Skip to content

ci: create separate workflows for code-quality #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 14, 2025
Merged

ci: create separate workflows for code-quality #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
23 changes: 23 additions & 0 deletions .github/dependency_review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
fail-on-severity: 'low'
allow-licenses:
- 'BSD-2-Clause'
- 'BSD-3-Clause'
- 'BSD-3-Clause-Clear'
- 'BSD-2-Clause-Views'
- 'MIT'
- 'Apache-2.0'
- 'ISC'
- 'BlueOak-1.0.0'
- '0BSD'
- 'Python-2.0'
- 'LGPL-3.0'
- 'MPL-2.0'
fail-on-scopes:
- 'runtime'
- 'development'
- 'unknown'
license-check: true
vulnerability-check: true
allow-dependencies-licenses:
- 'pkg:pypi/[email protected]'
- 'pkg:pypi/psycopg2-binary'
41 changes: 41 additions & 0 deletions .github/prepare_test_env/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
name: 'Prepare test environment'
inputs:
PYTHON_VERSION:
description: 'Python version to use'
required: true
SOURCE_PATH:
description: 'Path to the source code directory'
required: false
default: 'src'
type: string
VIRTUALENV_PATH:
description: 'Virtualenv path'
required: false
default: 'virtualenv'
type: string

runs:
using: "composite"
steps:
- name: Checkout main repository
uses: actions/checkout@v4
with:
path: ${{ inputs.SOURCE_PATH }}
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.PYTHON_VERSION }}
cache: 'pip'

- name: Install dependencies
shell: bash
run: |
python -m pip install --upgrade pip
python -m venv ${{ inputs.VIRTUALENV_PATH }}
source ${{ inputs.VIRTUALENV_PATH }}/*/activate
python --version
pip install ./${{ inputs.SOURCE_PATH }}
pip install -r ${{ inputs.SOURCE_PATH }}/requirements-test.txt
pip install -r ${{ inputs.SOURCE_PATH }}/requirements-dev.txt
pip install -r ${{ inputs.SOURCE_PATH }}/requirements.txt
184 changes: 63 additions & 121 deletions .github/workflows/build_upload_whl.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
description: 'PyPI API token to publish package'
required: false
inputs:
UPLOAD_PACKAGE:
RELEASE_STEPS:
description: 'Should the package be uploaded to PyPI?'
required: false
default: false
Expand All @@ -27,181 +27,123 @@
required: false
default: '3.10.11'
type: string
PUSH_TAG:
description: 'Push tag after version bump'
required: false
default: false
type: boolean
RELEASE_BUILD:
description: 'Is release build?'
required: false
default: false
type: boolean
GIT_USER:
description: 'Git user name for commit and tag'
required: true
type: string
GIT_EMAIL:
description: 'Git user email for commit and tag'
required: true
type: string
PROJECT_NAME:
description: 'Project name for tests'
description: 'Project name'
required: true
type: string
SOURCE_PATH:
description: 'Path to the source code directory'
required: false
default: 'src'
type: string
RUNS_ON:
description: 'Runner type for the job'
required: false
default: 'ubuntu-latest'
type: string
JOB_NAME:
description: 'Name of the job'
required: false
default: 'build_whl'
type: string

jobs:
build_whl:
permissions:
contents: write
id-token: write
environment:
name: "pypi"
url: https://pypi.org/p/${{ inputs.PROJECT_NAME }}
name: ${{ inputs.JOB_NAME }}
runs-on: ${{ inputs.RUNS_ON }}
steps:
- uses: actions/checkout@v4
with:
fetch-tags: true
fetch-depth: 0
path: ${{ inputs.SOURCE_PATH }}
ref: ${{ inputs.BRANCH_NAME }}
repository: ${{ inputs.REPOSITORY_NAME }}

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.PYTHON_VERSION }}
cache: 'pip'

- name: Version bumping
id: VERSION_BUMP
if: inputs.RELEASE_BUILD == true
env:
GIT_AUTHOR_NAME: ${{ inputs.GIT_USER }}
GIT_AUTHOR_EMAIL: ${{ inputs.GIT_EMAIL }}
GIT_COMMITTER_NAME: ${{ inputs.GIT_USER }}
GIT_COMMITTER_EMAIL: ${{ inputs.GIT_EMAIL }}
shell: bash
run: |
python -m pip install --upgrade pip
python -m venv bump_version
source bump_version/bin/activate
pip install python-semantic-release~=10.2
pip install -r ${{ inputs.SOURCE_PATH }}/requirements-dev.txt
pip install ./${{ inputs.SOURCE_PATH }}
mfd-create-config-files --project-dir ./${{ inputs.SOURCE_PATH }}
cd ${{ inputs.SOURCE_PATH }}
version_after_bump=$(semantic-release version --print | tail -n 1 | tr -d '\n')
version_from_tag=$(git describe --tags --abbrev=0 | tr -d '\n' | sed 's/^v//')
echo "Version after semantic-release bump is: ${version_after_bump}"
echo "Version from tag: ${version_from_tag}"
# Only check version equality if RELEASE_BUILD is true
if [ "${{ inputs.RELEASE_BUILD }}" == "true" ]; then
if [ "$version_after_bump" == "$version_from_tag" ]; then
echo "Version would not change: version_after_bump=${version_after_bump}, version_from_tag=${version_from_tag}"
exit 1
fi
fi
semantic-release version --no-push --no-vcs-release
cat pyproject.toml
echo "version_after_bump=v${version_after_bump}" >> $GITHUB_OUTPUT
- name: Create virtual environment for whl creation
shell: bash
- name: Show python version
run: python --version

- name: Run mfd-create-config-files
run: |
python -m venv whl_creation
source whl_creation/bin/activate
pip install build==1.2.2.post1
cd ${{ inputs.SOURCE_PATH }}
../whl_creation/bin/python -m build --wheel --outdir ../whl_creation/dist
ls -l ../whl_creation/dist
pip install -r requirements-dev.txt
pip install .
mfd-create-config-files --project-dir .
- name: Determine if unit and functional tests should run
id: test_check
shell: bash
- name: Check if bump version is expected
run: |
REPO_NAME=$(echo "${{ inputs.PROJECT_NAME }}")
echo "Repository name extracted: $REPO_NAME"
if [ "${{ inputs.RELEASE_BUILD }}" = "false" ]; then
COMMIT_MSG=$(git log -1 --pretty=%B)
UNIT_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/unit/test_$(echo "${REPO_NAME}" | tr '-' '_')"
FUNC_TEST_DIR="${{ inputs.SOURCE_PATH }}/tests/system/test_$(echo "${REPO_NAME}" | tr '-' '_')"
if [ -d "$UNIT_TEST_DIR" ]; then
echo "Unit tests directory exists: $UNIT_TEST_DIR"
echo "run_unit_tests=true" >> $GITHUB_OUTPUT
else
echo "Unit tests directory does not exist: $UNIT_TEST_DIR"
echo "run_unit_tests=false" >> $GITHUB_OUTPUT
fi
if [ -d "$FUNC_TEST_DIR" ]; then
echo "Functional tests directory exists: $FUNC_TEST_DIR"
echo "run_functional_tests=true" >> $GITHUB_OUTPUT
if echo "$COMMIT_MSG" | grep -Ei '^(docs|build|test|ci|refactor|perf|chore|revert):\s'; then
echo "CREATE_WHL=false" >> $GITHUB_ENV
echo "No version bump needed for commit message: $COMMIT_MSG, ending job"
else
echo "CREATE_WHL=true" >> $GITHUB_ENV
echo "Version bump needed for commit message: $COMMIT_MSG, continuing job"
fi
else
echo "Functional tests directory does not exist: $FUNC_TEST_DIR"
echo "run_functional_tests=false" >> $GITHUB_OUTPUT
echo "Skipping potential bump version check for release build"
echo "CREATE_WHL=true" >> $GITHUB_ENV
fi
- name: Install dependencies for tests
if: steps.test_check.outputs.run_unit_tests == 'true' || steps.test_check.outputs.run_functional_tests == 'true'
shell: bash
run: |
python -m venv test_env
source test_env/bin/activate
python -m pip install -r "${{ inputs.SOURCE_PATH }}/requirements.txt" -r "${{ inputs.SOURCE_PATH }}/requirements-test.txt" -r "${{ inputs.SOURCE_PATH }}/requirements-dev.txt"
python -m pip install ./${{ inputs.SOURCE_PATH }}
- name: Run python-semantic-release without version bump - force patch bump
if: env.CREATE_WHL == 'false'
uses: python-semantic-release/[email protected]
with:
build: true
vcs_release: false
push: false
strict: true
force: patch

- name: Run unit tests if test directory exists
if: steps.test_check.outputs.run_unit_tests == 'true'
shell: bash
run: |
source test_env/bin/activate
mfd-unit-tests --project-dir ${{ github.workspace }}/${{ inputs.SOURCE_PATH }}
- name: Run python-semantic-release
if: env.CREATE_WHL == 'true'
uses: python-semantic-release/[email protected]
with:
build: true
vcs_release: false
push: false
strict: true

- name: Run functional tests if test directory exists
if: steps.test_check.outputs.run_functional_tests == 'true'
- name: Check if .whl is installable
shell: bash
run: |
source test_env/bin/activate
mfd-system-tests --project-dir ${{ github.workspace }}/${{ inputs.SOURCE_PATH }}
python -m pip install dist/*.whl
- name: Publish package distributions to PyPI
if: ${{ inputs.RELEASE_BUILD == true && inputs.UPLOAD_PACKAGE == true }}
if: ${{ inputs.RELEASE_BUILD == true && inputs.RELEASE_STEPS == true }}
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: 'whl_creation/dist'
packages-dir: 'dist'
password: ${{ secrets.PYPI_TOKEN }}

- name: Publish comment how to build .whl
if: inputs.RELEASE_BUILD == false
if: inputs.RELEASE_BUILD == false && (github.event.pull_request != null && github.event.pull_request.head.repo.full_name == github.repository) # skip for forks
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GH_TOKEN }}
script: |
const prNumber = context.payload.pull_request.number;
const commentBody = "We don't publish DEVs .whl.\n To build .whl, run 'pip install git+https://github.com/${{ inputs.REPOSITORY_NAME }}@${{ inputs.BRANCH_NAME }}'";
await github.rest.issues.createComment({
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body: commentBody
});
- name: Push git tag after version bump
if: ${{ inputs.RELEASE_BUILD == true && inputs.PUSH_TAG == true }}
shell: bash
env:
GIT_AUTHOR_NAME: ${{ inputs.GIT_USER }}
GIT_AUTHOR_EMAIL: ${{ inputs.GIT_EMAIL }}
GIT_COMMITTER_NAME: ${{ inputs.GIT_USER }}
GIT_COMMITTER_EMAIL: ${{ inputs.GIT_EMAIL }}
version_after_bump: ${{ steps.VERSION_BUMP.outputs.version_after_bump }}
run: |
cd ${{ inputs.SOURCE_PATH }}
git push origin "${version_after_bump}"
const alreadyCommented = comments.some(comment => comment.body === commentBody);
if (!alreadyCommented) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body: commentBody
});
}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 8 days ago

To resolve this issue, the workflow should explicitly specify the permissions block at the top level, or on relevant jobs, to restrict the default permissions of the GITHUB_TOKEN. For this particular workflow, we should set least-privilege permissions globally, and augment permissions for jobs/steps that require additional scopes.

Since the single job (build_whl) both checks out code (needs contents: read) and publishes pull request comments (needs pull-requests: write for actions/github-script), the safest fix is to put the following at the workflow root (before jobs:):

permissions:
  contents: read
  pull-requests: write

This solution provides only the privileges necessary and not more. The change should be made near the top, after name: and before on: or after on: (GitHub Actions supports both locations).

Summary of required changes:

  • Add a permissions block to .github/workflows/build_upload_whl.yml immediately after the workflow name and triggers (recommended after on:).
  • The block should grant contents: read and pull-requests: write (since the workflow publishes PR comments).
Suggested changeset 1
.github/workflows/build_upload_whl.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build_upload_whl.yml b/.github/workflows/build_upload_whl.yml
--- a/.github/workflows/build_upload_whl.yml
+++ b/.github/workflows/build_upload_whl.yml
@@ -47,6 +47,10 @@
         default: 'build_whl'
         type: string
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   build_whl:
     name: ${{ inputs.JOB_NAME }}
EOF
@@ -47,6 +47,10 @@
default: 'build_whl'
type: string

permissions:
contents: read
pull-requests: write

jobs:
build_whl:
name: ${{ inputs.JOB_NAME }}
Copilot is powered by AI and may make mistakes. Always verify output.
30 changes: 30 additions & 0 deletions .github/workflows/check_code_standard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Check Code Standard

on:
pull_request:
types: [opened, synchronize]

env:
SOURCE_PATH: 'src'
VIRTUALENV_PATH: 'virtualenv'

jobs:
run_check_standard:
strategy:
fail-fast: false
matrix:
python_version: ['3.10', '3.13']
runs-on: ubuntu-latest
steps:
- name: Checkout this repository
uses: actions/checkout@v4
with:
path: current_repo
- uses: ./current_repo/.github/prepare_test_env
with:
PYTHON_VERSION: ${{ matrix.python_version }}
- name: Run mfd-code-standard
shell: bash
run: |
source ${{ github.workspace }}/${{ env.VIRTUALENV_PATH }}/*/activate
mfd-code-standard --project-dir ${{ github.workspace }}/${{ env.SOURCE_PATH }}
Comment on lines +13 to +30

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 8 days ago

To fix this issue, you should explicitly declare a permissions block in the workflow YAML file to restrict the permissions granted to the GITHUB_TOKEN. Since the workflow steps shown only perform code checkout and code standard checking (no write actions such as deployments, issue or PR creation), the minimal required permission is likely contents: read. Add the following to the root of the workflow (after the name: and before the on: block for maximum clarity and coverage, meaning all jobs inherit these permissions unless otherwise overridden). No additional imports, methods, or formatting changes are required elsewhere; simply add the explicit permissions block.

Suggested changeset 1
.github/workflows/check_code_standard.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_code_standard.yml b/.github/workflows/check_code_standard.yml
--- a/.github/workflows/check_code_standard.yml
+++ b/.github/workflows/check_code_standard.yml
@@ -1,4 +1,6 @@
 name: Check Code Standard
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -1,4 +1,6 @@
name: Check Code Standard
permissions:
contents: read

on:
pull_request:
Copilot is powered by AI and may make mistakes. Always verify output.
12 changes: 12 additions & 0 deletions .github/workflows/check_pr_format.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
name: Title + Commit Validation

on:
pull_request:
types: [opened, synchronize]

jobs:
validate_pr_format:
uses: intel/mfd/.github/workflows/check_pr_format.yml@main
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
BRANCH_NAME: ${{ github.head_ref }}
Comment on lines +9 to +12

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 8 days ago

To fix the problem, set a permissions block at either the workflow root or at the validate_pr_format job level. Since the only job in this workflow is a reusable workflow invocation, the best fix is to add a permissions key at the job level specifying minimal necessary permissions. If the reusable workflow only needs to read PR and branch information and does not use write operations, then contents: read is sufficient; if it requires writing to pull requests (e.g., posting comments/updates) then additionally specify pull-requests: write. The change should be applied within the validate_pr_format job in .github/workflows/check_pr_format.yml, right before or after the uses: line.

Suggested changeset 1
.github/workflows/check_pr_format.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check_pr_format.yml b/.github/workflows/check_pr_format.yml
--- a/.github/workflows/check_pr_format.yml
+++ b/.github/workflows/check_pr_format.yml
@@ -6,6 +6,9 @@
 
 jobs:
   validate_pr_format:
+    permissions:
+      contents: read
+      pull-requests: write
     uses: intel/mfd/.github/workflows/check_pr_format.yml@main
     with:
       REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
EOF
@@ -6,6 +6,9 @@

jobs:
validate_pr_format:
permissions:
contents: read
pull-requests: write
uses: intel/mfd/.github/workflows/check_pr_format.yml@main
with:
REPOSITORY_NAME: ${{ github.event.pull_request.head.repo.full_name }}
Copilot is powered by AI and may make mistakes. Always verify output.
Loading