summaryrefslogtreecommitdiff
path: root/.github
diff options
context:
space:
mode:
authorMichael Howitz <mh@gocept.com>2021-08-30 10:13:24 +0200
committerMichael Howitz <mh@gocept.com>2021-08-30 10:13:24 +0200
commita30909b918595d41936b3bf3d549be2becd99f1d (patch)
treeefe93f9eb24005c42cdcc2f5195e0c213011926e /.github
parent347d187367a4d96f4b9ba70c4a5f9aa4efa6197c (diff)
downloadzope-security-a30909b918595d41936b3bf3d549be2becd99f1d.tar.gz
Configuring for c-code
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/tests.yml450
1 files changed, 450 insertions, 0 deletions
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 0000000..3422aa2
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,450 @@
+# Generated from:
+# https://github.com/zopefoundation/meta/tree/master/config/c-code
+###
+# Initially copied from
+# https://github.com/actions/starter-workflows/blob/main/ci/python-package.yml
+# And later based on the version jamadden updated at
+# gevent/gevent, and then at zodb/relstorage and zodb/perfmetrics
+#
+# Original comment follows.
+###
+###
+# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+###
+
+###
+# Important notes on GitHub actions:
+#
+# - We only get 2,000 free minutes a month (private repos)
+# - We only get 500MB of artifact storage
+# - Cache storage is limited to 7 days and 5GB.
+# - macOS minutes are 10x as expensive as Linux minutes
+# - windows minutes are twice as expensive.
+#
+# So keep those workflows light. Note: Currently, they seem to be free
+# and unlimited for open source projects. But for how long...
+#
+# In December 2020, github only supports x86/64. If we wanted to test
+# on other architectures, we can use docker emulation, but there's no
+# native support. It works, but is slow.
+#
+# Another major downside: You can't just re-run the job for one part
+# of the matrix. So if there's a transient test failure that hit, say, 3.8,
+# to get a clean run every version of Python runs again. That's bad.
+# https://github.community/t/ability-to-rerun-just-a-single-job-in-a-workflow/17234/65
+
+name: tests
+
+
+# Triggers the workflow on push or pull request events and periodically
+on:
+ push:
+ pull_request:
+ schedule:
+ - cron: '0 12 * * 0' # run once a week on Sunday
+ # Allow to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+env:
+ # Weirdly, this has to be a top-level key, not ``defaults.env``
+ PYTHONHASHSEED: 8675309
+ PYTHONUNBUFFERED: 1
+ PYTHONDONTWRITEBYTECODE: 1
+ PYTHONDEVMODE: 1
+ PYTHONFAULTHANDLER: 1
+ ZOPE_INTERFACE_STRICT_IRO: 1
+
+ PIP_UPGRADE_STRATEGY: eager
+ # Don't get warnings about Python 2 support being deprecated. We
+ # know. The env var works for pip 20.
+ PIP_NO_PYTHON_VERSION_WARNING: 1
+ PIP_NO_WARN_SCRIPT_LOCATION: 1
+
+ CFLAGS: -Ofast -pipe
+ CXXFLAGS: -Ofast -pipe
+ # Uploading built wheels for releases.
+ # TWINE_PASSWORD is encrypted and stored directly in the
+ # github repo settings.
+ TWINE_USERNAME: __token__
+
+ ###
+ # caching
+ # This is where we'd set up ccache, but this compiles so fast its not worth it.
+ ###
+
+
+jobs:
+ # Because sharing code/steps is so hard, and because it can be
+ # extremely valuable to be able to get binary wheels without
+ # uploading to PyPI and even if there is some failure, (e.g., for
+ # other people to test/debug), the strategy is to divide the process
+ # into several different jobs. The first builds and saves the binary
+ # wheels. It has dependent jobs that download and install the wheel
+ # to run tests, build docs, and perform linting. Building the
+ # manylinux wheels is an independent set of jobs.
+ #
+ # This division is time-saving for projects that take awhile to
+ # build, but somewhat less of a clear-cut win given how quick this
+ # is to compile (at least at this writing).
+ build-package:
+ # Sigh. Note that the matrix must be kept in sync
+ # with `test`, and `docs` must use a subset.
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ python-version:
+ - 2.7
+ - 3.5
+ - pypy-2.7
+ - pypy-3.6
+ - 3.6
+ - 3.7
+ - 3.8
+ - 3.9
+ os: [ubuntu-20.04, macos-latest]
+ exclude:
+ - os: macos-latest
+ python-version: pypy-2.7
+ - os: macos-latest
+ python-version: pypy-3.6
+ - os: macos-latest
+ python-version: 3.5
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python-version }}
+ ###
+ # Caching.
+ # This actually *restores* a cache and schedules a cleanup action
+ # to save the cache. So it must come before the thing we want to use
+ # the cache.
+ ###
+ - name: Get pip cache dir
+ id: pip-cache
+ run: |
+ echo "::set-output name=dir::$(pip cache dir)"
+
+ - name: pip cache
+ uses: actions/cache@v2
+ with:
+ path: ${{ steps.pip-cache.outputs.dir }}
+ key: ${{ runner.os }}-pip-${{ matrix.python-version }}
+ restore-keys: |
+ ${{ runner.os }}-pip-
+
+ - name: Install Build Dependencies
+ run: |
+ pip install -U pip
+ pip install -U setuptools wheel twine cffi
+ pip install -U coveralls coverage
+
+ - name: Build zope.security
+ run: |
+ # Next, build the wheel *in place*. This helps ccache, and also lets us cache the configure
+ # output (pip install uses a random temporary directory, making this difficult).
+ python setup.py build_ext -i
+ python setup.py bdist_wheel
+ # Also install it, so that we get dependencies in the (pip) cache.
+ pip install -U coverage
+ pip install -U 'faulthandler; python_version == "2.7" and platform_python_implementation == "CPython"'
+ pip install .[test]
+
+ - name: Check zope.security build
+ run: |
+ ls -l dist
+ twine check dist/*
+ - name: Upload zope.security wheel
+ uses: actions/upload-artifact@v2
+ with:
+ name: zope.security-${{ runner.os }}-${{ matrix.python-version }}.whl
+ path: dist/*whl
+ - name: Publish package to PyPI (mac)
+ # We cannot 'uses: pypa/gh-action-pypi-publish@v1.4.1' because
+ # that's apparently a container action, and those don't run on
+ # the Mac.
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && startsWith(runner.os, 'Mac')
+ env:
+ TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
+ run: |
+ twine upload --skip-existing dist/*
+
+ test:
+ needs: build-package
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ python-version:
+ - 2.7
+ - 3.5
+ - pypy-2.7
+ - pypy-3.6
+ - 3.6
+ - 3.7
+ - 3.8
+ - 3.9
+ os: [ubuntu-20.04, macos-latest]
+ exclude:
+ - os: macos-latest
+ python-version: pypy-2.7
+ - os: macos-latest
+ python-version: pypy-3.6
+ - os: macos-latest
+ python-version: 3.5
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python-version }}
+ ###
+ # Caching.
+ # This actually *restores* a cache and schedules a cleanup action
+ # to save the cache. So it must come before the thing we want to use
+ # the cache.
+ ###
+ - name: Get pip cache dir
+ id: pip-cache
+ run: |
+ echo "::set-output name=dir::$(pip cache dir)"
+
+ - name: pip cache
+ uses: actions/cache@v2
+ with:
+ path: ${{ steps.pip-cache.outputs.dir }}
+ key: ${{ runner.os }}-pip-${{ matrix.python-version }}
+ restore-keys: |
+ ${{ runner.os }}-pip-
+
+ - name: Download zope.security wheel
+ uses: actions/download-artifact@v2
+ with:
+ name: zope.security-${{ runner.os }}-${{ matrix.python-version }}.whl
+ path: dist/
+ - name: Install zope.security
+ run: |
+ pip install -U wheel
+ pip install -U coverage coverage-python-version
+ pip install -U 'faulthandler; python_version == "2.7" and platform_python_implementation == "CPython"'
+ # Unzip into src/ so that testrunner can find the .so files
+ # when we ask it to load tests from that directory. This
+ # might also save some build time?
+ unzip -n dist/zope.security-*whl -d src
+ pip install -U -e .[test]
+ - name: Run tests with C extensions
+ if: ${{ !startsWith(matrix.python-version, 'pypy') }}
+ run: |
+ python -m coverage run -p -m zope.testrunner --test-path=src --auto-color --auto-progress
+ - name: Run tests without C extensions
+ run:
+ # coverage makes PyPy run about 3x slower!
+ PURE_PYTHON=1 python -m coverage run -p -m zope.testrunner --test-path=src --auto-color --auto-progress
+ - name: Report Coverage
+ run: |
+ coverage combine
+ coverage report -i
+ - name: Submit to Coveralls
+ # This is a container action, which only runs on Linux.
+ if: ${{ startsWith(runner.os, 'Linux') }}
+ uses: AndreMiras/coveralls-python-action@develop
+ with:
+ parallel: true
+
+ coveralls_finish:
+ needs: test
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Coveralls Finished
+ uses: AndreMiras/coveralls-python-action@develop
+ with:
+ parallel-finished: true
+
+ docs:
+ needs: build-package
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ python-version: [3.9]
+ os: [ubuntu-20.04]
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python-version }}
+ ###
+ # Caching.
+ # This actually *restores* a cache and schedules a cleanup action
+ # to save the cache. So it must come before the thing we want to use
+ # the cache.
+ ###
+ - name: Get pip cache dir
+ id: pip-cache
+ run: |
+ echo "::set-output name=dir::$(pip cache dir)"
+
+ - name: pip cache
+ uses: actions/cache@v2
+ with:
+ path: ${{ steps.pip-cache.outputs.dir }}
+ key: ${{ runner.os }}-pip-${{ matrix.python-version }}
+ restore-keys: |
+ ${{ runner.os }}-pip-
+
+ - name: Download zope.security wheel
+ uses: actions/download-artifact@v2
+ with:
+ name: zope.security-${{ runner.os }}-${{ matrix.python-version }}.whl
+ path: dist/
+ - name: Install zope.security
+ run: |
+ pip install -U wheel
+ pip install -U coverage
+ pip install -U "`ls dist/zope.security-*.whl`[docs]"
+ # Until repoze.sphinx.autointerface supports Sphinx 4.x we cannot use it:
+ pip install -U "Sphinx < 4"
+ - name: Build docs
+ env:
+ ZOPE_INTERFACE_STRICT_IRO: 1
+ run: |
+ sphinx-build -b html -d docs/_build/doctrees docs docs/_build/html
+ sphinx-build -b doctest -d docs/_build/doctrees docs docs/_build/doctest
+
+ lint:
+ needs: build-package
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ python-version: [3.9]
+ os: [ubuntu-20.04]
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python-version }}
+ ###
+ # Caching.
+ # This actually *restores* a cache and schedules a cleanup action
+ # to save the cache. So it must come before the thing we want to use
+ # the cache.
+ ###
+ - name: Get pip cache dir
+ id: pip-cache
+ run: |
+ echo "::set-output name=dir::$(pip cache dir)"
+
+ - name: pip cache
+ uses: actions/cache@v2
+ with:
+ path: ${{ steps.pip-cache.outputs.dir }}
+ key: ${{ runner.os }}-pip-${{ matrix.python-version }}
+ restore-keys: |
+ ${{ runner.os }}-pip-
+
+ - name: Download zope.security wheel
+ uses: actions/download-artifact@v2
+ with:
+ name: zope.security-${{ runner.os }}-${{ matrix.python-version }}.whl
+ path: dist/
+ - name: Install zope.security
+ run: |
+ pip install -U pip
+ pip install -U wheel
+ pip install -U `ls dist/zope.security-*`[test]
+ - name: Lint
+ # We only need to do this on one version, and it should be Python 3, because
+ # pylint has stopped updating for Python 2.
+ # TODO: Pick a linter and configuration and make this step right.
+ run: |
+ pip install -U pylint
+ # python -m pylint --limit-inference-results=1 --rcfile=.pylintrc zope.security -f parseable -r n
+
+ manylinux:
+ runs-on: ubuntu-20.04
+ # We use a regular Python matrix entry to share as much code as possible.
+ strategy:
+ matrix:
+ python-version: [3.9]
+ image: [manylinux2010_x86_64, manylinux2010_i686, manylinux2014_aarch64]
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python-version }}
+ ###
+ # Caching.
+ # This actually *restores* a cache and schedules a cleanup action
+ # to save the cache. So it must come before the thing we want to use
+ # the cache.
+ ###
+ - name: Get pip cache dir
+ id: pip-cache
+ run: |
+ echo "::set-output name=dir::$(pip cache dir)"
+
+ - name: pip cache
+ uses: actions/cache@v2
+ with:
+ path: ${{ steps.pip-cache.outputs.dir }}
+ key: ${{ runner.os }}-pip_manylinux-${{ matrix.image }}-${{ matrix.python-version }}
+ restore-keys: |
+ ${{ runner.os }}-pip-
+
+ - name: Update pip
+ run: pip install -U pip
+ - name: Build zope.security (x86_64)
+ if: matrix.image == 'manylinux2010_x86_64'
+ # An alternate way to do this is to run the container directly with a uses:
+ # and then the script runs inside it. That may work better with caching.
+ # See https://github.com/pyca/bcrypt/blob/f6b5ee2eda76d077c531362ac65e16f045cf1f29/.github/workflows/wheel-builder.yml
+ # The 2010 image is the most recent spec that comes with Python 2.7,
+ # and only up through the tag 2021-02-06-3d322a5
+ env:
+ DOCKER_IMAGE: quay.io/pypa/${{ matrix.image }}
+ run: |
+ bash .manylinux.sh
+ - name: Build zope.security (i686)
+ if: matrix.image == 'manylinux2010_i686'
+ env:
+ DOCKER_IMAGE: quay.io/pypa/${{ matrix.image }}
+ PRE_CMD: linux32
+ run: |
+ bash .manylinux.sh
+ - name: Build zope.security (aarch64)
+ if: matrix.image == 'manylinux2014_aarch64'
+ env:
+ DOCKER_IMAGE: quay.io/pypa/${{ matrix.image }}
+ run: |
+ # First we must enable emulation
+ docker run --rm --privileged hypriot/qemu-register
+ bash .manylinux.sh
+
+ - name: Upload zope.security wheels
+ uses: actions/upload-artifact@v2
+ with:
+ path: wheelhouse/*whl
+ name: manylinux_${{ matrix.image }}_wheels.zip
+ - name: Restore pip cache permissions
+ run: sudo chown -R $(whoami) ${{ steps.pip-cache.outputs.dir }}
+ - name: Publish package to PyPI
+ uses: pypa/gh-action-pypi-publish@v1.4.1
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags')
+ with:
+ user: __token__
+ password: ${{ secrets.TWINE_PASSWORD }}
+ skip_existing: true
+ packages_dir: wheelhouse/