From 0b99937b86e98b88a131d9508162d283669570d8 Mon Sep 17 00:00:00 2001 From: Matthew Feickert Date: Thu, 30 May 2024 14:15:35 -0500 Subject: [PATCH 1/5] PR 2479 --- .github/workflows/lower-bound-requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lower-bound-requirements.yml b/.github/workflows/lower-bound-requirements.yml index 4b170d67ac..1c762efb64 100644 --- a/.github/workflows/lower-bound-requirements.yml +++ b/.github/workflows/lower-bound-requirements.yml @@ -26,7 +26,7 @@ jobs: - name: Install dependencies and force lowest bound run: | - python -m pip install --upgrade pip setuptools wheel + python -m pip install --upgrade pip 'setuptools<70.0.0' wheel python -m pip --no-cache-dir install --constraint tests/constraints.txt .[test] - name: List installed Python packages From 21dd591fa0fd3a00fc1227dd1b43167cd8aabe3f Mon Sep 17 00:00:00 2001 From: Matthew Feickert Date: Thu, 30 May 2024 14:17:03 -0500 Subject: [PATCH 2/5] PR 2489 --- .github/workflows/release_tests.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release_tests.yml b/.github/workflows/release_tests.yml index f5c1904260..89162bf60f 100644 --- a/.github/workflows/release_tests.yml +++ b/.github/workflows/release_tests.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: pypi_release: @@ -45,6 +48,10 @@ jobs: - name: Canary test public API run: | + # Override the ini option for filterwarnings with an empty list to disable error on filterwarnings + # as testing the latest release API still works, not the release is warning free. + # Though still show warnings by setting warning control to 'default'. + export PYTHONWARNINGS='default' pytest tests/test_public_api.py # FIXME: c.f. https://github.com/proycon/codemetapy/issues/24 From cff5eed8d8ac02e372e9ba594d887285fd3d9d7d Mon Sep 17 00:00:00 2001 
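Review bot: The `'setuptools<70.0.0'` cap added to the "Install dependencies and force lowest bound" step has no explanation next to it, and the commit subject ("PR 2479") does not say which breakage it works around. A cap on a build tool tends to outlive its cause and then keeps later setuptools fixes out of this job. I would add a comment above the install line, for example `# FIXME: temporary cap on setuptools, remove once <ISSUE-URL> is resolved` (the URL is a placeholder).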
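Review bot: The comment added to the "Canary test public API" step says the `filterwarnings` ini option is overridden with an empty list, but the `pytest tests/test_public_api.py` line below it is unchanged and passes no `--override-ini filterwarnings=`; only `PYTHONWARNINGS='default'` is exported. If the project's pytest configuration turns warnings into errors (not visible here), the environment variable alone probably does not undo that, because pytest applies its ini filters itself. Either change the invocation to `pytest --override-ini filterwarnings= tests/test_public_api.py`, as the notebooks workflow in this series does, or reword the comment so it describes only the `PYTHONWARNINGS` export.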
From: Matthew Feickert Date: Thu, 30 May 2024 14:18:02 -0500 Subject: [PATCH 3/5] PR 2481 --- .github/workflows/publish-package.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml index eeb8131afa..7f798b3616 100644 --- a/.github/workflows/publish-package.yml +++ b/.github/workflows/publish-package.yml @@ -25,6 +25,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build: name: Build Python distribution @@ -32,7 +35,6 @@ jobs: permissions: id-token: write attestations: write - contents: read steps: - uses: actions/checkout@v4 From 4c603d8fc6f1cea6f344616c78bb445039a66e18 Mon Sep 17 00:00:00 2001 From: Matthew Feickert Date: Thu, 30 May 2024 14:21:47 -0500 Subject: [PATCH 4/5] Update permissions changes --- .github/workflows/bump-version.yml | 5 +++++ .github/workflows/ci.yml | 3 +++ .github/workflows/codeql-analysis.yml | 7 +++++++ .github/workflows/dependencies-head.yml | 3 +++ .github/workflows/docker.yml | 6 ++++++ .github/workflows/docs.yml | 3 +++ .github/workflows/lint.yml | 3 +++ .github/workflows/lower-bound-requirements.yml | 3 +++ .github/workflows/merged.yml | 3 +++ .github/workflows/notebooks.yml | 5 ++++- .github/workflows/semantic-pr-check.yml | 6 ++++++ 11 files changed, 46 insertions(+), 1 deletion(-) diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 3a5b1f0142..e63bf7c940 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -33,8 +33,13 @@ on: description: 'Perform a dry run to check' default: true +permissions: + contents: read + jobs: bump-version: + permissions: + contents: write # for Git to git push runs-on: ubuntu-latest if: github.repository == 'scikit-hep/pyhf' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 588d759f5e..6088875367 100644 
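Review bot: Dropping `contents: read` from the `build` job's `permissions` block in publish-package.yml leaves that job with no `contents` access, because a job-level `permissions` mapping replaces the workflow-level one instead of merging with it, and every scope it does not list becomes `none`. The new top-level `contents: read` therefore only reaches jobs that have no `permissions` block of their own. The job still runs `actions/checkout@v4`, which works without the scope on a public repository but fails on a private one, and the attestation step, which is outside the hunk, may expect it too. I would keep the line in the job block next to `id-token: write` and `attestations: write`: `contents: read  # for actions/checkout to fetch code`.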
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,6 +15,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: test: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7d680f58d3..507b0c7808 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -15,8 +15,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/analyze to upload SARIF results name: Analyze runs-on: ubuntu-latest diff --git a/.github/workflows/dependencies-head.yml b/.github/workflows/dependencies-head.yml index 849cf6fea4..feaf00a5ec 100644 --- a/.github/workflows/dependencies-head.yml +++ b/.github/workflows/dependencies-head.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: release-candidates: diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index bd9b5527f4..e3b4616fa3 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -20,9 +20,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: docker: name: Build, test, and publish Docker images to Docker Hub + permissions: + contents: read + packages: write # for docker to push to registry runs-on: ubuntu-latest steps: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 365aeff43b..c434195821 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
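Review bot: `packages: write` on the `docker` job looks broader than the job needs: its name says the images go to Docker Hub, and a Docker Hub push authenticates with registry credentials, not with `GITHUB_TOKEN`. The scope only matters for GitHub Packages (ghcr.io). If no step pushes there (the steps are outside the hunk), drop the line and keep `contents: read`; if one does, name the registry in the comment, e.g. `packages: write  # for docker to push to ghcr.io`, so the grant stays tied to a reason.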
@@ -14,6 +14,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build: name: Build docs diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index fdce2d7b28..5cc93cb35c 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -8,6 +8,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: lint: diff --git a/.github/workflows/lower-bound-requirements.yml b/.github/workflows/lower-bound-requirements.yml index 1c762efb64..dd1593b164 100644 --- a/.github/workflows/lower-bound-requirements.yml +++ b/.github/workflows/lower-bound-requirements.yml @@ -6,6 +6,9 @@ on: - cron: '1 0 * * *' workflow_dispatch: +permissions: + contents: read + jobs: test: diff --git a/.github/workflows/merged.yml b/.github/workflows/merged.yml index 3923caaffe..cce0e42670 100644 --- a/.github/workflows/merged.yml +++ b/.github/workflows/merged.yml @@ -5,6 +5,9 @@ on: types: [closed] workflow_dispatch: +permissions: + contents: read + jobs: binder: name: Trigger Binder build diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml index 29d6df0605..50580dfa86 100644 --- a/.github/workflows/notebooks.yml +++ b/.github/workflows/notebooks.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: test: @@ -41,4 +44,4 @@ jobs: # Override the ini option for filterwarnings with an empty list to disable error # on filterwarnings as testing for notebooks to run with the latest API, not if # Jupyter infrastructure is warning free. - pytest --override-ini filterwarnings= tests/test_notebooks.py + pytest --verbose --override-ini filterwarnings= tests/test_notebooks.py diff --git a/.github/workflows/semantic-pr-check.yml b/.github/workflows/semantic-pr-check.yml index 143ec8377e..f7f0d13283 100644 
--- a/.github/workflows/semantic-pr-check.yml +++ b/.github/workflows/semantic-pr-check.yml @@ -11,9 +11,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }} cancel-in-progress: true +permissions: + contents: read + jobs: main: + permissions: + pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs + statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR name: Validate PR title runs-on: ubuntu-latest From 097f13b605546d365aafebacd50834b70994349d Mon Sep 17 00:00:00 2001 From: Matthew Feickert Date: Thu, 30 May 2024 14:33:43 -0500 Subject: [PATCH 5/5] Add CI for windows --- .github/workflows/ci-windows.yml | 50 ++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 .github/workflows/ci-windows.yml diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml new file mode 100644 index 0000000000..0dbef41600 --- /dev/null +++ b/.github/workflows/ci-windows.yml 
@@ -0,0 +1,50 @@ +name: CI on Windows + +on: + # Run daily at 1:23 UTC + schedule: + - cron: '23 1 * * *' + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + test: + + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [windows-latest] + python-version: ['3.9', '3.10', '3.11', '3.12'] + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python-version }} + + - name: Install dependencies + run: | + python -m pip install uv + uv pip install --system --upgrade pip setuptools wheel + uv pip install --system --upgrade '.[all,test]' + + - name: List installed Python packages + run: python -m pip list + + - name: Test with pytest and coverage + # FIXME: ignore tests/test_scripts.py as runner breaks on Windows currently + run: | + coverage run --module pytest --ignore tests/test_scripts.py --ignore tests/contrib --ignore tests/benchmarks --ignore tests/test_notebooks.py + + - name: Coverage report for core project + run: | + coverage report + coverage xml
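Review bot: The new workflow refers to `actions/checkout@v4` and `actions/setup-python@v5` by tag and installs `uv` unpinned with `python -m pip install uv`, so each scheduled run can pick up different code without any change in this repository. Pinning each action to a full commit SHA with the tag in a trailing comment, `uses: actions/checkout@<FULL-COMMIT-SHA>  # v4` (the SHA is a placeholder), keeps the runs reproducible and makes updates show up in review. The `permissions: contents: read` block already limits what a changed dependency could do with the token, so this is hardening and not a blocker.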