From d35482141cda48d010c4fe71b71b07fa2303eb45 Mon Sep 17 00:00:00 2001 From: "@zimeg" Date: Thu, 22 May 2025 00:32:50 -0700 Subject: [PATCH 1/2] ci: pin actions workflow step hashes and use minimum permissions --- .github/workflows/flake8.yml | 38 +++++++++++++++------------ .github/workflows/py_compile.yml | 45 +++++++++++++++++++------------- .github/workflows/pytype.yml | 38 +++++++++++++++------------ 3 files changed, 71 insertions(+), 50 deletions(-) diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml index 677f469..eecd8bf 100644 --- a/.github/workflows/flake8.yml +++ b/.github/workflows/flake8.yml @@ -2,7 +2,8 @@ name: Lint validation using flake8 on: push: - branches: [ main ] + branches: + - main pull_request: jobs: @@ -11,19 +12,24 @@ jobs: timeout-minutes: 5 strategy: matrix: - python-version: ['3.9'] + python-version: + - "3.9" + permissions: + contents: read steps: - - uses: actions/checkout@v2 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 - with: - python-version: ${{ matrix.python-version }} - - name: Install dependencies - run: | - pip install -U pip - pip install -e ".[testing]" - # We manually upgrade it to make the builds stable - pip install "flake8==6.1.0" - - name: Run flake8 - run: | - flake8 slack_discovery_sdk/ + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + with: + persist-credentials: false + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4 + with: + python-version: ${{ matrix.python-version }} + - name: Install dependencies + run: | + pip install -U pip + pip install -e ".[testing]" + # We manually upgrade it to make the builds stable + pip install "flake8==6.1.0" + - name: Run flake8 + run: | + flake8 slack_discovery_sdk/ diff --git a/.github/workflows/py_compile.yml b/.github/workflows/py_compile.yml index 7be69ac..fb78a4f 100644 
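Review bot: The `Install dependencies` step in the flake8.yml steps hunk still resolves `pip install -U pip` and `pip install -e ".[testing]"` at run time, so the Python packages the job executes are not pinned the way the two actions now are. `flake8==6.1.0` fixes one version but carries no hash, and its transitive dependencies still float. The same step appears in the py_compile.yml and pytype.yml steps hunks. With `contents: read` and `persist-credentials: false` the exposure is limited to the job itself, but if a reproducible toolchain is the goal, consider a hash-checked install such as `pip install --require-hashes -r <pinned-requirements-file>` (placeholder path).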
--- a/.github/workflows/py_compile.yml +++ b/.github/workflows/py_compile.yml @@ -2,7 +2,8 @@ name: Sytanx check using py_compile on: push: - branches: [ main ] + branches: + - main pull_request: jobs: build: @@ -10,21 +11,29 @@ jobs: timeout-minutes: 5 strategy: matrix: - python-version: ['3.7', '3.8', '3.9', '3.10', '3.11'] + python-version: + - "3.11" + - "3.10" + - "3.9" + - "3.8" + - "3.7" + permissions: + contents: read steps: - - uses: actions/checkout@v2 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 - with: - python-version: ${{ matrix.python-version }} - - name: Install dependencies - run: | - pip install -U pip - pip install -e ".[testing]" - - name: Run py_compile for main code - run: | - find slack_discovery_sdk -name '*.py' | xargs python -m py_compile - - name: Run py_compile for test code - run: | - find tests -name '*.py' | xargs python -m py_compile - + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + with: + persist-credentials: false + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4 + with: + python-version: ${{ matrix.python-version }} + - name: Install dependencies + run: | + pip install -U pip + pip install -e ".[testing]" + - name: Run py_compile for main code + run: | + find slack_discovery_sdk -name '*.py' | xargs python -m py_compile + - name: Run py_compile for test code + run: | + find tests -name '*.py' | xargs python -m py_compile diff --git a/.github/workflows/pytype.yml b/.github/workflows/pytype.yml index da7f039..7cda0e6 100644 --- a/.github/workflows/pytype.yml +++ b/.github/workflows/pytype.yml @@ -2,7 +2,8 @@ name: Type hint validation using pytype on: push: - branches: [ main ] + branches: + - main pull_request: jobs: 
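Review bot: The trailing `# v2.7.0` and `# v2.3.4` comments on the two `uses:` lines in the py_compile.yml steps hunk are the only record of which release each SHA is meant to be, and nothing in the workflow checks them. Before merging, confirm that each SHA resolves to the stated tag in the upstream action repository, because a comment can drift from the hash on a later edit. Both pins stay on the v2 line of the actions, so it is worth checking whether that line still receives fixes, and adding an update mechanism for SHA-pinned actions so the pins do not go stale. The same two `uses:` lines are in the flake8.yml and pytype.yml steps hunks.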
@@ -11,19 +12,24 @@ jobs: timeout-minutes: 5 strategy: matrix: - python-version: ['3.9'] + python-version: + - "3.9" + permissions: + contents: read steps: - - uses: actions/checkout@v2 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v2 - with: - python-version: ${{ matrix.python-version }} - - name: Install dependencies - run: | - pip install -U pip - pip install -e ".[testing]" - # As pytype can change its behavior in newer versions, we manually upgrade it - pip install "pytype==2023.9.27" - - name: Run pytype - run: | - pytype slack_discovery_sdk/ + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + with: + persist-credentials: false + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4 + with: + python-version: ${{ matrix.python-version }} + - name: Install dependencies + run: | + pip install -U pip + pip install -e ".[testing]" + # As pytype can change its behavior in newer versions, we manually upgrade it + pip install "pytype==2023.9.27" + - name: Run pytype + run: | + pytype slack_discovery_sdk/ From 8627c8d62e4e8650adf9c5fa6b048af688c02633 Mon Sep 17 00:00:00 2001 From: "@zimeg" Date: Thu, 22 May 2025 00:40:33 -0700 Subject: [PATCH 2/2] ci: use a pinned version of the ubuntu runner for supported python version --- .github/workflows/py_compile.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/py_compile.yml b/.github/workflows/py_compile.yml index fb78a4f..b85ca32 100644 --- a/.github/workflows/py_compile.yml +++ b/.github/workflows/py_compile.yml @@ -7,16 +7,16 @@ on: pull_request: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 timeout-minutes: 5 strategy: matrix: python-version: - - "3.11" - - "3.10" - - "3.9" - - "3.8" - "3.7" + - "3.8" + - "3.9" + - "3.10" + - "3.11" permissions: contents: read steps:
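Review bot: `permissions: contents: read` is added under the job in the pytype.yml steps hunk, so it covers only that job; a job added to the workflow later would fall back to the repository's default token permissions. Declaring the same two lines once at the top level of the workflow makes read-only the default for every job, and a job can still widen it explicitly. The flake8.yml and py_compile.yml hunks place the block the same way. The job's header lines are outside this hunk, so the job name is not visible here.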
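Review bot: The `runs-on: ubuntu-22.04` pin in the second patch has no comment saying why it replaces `ubuntu-latest`. The commit subject suggests it is there so the older entries in the Python matrix stay installable, but that reason is not visible in the file. A short comment above the line, for example `# pinned: newer hosted images may not provide the oldest Python versions in the matrix; revisit when those versions are dropped`, would keep a later cleanup from reverting it. A pinned image label also stops working once the hosted image is retired, so the pin needs to be revisited together with the matrix.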