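name: CI
# Run the same blocking gate sequence in CI that contributors run locally, so
# the remote signal and the local signal can never disagree. The workflow calls
# the single `check-ci` command surface verbatim rather than re-encoding the
# gate steps in YAML.
on:
  push:
    branches: [main]
  # Empty value: GitHub's default pull_request activity types.
  pull_request:
# Least privilege: the gates only read the checked-out tree.
permissions:
  contents: read
# Supersede in-flight runs for the same ref so pushes do not pile up.
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  check:
    name: Quality gates
    runs-on: ubuntu-latest
    # Override the top-level read-only default: this job also uploads coverage to
    # GitHub Code Quality, which needs code-quality:write.
    permissions:
      contents: read
      code-quality: write
    steps:
      - name: Check out the repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          enable-cache: true
          cache-dependency-glob: uv.lock
      - name: Provision the pinned Python toolchain
        run: uv python install
      - name: Sync the locked environment
        run: uv sync --locked
      - name: Run the full CI gate sequence
        run: uv run python -m oaknational.python_repo_template.devtools check-ci
      # Derive a Cobertura report from the coverage data the check-ci `coverage`
      # gate already wrote (no second test run), then publish it to GitHub Code
      # Quality so coverage shows on pull requests. Both steps are gated to
      # non-fork events: a forked PR's token cannot write coverage, so there is
      # nothing to generate for it either.
      - name: Generate the Cobertura coverage report
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        run: uv run coverage xml
      - name: Upload coverage to GitHub Code Quality
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/upload-code-coverage@abb5995db9e0199b0e2bb9dbd136fce4cb1ec4d3 # v1
        with:
          file: coverage.xml
          language: Python
          label: code-coverage/pytest
          # Best-effort while GitHub Code Quality is a preview the org must enable:
          # a failed upload must not turn the gate run red. Remove this once the
          # feature is GA and enabled for the organisation.
          fail-on-error: false
  # Secret scanning runs alongside (not inside) check-ci: gitleaks is a Go
  # binary, not a uv package, so the venv cannot carry it and `uv sync` stays
  # sufficient for the gate sequence. We install the pinned binary directly and
  # verify its checksum rather than using gitleaks-action (which needs a
  # GITLEAKS_LICENSE for org repos and stops working when Node 20 runners are
  # retired). The version is pinned in lockstep with the pre-commit mirror via
  # tools/repo_audit_contract.toml; audit_secret_scanning enforces the match.
  secret-scan:
    name: Secret scanning (gitleaks)
    runs-on: ubuntu-latest
    # Least privilege, stated explicitly so a future top-level change cannot
    # silently widen this job's token.
    permissions:
      contents: read
    steps:
      - name: Check out the repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Install the pinned gitleaks binary
        run: |
          set -euo pipefail
          # Single literal version; the archive name is derived from it so a
          # partial bump fails loudly at the checksum step rather than silently
          # fetching a stale or wrong asset.
          GITLEAKS_VERSION=v8.30.1
          GITLEAKS_SHA256=551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb
          ARCHIVE="gitleaks_${GITLEAKS_VERSION#v}_linux_x64.tar.gz"
          # Download and unpack outside the workspace: the next step scans the
          # checked-out tree, so the archive and the extracted binary must not be
          # left in it (wasted scan time, possible false positives). The temp
          # dir is removed on any exit, including a failed checksum.
          WORKDIR="$(mktemp -d)"
          trap 'rm -rf "$WORKDIR"' EXIT
          # --retry covers transient network/5xx failures only; -f still turns a
          # missing asset into a hard error before the checksum step.
          curl -sSfL --retry 3 -o "${WORKDIR}/${ARCHIVE}" \
            "https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/${ARCHIVE}"
          # Two-space separator is the canonical sha256sum check-file format.
          echo "${GITLEAKS_SHA256}  ${WORKDIR}/${ARCHIVE}" | sha256sum --check --strict
          # Extract only the binary member; nothing else from the archive is used.
          tar -xzf "${WORKDIR}/${ARCHIVE}" -C "$WORKDIR" gitleaks
          sudo install "${WORKDIR}/gitleaks" /usr/local/bin/gitleaks
          gitleaks version
      # Scans the checked-out working tree (not full git history); see the
      # secret-scanning section of docs/dev-tooling.md for the scope boundary.
      - name: Scan the working tree for secrets
        run: gitleaks dir . --config=.gitleaks.toml --redact --no-banner --exit-code=1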