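---
# CI workflow: static security scan, lint/pre-commit, and the pytest matrix,
# followed by a Webex notification on non-PR runs.
name: Tests

on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main

# Least-privilege default for GITHUB_TOKEN. Only the lint job needs more
# (it pushes uv.lock for dependabot) and overrides this at the job level.
permissions:
  contents: read

jobs:
  security:
    name: Security
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Install bandit
        run: uv tool install bandit[toml]
      # -ll reports medium severity and above; findings at that level fail the
      # step, which is why the report upload below runs unconditionally.
      - name: Run bandit security scan
        run: bandit -r nac_yaml/ -ll -f json -o bandit-security-report.json
      - name: Upload security report
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: bandit-security-report
          path: bandit-security-report.json

  lint:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: write  # Required for dependabot to push lock file updates
    steps:
      # NOTE(review): checkout persists a contents:write token in .git/config
      # for every run of this job, so scripts/license-headers.sh and the
      # repository's pre-commit hooks run with push capability. If neither
      # `uv sync` nor pre-commit needs authenticated git access, consider
      # `persist-credentials: ${{ github.actor == 'dependabot[bot]' }}` — confirm
      # before changing. `ref` is empty on push events and falls back to the
      # default checkout; on fork PRs the head ref is not in this repo.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          ref: ${{ github.head_ref }}
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Set up Python
        run: uv python install 3.13
      - name: Install dependencies
        run: uv sync --extra dev
      # Only dependabot-triggered runs may commit; the "[dependabot skip]"
      # trailer keeps dependabot from rebasing over the bot commit.
      - name: Update lock file
        if: github.actor == 'dependabot[bot]'
        run: |
          uv lock
          if [[ -n $(git status --porcelain uv.lock) ]]; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add uv.lock
            git commit -m "chore: update uv.lock [dependabot skip]"
            git push
          fi
      - name: Check License Headers
        run: bash scripts/license-headers.sh
      - name: Pre-commit Checks
        run: uv run pre-commit run --all-files

  test:
    name: Tests
    runs-on: ubuntu-latest
    timeout-minutes: 10
    strategy:
      matrix:
        # Quoted so "3.10" is not parsed as the float 3.1.
        python:
          - "3.10"
          - "3.11"
          - "3.12"
          - "3.13"
          - "3.14"
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          enable-cache: true
      - name: Set up Python
        run: uv python install ${{ matrix.python }}
      - name: Install dependencies and run tests
        run: |
          uv sync --extra dev
          uv run pytest

  notification:
    name: Notification
    # Runs regardless of upstream outcome, but never for pull requests.
    if: always() && github.event_name != 'pull_request'
    needs: [security, lint, test]
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      # Job results are passed through env rather than interpolated into the
      # script so the shell only ever sees quoted variables.
      - name: Check Job Success
        id: print_status
        env:
          SECURITY_RESULT: ${{ needs.security.result }}
          LINT_RESULT: ${{ needs.lint.result }}
          TEST_RESULT: ${{ needs.test.result }}
        run: |
          if [[ "$SECURITY_RESULT" == 'success' && "$LINT_RESULT" == 'success' && "$TEST_RESULT" == 'success' ]]; then
            echo "All jobs succeeded"
            echo "jobSuccess=success" >> "$GITHUB_ENV"
          else
            echo "Not all jobs succeeded"
            echo "jobSuccess=fail" >> "$GITHUB_ENV"
          fi
      # TODO(review): pin this third-party action to a full commit SHA. A
      # mutable branch ref lets any upstream change run here with
      # WEBEX_TOKEN and WEBEX_ROOM_ID in its environment.
      - name: Webex Notification
        if: always()
        uses: qsnyder/action-wxt@master
        env:
          TOKEN: ${{ secrets.WEBEX_TOKEN }}
          ROOMID: ${{ secrets.WEBEX_ROOM_ID }}
          # head_commit.message and pull_request.title are author-controlled
          # text; they reach the action only as an env value, not a shell.
          MESSAGE: |
            [**[${{ env.jobSuccess }}] ${{ github.repository }} #${{ github.run_number }}**](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
            * Commit: [${{ github.event.head_commit.message }}](${{ github.event.head_commit.url }})[${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }})
            * Author: ${{ github.event.sender.login }}
            * Branch: ${{ github.ref }} ${{ github.head_ref }}
            * Event: ${{ github.event_name }}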