199 changes: 18 additions & 181 deletions .github/workflows/tox.yml
@@ -1,198 +1,35 @@
name: tox

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#concurrency
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

on:
create: # is used for publishing to PyPI and TestPyPI
tags: # any tag regardless of its name, no branches
- "**"
merge_group:
branches:
- "main"
push: # only publishes pushes to the main branch to TestPyPI
branches: # any integration branch but not tag
push:
branches:
- "main"
pull_request:
branches:
- "main"
schedule:
- cron: "0 0 * * *"
workflow_call:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true

jobs:
pre:
name: pre
runs-on: ubuntu-24.04
outputs:
matrix: ${{ steps.generate_matrix.outputs.matrix }}
steps:
- name: Determine matrix
id: generate_matrix
uses: coactions/dynamic-matrix@v4
with:
min_python: "3.10"
max_python: "3.13"
default_python: "3.11" # used by jobs in other_names
other_names: |
lint
docs
platforms: linux,macos
tox:
name: ${{ matrix.name }} / python ${{ matrix.python_version }}
permissions:
contents: read
id-token: write # codecov actions
checks: read # codecov actions
runs-on: ubuntu-24.04
needs: pre
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.pre.outputs.matrix) }}

steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0 # needed by setuptools-scm

- name: Cache container images
if: ${{ startsWith(matrix.name, 'py') }}
uses: actions/cache@v4
with:
path: |
~/.local/share/containers
key: ${{ runner.os }}-${{ hashFiles('src/ansible_navigator/data/images_dockerfile') }}

- name: Set up Python ${{ matrix.python_version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python_version }}
cache: pip
cache-dependency-path: .config/constraints.txt

- name: Install tox
run: python3 -m pip install --upgrade "tox>=4.0.2"

- name: Log Python info (${{ matrix.python_version }})
run: |
command -v python
python --version --version
python3 -m pip freeze --all
- run: ${{ matrix.command }}

- run: ${{ matrix.command2 }}
if: ${{ matrix.command2 }}

- run: ${{ matrix.command3 }}
if: ${{ matrix.command3 }}

- run: ${{ matrix.command4 }}
if: ${{ matrix.command4 }}

- run: ${{ matrix.command5 }}
if: ${{ matrix.command5 }}

- name: tox -e no-test-deps
if: ${{ startsWith(matrix.name, 'py') }}
continue-on-error: ${{ matrix.devel || false }}
run: python3 -m tox -e no-test-deps

- name: Archive logs and coverage data
if: ${{ !cancelled() }}
uses: coactions/upload-artifact@v4
with:
name: logs-${{ matrix.name }}.zip
include-hidden-files: true
path: |
.tox/**/coverage.xml
- name: Upload test results to Codecov
if: ${{ !cancelled() && hashFiles('junit.xml') != '' }}
uses: codecov/test-results-action@v1
with:
fail_ci_if_error: true
name: ${{ matrix.name }}
# unable to use wildcards yet due to https://github.com/codecov/test-results-action/issues/110
flags: ${{ matrix.python_version }},${{ matrix.os }}
use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}

- name: Change accessibility for cache
if: ${{ startsWith(matrix.name, 'py') }}
run: podman unshare chmod -R 755 ~/.local/share/containers/

- name: Report failure if git reports dirty status
run: |
if [[ -n $(git status -s) ]]; then
# shellcheck disable=SC2016
echo -n '::error file=git-status::'
printf '### Failed as git reported modified and/or untracked files\n```\n%s\n```\n' "$(git status -s)" | tee -a "$GITHUB_STEP_SUMMARY"
exit 99
fi
# https://github.com/actions/toolkit/issues/193

check:
if: always()
permissions:
contents: read
id-token: write
checks: read
needs:
- tox
runs-on: ubuntu-24.04
steps:
# checkout needed for codecov action which needs codecov.yml file
- uses: actions/checkout@v5

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.13"

- run: pip3 install 'coverage>=7.5.1'

- name: Merge logs into a single archive
uses: actions/upload-artifact/merge@v4
with:
name: logs.zip
include-hidden-files: true
pattern: logs-*.zip
separate-directories: true

- name: Download artifacts
uses: actions/download-artifact@v5
with:
name: logs.zip
path: .

- name: Upload coverage data
uses: codecov/[email protected]
with:
name: ${{ matrix.name }}
fail_ci_if_error: true
use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}

- name: Delete Merged Artifacts
uses: actions/upload-artifact/merge@v4
with:
include-hidden-files: true
delete-merged: true

- name: Check for expected number of coverage.xml reports
run: |
JOBS_PRODUCING_COVERAGE=6
if [ "$(find . -name coverage.xml | wc -l | bc)" -ne "${JOBS_PRODUCING_COVERAGE}" ]; then
echo "::warning::Number of coverage.xml files was not the expected one (${JOBS_PRODUCING_COVERAGE}): $(find . -name coverage.xml | xargs echo)"
fi
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1
with:
jobs: ${{ toJSON(needs) }}

- name: Notify repository owners about changes affecting them
uses: sourcegraph/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# https://github.com/sourcegraph/codenotify/issues/19
continue-on-error: true
uses: ansible/team-devtools/.github/workflows/tox.yml@main
secrets: inherit
with:
min_python: "3.10"
default_python: "3.13"
max_python: "3.13"
other_names: |
pkg
lint
docs
py314-devel
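Review bot: The new `tox` job calls `ansible/team-devtools/.github/workflows/tox.yml@main` with `secrets: inherit`, so every repository and organization secret is handed to whatever that mutable branch contains at run time, and any later change to (or compromise of) the upstream workflow gets them without review here. Pin the reusable workflow to a release tag or, better, a full commit SHA, `uses: ansible/team-devtools/.github/workflows/tox.yml@<full-sha>  # vX.Y`, and let Dependabot or Renovate bump it. The calling job also sets no `permissions:`, so the called workflow runs with the repository's default GITHUB_TOKEN scope; the removed jobs needed only `contents: read`, `id-token: write` (Codecov OIDC) and `checks: read`, so grant exactly those on the calling job, e.g. `permissions: {contents: read, id-token: write, checks: read}`, since a called workflow cannot exceed what its caller grants. Whether the upstream workflow still uses OIDC for Codecov is not visible here and should be confirmed before narrowing further. The rendered page loses indentation and old/new sides, so which of the `concurrency` blocks survives on the new side is inferred, not certain.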
Comment on lines +25 to +35

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 2 months ago

To fix the problem, insert a permissions: section at the root of the workflow, immediately after the name: (and before on:), limiting the permissions of the GITHUB_TOKEN to the minimum needed. Since this workflow delegates the actual job to a remote workflow, it is safest to set a minimal default here, such as contents: read. If more specific write privileges are needed, they should be added as required. In this case, adding permissions: contents: read at the start of the workflow should mitigate the risk and adhere to CodeQL's recommendation.

Suggested changeset 1
.github/workflows/tox.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
--- a/.github/workflows/tox.yml
+++ b/.github/workflows/tox.yml
@@ -1,4 +1,6 @@
 name: tox
+permissions:
+  contents: read
 
 on:
   create: # is used for publishing to PyPI and TestPyPI
EOF
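Review bot: A workflow-level `permissions: contents: read` also caps the token the reusable workflow receives, because a called workflow can only be granted what the caller allows; the jobs this PR removed relied on `id-token: write` and `checks: read` for the Codecov OIDC uploads, and if the upstream workflow still does that, this patch would make those steps fail rather than just tighten scope. Apply the restriction on the calling job instead and include the scopes the callee needs, e.g. `permissions: {contents: read, id-token: write, checks: read}` under the `tox` job, or confirm from the upstream workflow that it no longer uses OIDC before adopting the bare `contents: read`. The top-level `concurrency` block shown as removed on the main diff is absent from this autofix context, consistent with it having moved below `on:` on the new side, though that is inferred from the rendered page.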
@@ -1,4 +1,6 @@
name: tox
permissions:
contents: read

on:
create: # is used for publishing to PyPI and TestPyPI