fix test #127
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Code Quality (PR-Mandatory) | ||
| # Trigger explicitly for PRs + retain push events | ||
| on: | ||
| push: | ||
| branches: [ main, master ] | ||
| pull_request: | ||
| branches: [ main, master ] | ||
| types: [ opened, synchronize, reopened ] # Trigger on PR create/update/reopen | ||
| env: | ||
| PYTHON_VERSION: '3.13.7' | ||
| jobs: | ||
| # 1. PR-Adapted: Ruff Auto-Formatting (critical: commits to PR source branch) | ||
| ruff-auto-format-pr: | ||
| name: "📝 Ruff Format (PR-Safe)" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write # Required for auto-commits to PRs | ||
| pull-requests: read # Required to fetch PR branch info | ||
| outputs: | ||
| changes_made: ${{ steps.format-check.outputs.changes_made }} | ||
| steps: | ||
| - name: Checkout PR Source Branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} # Works for internal PRs; use PAT for forked PRs | ||
| fetch-depth: 0 | ||
| ref: ${{ github.head_ref }} # Force checkout PR source branch (not target main) | ||
| path: . | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: ${{ env.PYTHON_VERSION }} | ||
| cache: 'pip' # Cache pip packages for faster installs | ||
| - name: Install ruff | ||
| run: pip install ruff | ||
| env: | ||
| PIP_DISABLE_PIP_VERSION_CHECK: 1 # Skip pip version check to speed up installs | ||
| - name: Run ruff format & detect changes | ||
| id: format-check | ||
| run: | | ||
| ruff format . | ||
| if git diff --quiet --exit-code; then | ||
| echo "changes_made=false" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "changes_made=true" >> $GITHUB_OUTPUT | ||
| git diff --name-only # Show modified files in PR logs for review | ||
| fi | ||
| - name: Auto-commit format changes to PR | ||
| if: steps.format-check.outputs.changes_made == 'true' | ||
| run: | | ||
| git config --local user.name "GitHub Actions (PR Format)" | ||
| git config --local user.email "[email protected]" | ||
| git add . | ||
| git commit -m "[PR-auto] Fix code formatting with ruff" | ||
| git push # Pushes to PR source branch; PR updates automatically | ||
| # 2. PR Control: Run checks only if PR has format changes or is merged | ||
| setup-checks-pr: | ||
| name: "⚙️ Setup Tools (PR-Triggered)" | ||
| needs: ruff-auto-format-pr | ||
| # Condition: Run on push OR PR (with format changes OR merged status) | ||
| if: > | ||
| (github.event_name == 'push') || | ||
| (github.event_name == 'pull_request' && | ||
| (needs.ruff-auto-format-pr.outputs.changes_made == 'true' || | ||
| github.event.pull_request.merged == true)) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout PR Source Branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.head_ref || github.ref }} # Use PR source branch (or push branch) | ||
| path: . | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: ${{ env.PYTHON_VERSION }} | ||
| cache: 'pip' | ||
| - name: Install check tools directly (no dependency files) | ||
| run: pip install codespell bandit mypy ruff pytest | ||
| env: | ||
| PIP_DISABLE_PIP_VERSION_CHECK: 1 | ||
| # 3. PR Checks: All tools synced to PR "Checks" tab | ||
| spell-check-pr: | ||
| name: "🔍 Spell Check (PR)" | ||
| needs: setup-checks-pr | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout PR Source Branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.head_ref }} | ||
| path: . | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: ${{ env.PYTHON_VERSION }} | ||
| cache: 'pip' | ||
| - name: Run codespell (Non-Blocking in PR) | ||
| run: codespell --skip="*.json,*.lock,*.csv" --ignore-words-list="xxx,yyy,zzz" --quiet-level=2 || true | ||
| security-check-pr: | ||
| name: "🔒 Security Check (PR)" | ||
| needs: setup-checks-pr | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout PR Source Branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.head_ref }} | ||
| path: . | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: ${{ env.PYTHON_VERSION }} | ||
| cache: 'pip' | ||
| - name: Run bandit (Non-Blocking in PR) | ||
| run: bandit -r . -f human -o bandit-pr-results.txt -f json -o bandit-pr-results.json || true | ||
| type-check-pr: | ||
| name: "🎯 Type Check (PR)" | ||
| needs: setup-checks-pr | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout PR Source Branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.head_ref }} | ||
| path: . | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: ${{ env.PYTHON_VERSION }} | ||
| cache: 'pip' | ||
| - name: Run mypy (Non-Blocking in PR) | ||
| run: mypy --ignore-missing-imports --show-error-codes . || true | ||
| lint-check-pr: | ||
| name: "🧹 Lint Check (PR-Blocking)" | ||
| needs: setup-checks-pr | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout PR Source Branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.head_ref }} | ||
| path: . | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: ${{ env.PYTHON_VERSION }} | ||
| cache: 'pip' | ||
| - name: Run ruff check (Blocking in PR: Fix lint errors first) | ||
| run: ruff check --output-format=concise . | ||
| test-pr: | ||
| name: "🧪 Unit Tests (PR-Blocking)" | ||
| needs: setup-checks-pr | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout PR Source Branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.head_ref }} | ||
| path: . | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: ${{ env.PYTHON_VERSION }} | ||
| cache: 'pip' | ||
| - name: Run pytest (Blocking in PR: Fix test failures first) | ||
| run: pytest | ||
| # 4. PR Security Analysis: CodeQL results synced to PR "Security" tab | ||
| codeql-pr: | ||
| name: "🛡️ CodeQL (PR)" | ||
| needs: setup-checks-pr | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write # Required to sync results to PR Security tab | ||
| steps: | ||
| - name: Checkout PR Source Branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.head_ref }} | ||
| path: . | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v2 | ||
| with: | ||
| languages: python | ||
| - name: Autobuild | ||
| uses: github/codeql-action/autobuild@v2 | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v2 | ||
| # 5. PR Summary: Clear status in PR "Checks" tab | ||
| pr-checks-summary: | ||
| name: "✅ PR All Checks Summary" | ||
| needs: [spell-check-pr, security-check-pr, type-check-pr, lint-check-pr, test-pr, codeql-pr] | ||
| if: always() | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Print PR Check Summary | ||
| run: | | ||
| echo "PR Source Branch: ${{ github.head_ref }}" | ||
| echo "Formatting Changes Applied: ${{ needs.ruff-auto-format-pr.outputs.changes_made }}" | ||
| # Block PR merge if critical checks (lint/tests) fail | ||
| if [[ "${{ contains(needs.lint-check-pr.result, 'failure') || contains(needs.test-pr.result, 'failure') }}" == "true" ]]; then | ||
| echo "❌ Critical PR Checks Failed (lint/tests) - Fix Before Merging" | ||
| exit 1 | ||
| else | ||
| echo "✅ Critical PR Checks Passed - Non-blocking issues (spelling/type) are optional to fix" | ||
| fi | ||
