (@v6, @v47,
  # @v23, @v3.3.0). Tags are mutable, so the code that runs can change without
  # a change to this file. Pinning each to a full commit SHA, in the form
  # `owner/action@<full-commit-sha>  # vX`, keeps the version reviewable,
  # and Dependabot can still bump it.

  # Unit tests, one python:<version>-slim container per interpreter version.
  tests:
    name: Unit tests
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so that 3.10 is not read as the float 3.1.
        python-version:
          - '3.10'
          - '3.11'
          - '3.12'
          - '3.13'
          - '3.14'
    container:
      image: python:${{ matrix.python-version }}-slim
    steps:
      # NOTE(review): pip, nox and the apt packages are installed unpinned, so
      # the toolchain can differ between runs.
      - name: Install dependencies
        run: |
          # We need to install git inside the container otherwise the checkout action will use Git
          # REST API and the .git directory won't be present which fails due to setuptools-scm.
          # We also need to install curl and gpg to download and verify the codecov token.
          apt-get update && apt-get install --no-install-recommends --no-install-suggests -y curl git gpg
          pip install --upgrade pip nox
      # Full history is fetched (fetch-depth: 0).
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      # safe.directory '*' switches off Git's repository-ownership check for
      # every path, not only the workspace.
      # NOTE(review): presumably acceptable because the job container is
      # discarded after the run; do not copy this to a persistent runner.
      - name: Test with nox
        run: |
          # Disable Git's safe.directory mechanism as some unit tests do clone repositories
          git config --global --add safe.directory '*'
          nox -s "python-${{ matrix.python-version }}"
      # Coverage is uploaded from the 3.10 leg only.
      # NOTE(review): secrets are not exposed to pull_request runs from forks,
      # so the token is empty there; confirm the upload tolerates that.
      - name: Upload coverage reports to Codecov
        if: matrix.python-version == '3.10'
        uses: codecov/codecov-action@v6
        with:
          token: ${{ secrets.CODECOV_TOKEN }}

  # Lint session, run once in a python:3.10-slim container.
  linters:
    name: Linters
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    container:
      image: python:3.10-slim
    steps:
      - name: Install dependencies
        run: |
          # We need to install git inside the container otherwise the checkout action will use Git
          # REST API and the .git directory won't be present which fails due to setuptools-scm
          apt-get update && apt-get install --no-install-recommends --no-install-suggests -y git
          pip install --upgrade pip nox
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Run linters
        run: nox -s lint

  # Lints the two container build files; warnings and above fail the job.
  hadolint:
    name: Hadolint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: hadolint/hadolint-action@v3.3.0
        with:
          dockerfile: Dockerfile
          # Ignore list:
          #  * DL3041 - Specify version with dnf install -y <package>-<version>
          ignore: DL3041
          failure-threshold: warning
      - uses: hadolint/hadolint-action@v3.3.0
        with:
          dockerfile: tests/integration/Containerfile.test
          # Ignore list:
          #  * DL3006 - Always tag the version of an image explicitly
          ignore: DL3006
          failure-threshold: warning

  # Lints only the Markdown files reported as changed; skipped when none are.
  markdownlint:
    name: Markdownlint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      # The file list is handed to the next action through `with:`, not
      # interpolated into a shell script.
      - uses: tj-actions/changed-files@v47
        id: changed-files
        with:
          files: '**/*.md'
          separator: ','
      - uses: DavidAnson/markdownlint-cli2-action@v23
        if: steps.changed-files.outputs.any_changed == 'true'
        with:
          globs: ${{ steps.changed-files.outputs.all_changed_files }}
          separator: ','

  # Builds the image with podman and runs the integration tests against it,
  # with a local Nexus server started from tests/nexusserver.
  build-image:
    name: Build container image and run integration tests on it
    # TODO: Replace this with ubuntu-latest once GH completes the migration of the VM runners to
    # ubuntu 24.04 and respect the YAML tag (revert the commit that added this)
    runs-on: ubuntu-24.04
    steps:
      - name: Free up disk space
        run: |
          echo "Disk space before cleanup:"
          df -h /
          # Android consumes >12G disk space
          sudo rm -rf /usr/local/lib/android
          echo "Disk space after cleanup:"
          df -h /
      # NOTE(review): these packages are installed unpinned into the venv
      # that later runs the integration tests.
      - name: Install required packages
        run: |
          python3 -m venv /var/tmp/venv
          /var/tmp/venv/bin/pip3 install --upgrade pip nox podman-compose requests typer tenacity
      - name: add checkout action...
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      # Three probes against the local Nexus: basic-auth TLS on 8443 must
      # return 200, 8444 without a client certificate must not return 200,
      # and 8444 with the client certificate must return 200.
      # NOTE(review): the user/password and the key material under
      # tests/certificates look like fixtures for this loopback-only server;
      # confirm they are not reused anywhere else.
      - name: Start Nexus test server
        run: |
          /var/tmp/venv/bin/podman-compose -f tests/nexusserver/docker-compose.yml up -d
          /var/tmp/venv/bin/python tests/nexusserver/configure.py
          # Verify basic TLS
          status=$(curl -sSI \
            --output /dev/null \
            --write-out "%{http_code}" \
            --retry-delay 1 \
            --retry 30 \
            --retry-all-errors \
            -u hermeto-user:hermeto-pass \
            --cacert tests/certificates/CA.crt \
            https://127.0.0.1:8443/service/rest/v1/status)
          [[ "${status}" == "200" ]] || exit 1
          # Verify mTLS rejects unauthenticated access
          status=$(curl -sSI \
            --output /dev/null \
            --write-out "%{http_code}" \
            --cacert tests/certificates/CA.crt \
            https://127.0.0.1:8444/service/rest/v1/status)
          [[ "${status}" != "200" ]] || exit 1
          # Verify mTLS with client certificate
          status=$(curl -sSI \
            --output /dev/null \
            --write-out "%{http_code}" \
            --cacert tests/certificates/CA.crt \
            --key tests/certificates/client.key \
            --cert tests/certificates/client.crt \
            https://127.0.0.1:8444/service/rest/v1/status)
          [[ "${status}" == "200" ]] || exit 1
      # The image is tagged with the commit SHA of the run.
      - name: Build container image
        run: |
          podman build -t "hermeto:${{ github.sha }}" .
      - name: Check image created and application version
        run: |
          podman images | grep 'hermeto'
          podman run -t "hermeto:${{ github.sha }}" --version
      # As in the unit-test job, safe.directory "*" disables Git's ownership
      # check for every path on the runner for the rest of the job.
      - name: Run integration tests on built image
        env:
          HERMETO_TEST_IMAGE: localhost/hermeto:${{ github.sha }}
          HERMETO_TEST_LOCAL_NEXUS: '1'
        run: |
          git config --global --add safe.directory "*"
          /var/tmp/venv/bin/nox -s integration-tests -- -n auto