checks: Update pre-commit config and tools versions #11121
Workflow file for this run
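---
# Python code-quality workflow: runs Ruff, Flake8, Bandit and Pylint on the
# repository, builds the project so Pylint can resolve the installed package,
# and compiles the example modules.
name: Python Code Quality

on:
  push:
    branches:
      - main
      - releasebranch_*
  pull_request:

# Start from an empty GITHUB_TOKEN permission set; each job opts in to
# exactly what it needs.
permissions: {}

jobs:
  python-checks:
    name: Python Code Quality Checks

    # One run per workflow/job and PR branch (or commit SHA for pushes);
    # a newer run cancels the one still in progress.
    concurrency:
      group: ${{ github.workflow }}-${{ github.job }}-${{
        github.event_name == 'pull_request' &&
        github.head_ref || github.sha }}
      cancel-in-progress: true

    strategy:
      matrix:
        include:
          - os: ubuntu-24.04

    # Tool versions are pinned here and bumped through the `renovate:`
    # annotations; keep each annotation directly above the value it tracks.
    env:
      # renovate: datasource=python-version depName=python
      PYTHON_VERSION: "3.14"
      MIN_PYTHON_VERSION: "3.10"
      # renovate: datasource=pypi depName=flake8
      FLAKE8_VERSION: "7.3.0"
      # renovate: datasource=pypi depName=pylint
      PYLINT_VERSION: "4.0.1"
      # renovate: datasource=pypi depName=bandit
      BANDIT_VERSION: "1.8.6"
      # renovate: datasource=pypi depName=ruff
      RUFF_VERSION: "0.14.1"

    runs-on: ${{ matrix.os }}
    permissions:
      # Required by the upload-sarif step that publishes the Bandit results.
      security-events: write

    steps:
      - name: Versions
        # Context values reach the script through `env`, not through `${{ }}`
        # expansion inside the script text.
        run: |
          echo "OS: ${MATRIX_OS}"
          echo "Python: ${PYTHON_VERSION}"
          echo "Minimal Python version: ${MIN_PYTHON_VERSION}"
          echo "Flake8: ${FLAKE8_VERSION}"
          echo "Pylint: ${PYLINT_VERSION}"
          echo "Bandit: ${BANDIT_VERSION}"
          echo "Ruff: ${RUFF_VERSION}"
        env:
          MATRIX_OS: ${{ matrix.os }}
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the release each SHA corresponds to.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Do not keep the token in the local git config for later steps.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: pip # zizmor: ignore[cache-poisoning] Not creating release artifacts, less of a concern here
      - name: Upgrade pip
        run: python -m pip install --break-system-packages --upgrade pip
      - name: Install Ruff
        run: pip install --break-system-packages "ruff==${RUFF_VERSION}"
      - name: Run Ruff (output annotations on fixable errors)
        run: ruff check --output-format=github . --preview --unsafe-fixes
        continue-on-error: true
      - name: Run Ruff (apply fixes for suggestions)
        run: ruff check . --preview --fix --unsafe-fixes
      - name: Run `ruff format` showing diff without failing
        continue-on-error: true
        if: ${{ !cancelled() }}
        run: ruff format --diff
      - name: Run `ruff format` fixing files
        # Run `ruff format` even when `ruff check` fixed files: fixes can require formatting
        if: ${{ !cancelled() }}
        run: ruff format
      - name: Create and uploads code suggestions to apply for Ruff
        # Will fail fast here if there are changes required
        id: diff-ruff
        # To run after ruff step exits with failure when rules don't have fixes available
        if: ${{ !cancelled() }}
        uses: ./.github/actions/create-upload-suggestions
        with:
          tool-name: ruff
          # To keep repo's file structure in formatted changes artifact
          extra-upload-changes: pyproject.toml
      - name: Install non-Python dependencies
        # Adds a third-party PPA (unstable channel); packages from it are
        # installed as root on the runner. The package list comes from
        # apt.txt with comment and blank lines filtered out.
        run: |
          sudo apt-get update -y
          sudo apt-get install -y wget git gawk findutils
          LC_ALL=C.UTF-8 sudo add-apt-repository -y ppa:ubuntugis/ubuntugis-unstable
          sudo apt-get update -y
          xargs -a <(awk '! /^ *(#|$)/' ".github/workflows/apt.txt") -r -- \
            sudo apt-get install -y --no-install-recommends --no-install-suggests
      - name: Install Python dependencies
        # Linters are installed with pipx at the versions pinned in `env`;
        # the requirements files are installed as they are written.
        run: |
          pip install --break-system-packages -r .github/workflows/python_requirements.txt
          pip install --break-system-packages -r .github/workflows/optional_requirements.txt
          pip install --break-system-packages --user pipx
          pipx ensurepath
          pipx install "flake8==${FLAKE8_VERSION}"
          pipx install "pylint==${PYLINT_VERSION}"
          pipx inject pylint -r .github/workflows/python_requirements.txt -r .github/workflows/optional_requirements.txt
          # The extra toml is only needed before Python 3.11
          pipx install "bandit[sarif,toml]==${BANDIT_VERSION}"
      - name: Run Flake8
        run: |
          flake8 --count --statistics --show-source --jobs="$(nproc)" .
      - name: Run Flake8 on additional files
        run: |
          flake8 --count --statistics --show-source --jobs="$(nproc)" python/grass/{script,jupyter}/testsuite/
      - name: Bandit Vulnerability Scan
        # `-iii` reports only high-confidence findings, and `--exit-zero`
        # keeps this step green whatever is found: results are visible only
        # through the artifact and SARIF uploads below, never as a failed job.
        run: |
          bandit -c pyproject.toml -iii -r . -f sarif -o bandit.sarif --exit-zero
      - name: Upload Bandit Scan Results
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: bandit.sarif
          path: bandit.sarif
      - name: Upload SARIF File into Security Tab
        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
        with:
          sarif_file: bandit.sarif
      - name: Create installation directory
        run: |
          mkdir "${HOME}/install"
      - name: Set number of cores for compilation
        run: |
          echo "MAKEFLAGS=-j$(nproc)" >> "${GITHUB_ENV}"
      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
      - name: Build
        # The build script is selected by the matrix OS name, passed via env.
        run: |
          ".github/workflows/build_${MATRIX_OS}.sh" "${HOME}/install"
        env:
          MATRIX_OS: ${{ matrix.os }}
      - name: Add the bin directory to PATH
        run: |
          echo "${HOME}/install/bin" >> "${GITHUB_PATH}"
      - name: Run Pylint on grass package
        # Until slower checks (like similarity) are reenabled, running in one step is faster
        # The minimum Python version is read from the job environment as a
        # quoted shell variable, as in the other Pylint steps, instead of
        # being expanded into the script text with `${{ }}`.
        if: false
        run: |
          PYTHONPATH="$(grass --config python_path):$PYTHONPATH"
          LD_LIBRARY_PATH="$(grass --config path)/lib:$LD_LIBRARY_PATH"
          export PYTHONPATH
          export LD_LIBRARY_PATH
          pylint --persistent=no --py-version="${MIN_PYTHON_VERSION}" --jobs="$(nproc)" grass
      - name: Run Pylint on other files using pytest
        # Until slower checks (like similarity) are reenabled, running in one step is faster
        # The ignore pattern is read from the step environment as a shell
        # variable instead of being expanded into the script text.
        if: false
        run: |
          pipx inject --include-apps pylint pytest
          pipx inject pylint pytest-pylint pytest-github-actions-annotate-failures pytest-timeout
          PYTHONPATH="$(grass --config python_path):$PYTHONPATH"
          LD_LIBRARY_PATH="$(grass --config path)/lib:$LD_LIBRARY_PATH"
          export PYTHONPATH
          export LD_LIBRARY_PATH
          pytest --pylint -m pylint --pylint-jobs="$(nproc)" \
            --pylint-ignore-patterns="${PylintIgnore}"
        env:
          PylintIgnore: "python/.*,gui/.*"
      - name: Run Pylint on wxGUI
        # Until slower checks (like similarity) are reenabled, running in one step is faster
        if: false
        run: |
          PYTHONPATH="$(grass --config python_path):$PYTHONPATH"
          LD_LIBRARY_PATH="$(grass --config path)/lib:$LD_LIBRARY_PATH"
          export PYTHONPATH
          export LD_LIBRARY_PATH
          pylint --persistent=no --py-version="${MIN_PYTHON_VERSION}" --jobs="$(nproc)" gui
      - name: Run Pylint all in one pass
        # Pylint runs against the built installation: the Python and library
        # paths are taken from `grass --config`.
        run: |
          PYTHONPATH="$(grass --config python_path):$PYTHONPATH"
          LD_LIBRARY_PATH="$(grass --config path)/lib:$LD_LIBRARY_PATH"
          export PYTHONPATH
          export LD_LIBRARY_PATH
          pylint --persistent=no --py-version="${MIN_PYTHON_VERSION}" --jobs="$(nproc)" .
      - name: Test compiling example modules
        run: |
          ( cd doc/examples/raster/r.example/ && make )
          ( cd doc/examples/vector/v.example/ && make )

  python-success:
    name: Python Code Quality Result
    needs:
      - python-checks
    # Runs even when python-checks failed or was cancelled, and hands the
    # `needs` context to the reusable workflow for evaluation.
    if: ${{ always() }}
    uses: ./.github/workflows/verify-success.yml
    with:
      needs_context: ${{ toJson(needs) }}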