Skip to content

Merge pull request #1 from ori-platform/security/supply-chain-hardening #8

Merge pull request #1 from ori-platform/security/supply-chain-hardening

Merge pull request #1 from ori-platform/security/supply-chain-hardening #8

Workflow file for this run

name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
id-token: none
jobs:
test:
name: Test (Python ${{ matrix.python-version }})
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.11", "3.12"]
steps:
- name: Harden runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: ${{ matrix.python-version }}
- name: Guard supply-chain invariants
run: python scripts/check_workflows.py
- name: Install hash-locked dependencies
run: |
python -m pip install --require-hashes -r requirements-dev.txt
python -m pip install --no-deps -e .
- name: Pre-commit (lint + format + hygiene)
env:
SKIP: no-commit-to-branch
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
FROM_REF="${{ github.event.pull_request.base.sha }}"
TO_REF="${{ github.event.pull_request.head.sha }}"
else
FROM_REF="${{ github.event.before }}"
TO_REF="${{ github.sha }}"
fi
if ! git cat-file -e "${FROM_REF}^{commit}" 2>/dev/null || ! git cat-file -e "${TO_REF}^{commit}" 2>/dev/null; then
pre-commit run --show-diff-on-failure --all-files
exit $?
fi
if echo "$FROM_REF" | grep -Eq '^0+$'; then
pre-commit run --show-diff-on-failure --all-files
else
pre-commit run --show-diff-on-failure --from-ref "$FROM_REF" --to-ref "$TO_REF"
fi
- name: Run tests
run: pytest -q
- name: Run ruff lint
run: ruff check .
- name: Run ruff format check
run: ruff format --check .
- name: Run mypy
run: mypy ori_sdk
- name: Audit pinned Python dependencies
run: |
python -m pip_audit -r requirements.txt
python -m pip_audit -r requirements-dev.txt
- name: Generate SBOM
if: matrix.python-version == '3.12'
run: |
python -m cyclonedx_py requirements requirements.txt \
--pyproject pyproject.toml \
--output-reproducible \
--of JSON \
-o sbom-sdk.json
- name: Upload SBOM
if: matrix.python-version == '3.12'
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: sbom-sdk
path: sbom-sdk.json
if-no-files-found: error