Merge pull request #1 from ori-platform/security/supply-chain-hardening #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| id-token: none | |
| jobs: | |
| test: | |
| name: Test (Python ${{ matrix.python-version }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| python-version: ["3.11", "3.12"] | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Guard supply-chain invariants | |
| run: python scripts/check_workflows.py | |
| - name: Install hash-locked dependencies | |
| run: | | |
| python -m pip install --require-hashes -r requirements-dev.txt | |
| python -m pip install --no-deps -e . | |
| - name: Pre-commit (lint + format + hygiene) | |
| env: | |
| SKIP: no-commit-to-branch | |
| run: | | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| FROM_REF="${{ github.event.pull_request.base.sha }}" | |
| TO_REF="${{ github.event.pull_request.head.sha }}" | |
| else | |
| FROM_REF="${{ github.event.before }}" | |
| TO_REF="${{ github.sha }}" | |
| fi | |
| if ! git cat-file -e "${FROM_REF}^{commit}" 2>/dev/null || ! git cat-file -e "${TO_REF}^{commit}" 2>/dev/null; then | |
| pre-commit run --show-diff-on-failure --all-files | |
| exit $? | |
| fi | |
| if echo "$FROM_REF" | grep -Eq '^0+$'; then | |
| pre-commit run --show-diff-on-failure --all-files | |
| else | |
| pre-commit run --show-diff-on-failure --from-ref "$FROM_REF" --to-ref "$TO_REF" | |
| fi | |
| - name: Run tests | |
| run: pytest -q | |
| - name: Run ruff lint | |
| run: ruff check . | |
| - name: Run ruff format check | |
| run: ruff format --check . | |
| - name: Run mypy | |
| run: mypy ori_sdk | |
| - name: Audit pinned Python dependencies | |
| run: | | |
| python -m pip_audit -r requirements.txt | |
| python -m pip_audit -r requirements-dev.txt | |
| - name: Generate SBOM | |
| if: matrix.python-version == '3.12' | |
| run: | | |
| python -m cyclonedx_py requirements requirements.txt \ | |
| --pyproject pyproject.toml \ | |
| --output-reproducible \ | |
| --of JSON \ | |
| -o sbom-sdk.json | |
| - name: Upload SBOM | |
| if: matrix.python-version == '3.12' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: sbom-sdk | |
| path: sbom-sdk.json | |
| if-no-files-found: error |