diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 4588c7ab7..0b727c6ca 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -14,12 +14,19 @@ on:
 branches:
 - main
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
 env:
 HATCH_VERSION: 1.9.1
 jobs:
 test-python:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databrickslabs-protected-runner-group
+ labels: linux-ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -46,10 +53,12 @@ jobs:
 uses: codecov/codecov-action@v5
 with:
 codecov_yml_path: codecov.yml
- token: ${{ secrets.CODECOV_TOKEN }}
+ use_oidc: true
 integration-python:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databrickslabs-protected-runner-group
+ labels: linux-ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -80,7 +89,9 @@ jobs:
 fmt-python:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databrickslabs-protected-runner-group
+ labels: linux-ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -104,7 +115,9 @@ jobs:
 git diff --exit-code
 python-no-pylint-disable:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databrickslabs-protected-runner-group
+ labels: linux-ubuntu-latest
 if: github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize')
 steps:
 - name: Checkout
@@ -124,7 +137,9 @@ jobs:
 fi
 coverage-tests-with-make:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databrickslabs-protected-runner-group
+ labels: linux-ubuntu-latest
 env:
 INPUT_DIR_PARENT: .
 OUTPUT_DIR: ./test-reports
diff --git a/codecov.yml b/codecov.yml
index e289506a0..0eb4d895b 100644
--- a/codecov.yml
+++ b/codecov.yml
@@ -1,2 +1,12 @@
 # We may add certain file to ignore in the codecov coverage report
-ignore:
+coverage:
+ status:
+ project:
+ default:
+ target: auto
+ threshold: 0.5%
+ patch:
+ default:
+ target: auto
+ threshold: 0.5%
+ ignore:
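Review bot: The new top-level `permissions:` block grants `id-token: write` and `pull-requests: write` to every job in the workflow, but the only consumer visible in this diff is the Codecov upload in `test-python` (`use_oidc: true`). Workflow-level permissions are inherited by all jobs, so the integration, format, pylint-disable and make-based jobs can also request an OIDC token and write to pull requests. I would keep only `contents: read` at the top level and give `test-python` its own job-level `permissions:` with `id-token: write` and `contents: read` (a job-level block replaces the workflow-level one, so both keys are needed there). Nothing in the visible hunks uses `pull-requests: write`; drop it, or add it only to the job that needs it with a comment naming the step that requires it.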
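Review bot: `codecov/codecov-action@v5` is referenced by a movable tag in the job that, after this change, can request an OIDC token, so whatever the tag points to at run time executes with that ability. Pinning to a full commit SHA keeps the uploaded code fixed until someone reviews a bump, e.g. `uses: codecov/codecov-action@<full-commit-sha>  # v5` (placeholder, take the SHA from the release you audited). The same applies to `actions/checkout@v4` in the context lines. Once the OIDC upload is confirmed working, the now-unused `CODECOV_TOKEN` repository secret can presumably be deleted so it is not left lying around.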
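Review bot: The `runs-on` change in this `fmt-python` hunk, repeated in `test-python`, `integration-python`, `python-no-pylint-disable` and `coverage-tests-with-make`, moves every job onto `databrickslabs-protected-runner-group` without documenting what makes it safe. The `if: github.event_name == 'pull_request'` condition in `python-no-pylint-disable` indicates the workflow also runs on pull requests, so branch-authored code (test, format and make targets) would execute on those runners. Whether that is acceptable depends on properties not visible in this diff, presumably ephemeral runners and a group policy restricting which repositories and workflows may use it; that should be confirmed. A comment above the first `runs-on` would record the assumption, e.g. `# protected runner group: ephemeral, restricted to this org's workflows; see <runner-group doc>` (placeholder reference).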
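Review bot: `ignore:` appears to have moved from a top-level key (`-ignore:`) to an indented one (`+ ignore:`), which would nest it under `coverage:`, and it still has no value. Codecov reads its path-ignore list from a top-level `ignore:` key, so a nested, null-valued `ignore` is at best a no-op and may fail Codecov's YAML validation; indentation is collapsed in this view, so please confirm against the file. If no paths are ignored yet, either drop the key or write `ignore: []` at column 0 so the intent is explicit.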