Fix CI

Author: rsyring

.github/workflows/nox.yaml

@@ -8,54 +8,77 @@ on:
   workflow_dispatch:
 
 
+# Limit this workflow to a single run at a time per-branch to avoid wasting worker resources
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 
+env:
+  # hardlinks don't work in containers and just spam the logs with warning messages
+  # UV_LINK_MODE: copy
+  UV_DISABLE_UPDATE: '1'
+
+
+
 jobs:
-  nox:
+  # JOB: NOX-OTHER
+  # nox-other:
+  #   runs-on: ubuntu-latest
+
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       session: [precommit, audit]
+
+  #   steps:
+  #     - uses: level12/coppy/gh-actions/nox-run@main
+  #       with:
+  #         nox-session: ${{ matrix.session }}
+
+  # JOB: NOX-PYTEST
+  nox-pytest:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4
+        with:
+          # Copier errors out with a shallow git checkout, which is the action's default.
+          fetch-depth: 0
+
+      - name: Mark repo as safe for Git
+        shell: bash
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      # NOTE: use GH's action to install Python b/c uv docs say it will be faster due to caching
+      - name: "Set up Python"
+        uses: actions/setup-python@v5
+        with:
+          python-version-file: pyproject.toml
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+
+      # - uses: level12/coppy/gh-actions/uv-prep@main
+
+      - name: Add runner user to test user group
+        run: |
+          # The script returns early after adding this user to the new user's group.
+          # This is due to the need to "logout" before the user pick's up the group's identity.
+
+          # Also, the creation of the user with Ubuntu's `useradd` command hangs for 20-30s but
+          # only in CI.  Go figure.
+          uv run --no-dev tasks/test-user-prep.py
+
+      - name: Finish prepping test user
+        run: |
+          uv run --no-dev  tasks/test-user-prep.py --systemd-skip
 
-      - name: Add ~/bin to PATH
-        run: echo "PATH=/home/runner/bin:$PATH" >> $GITHUB_ENV
+          sudo setfacl --recursive -m g:coppy-tests:rwX /home/coppy-tests/
+          sudo setfacl --recursive -d -m g:coppy-tests:rwX /home/coppy-tests/
+          sudo -u coppy-tests mkdir /home/coppy-tests/.cache/uv
 
-      - name: Prep
+      - name: Run pytest
         run: |
-          # Mise
-          mkdir ~/bin
-          curl -LsS https://mise.jdx.dev/mise-latest-linux-x64 > ~/bin/mise
-          chmod +x ~/bin/mise
-
-          # build the image used to test
-          mise docker-build
-
-          # uv
-          mise use -g ubi:astral-sh/uv
-          mkdir -p /home/runner/.local/share/uv/python/
-
-          # Prep mise
-          mise trust
-          mise install
-
-      # Uncomment to help troubleshooting
-      # - name: Debug info
-      #   run: |
-      #     # Python versions
-      #     echo "Python versions:"
-      #     mise exec -- python --version
-      #     mise exec -- uv run python --version
-
-      #     # Path
-      #     echo "Path:"
-      #     echo $PATH
-
-      #     mise demo --no-bootstrap --no-nox
-      #     mise sandbox --doctor
-
-      - name: nox
-        run: mise exec -- uv run --frozen --only-group nox nox
+          uv run --frozen --only-group nox -- nox -s pytest -- -x

.github/workflows/useradd.yaml

@@ -0,0 +1,23 @@
+name: Useradd
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+
+# Limit this workflow to a single run at a time per-branch to avoid wasting worker resources
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Add Ubuntu User
+        run: |
+          sudo useradd --system --create-home --shell=/bin/bash coppy-tests

noxfile.py

@@ -7,34 +7,59 @@
 nox.options.default_venv_backend = 'uv'
 
 
-def uv_sync(session, group: str, project: bool = False):
-    # NOTE: not sure why, but sys.path doesn't get correctly configured to include the coppy pkg's
-    # `src` directory when using '--only-group'.  But, in a templated generated app, like the
-    # coppy demo, '--only-group' works just fine.  I spent some time trying to debug but am punting
-    # for now since the problem/solution seem convoluted to me.
-    groups_args = ('--no-default-groups', '--group') if project else ('--only-group',)
-    session.run('uv', 'sync', '--active', '--frozen', *groups_args, group)
-
-
 @nox.session
-def tests(session: nox.Session):
-    uv_sync(session, 'tests', project=True)
+def pytest(session: nox.Session):
+    uv_sync(session)
+    # TODO: no coverage because the far majority of the code in this project is just for testing.
+    # But it wouldn't hurt to add it.
     session.run(
         'pytest',
         '-ra',
         '--tb=native',
         '--strict-markers',
-        f'--junit-xml={package_path}/ci/test-reports/{session.name}.pytests.xml',
         'tests',
         *session.posargs,
     )
 
 
 @nox.session
-def standards(session: nox.Session):
+def precommit(session: nox.Session):
     uv_sync(session, 'pre-commit')
     session.run(
         'pre-commit',
         'run',
         '--all-files',
     )
+
+
+@nox.session
+def audit(session: nox.Session):
+    # Much faster to install the deps first and have pip-audit run against the venv
+    uv_sync(session)
+    session.run(
+        'pip-audit',
+        '--desc',
+        '--skip-editable',
+    )
+
+
+def uv_sync(session: nox.Session, *groups, project=False, extra=None):
+    # If no group given, assume group shares name of session.
+    if not groups:
+        groups = (session.name,)
+
+    # At least pytest needs the project installed.
+    project_args = () if project or session.name.startswith('pytest') else ('--no-install-project',)
+
+    group_args = [arg for group in groups for arg in ('--group', group)]
+    extra_args = ('--extra', extra) if extra else ()
+    run_args = (
+        'uv',
+        'sync',
+        '--active',
+        '--no-default-groups',
+        *project_args,
+        *group_args,
+        *extra_args,
+    )
+    session.run(*run_args)

pyproject.toml

@@ -26,10 +26,9 @@ coppy = 'coppy.cli:cli'
 
 [dependency-groups]
 dev = [
-    {include-group = "tests"},
+    {include-group = "pytest"},
     {include-group = "pre-commit"},
     {include-group = "nox"},
-    "hatch>=1.14.0",
     "ruff>=0.9.6",
     "towncrier>=25.8.0",
 ]
@@ -39,8 +38,13 @@ pre-commit = [
     'pre-commit-uv>=4.1.4',
 ]
 # Used by nox
-tests = [
+pytest = [
     'pytest>=8.3.4',
+    "hatch>=1.14.0",
+]
+# Used by nox
+audit = [
+    'pip-audit',
 ]
 # Used by CI
 nox = [

tasks/test-user-prep.py

@@ -24,43 +24,51 @@
 @click.option('--reinstall', is_flag=True, default=False)
 @logs.opts_init
 def main(systemd_skip: bool, systemd_force: bool, reinstall: bool):
+    log.info('Test user prep starting...')
+
     coppy_user = User(username)
 
     if reinstall and coppy_user.exists():
         result = utils.sudo_run('pkill', '-u', username, returns=(0, 1))
         if result.returncode == 0:
+            log.info('Waiting on all coppy-tests processes to exit')
             # Wait for user's processes to exit or userdel will fail
             utils.sub_run('pidwait', '-u', username)
         utils.sudo_run('userdel', '-r', username)
 
         # Get rid of cache
         coppy_user = User(username)
 
+    log.info('Ensuring user exists...')
     coppy_user.ensure()
     coppy_user_home = coppy_user.home_dir()
 
     if not coppy_user.is_current:
+        log.info('Adjustments to give current user access to coppy-tests home')
         curr_user = User.current()
-        # This would clear them all (i.e. fix a mistake if you have one)
-        utils.sub_run('sudo', 'setfacl', '-R', '-b', coppy_user_home)
-        # utils.sudo_run('setfacl', '-R', '-m', f'u:{curr_user.name}:rwX', coppy_user_home)
-        # utils.sudo_run('setfacl', '-R', '-d', '-m', f'u:{curr_user.name}:rwX', coppy_user_home)
+
         if coppy_user.name not in curr_user.groups():
             log.info(f'Adding your user to the user group: {coppy_user.name}')
             utils.sudo_run('usermod', '-aG', coppy_user.name, curr_user.name)
             log.warning(
                 f'Please logout and then back in to enable access to the {coppy_user.name} group.',
             )
+            return
         else:
             log.info(f'Your user is already in the group: {coppy_user.name}')
 
         # Sticky group so files created by the dev's user can be accessed by coppy-tests user.
         utils.sudo_run('chmod', 'g+ws', coppy_user_home)
 
-        # Needed for systemd files
         config_dpath = coppy_user_home / '.config/'
         config_dpath.mkdir(exist_ok=True)
+        utils.sudo_run('chmod', '-R', 'g+ws', config_dpath)
+
+        cache_dpath = coppy_user_home / '.cache/'
+        cache_dpath.mkdir(exist_ok=True)
+        utils.sudo_run('chmod', '-R', 'g+ws', cache_dpath)
 
+    log.info('Updating sudoers for passwordless access to coppy test user')
     sudoers_write('coppy', sudoers.format(coppy_user=username))
 
     # Mise & uv

template/tasks/mise-uv-init.py

@@ -73,9 +73,13 @@ def slugify(text):
 
 
 def print_log(*args, **kwargs):
-    # TODO: would it be more helpful to print errors on stderr like mise/uv do?
     with paths.log().open('a') as fo:
-        print(*args, file=fo)
+        print(*args, file=fo, **kwargs)
+
+
+def print_err(*args, **kwargs):
+    print(*args, file=sys.stderr, **kwargs)
+    print_log(*args, **kwargs)
 
 
 def sub_run(*args, env=None) -> str:
@@ -85,10 +89,10 @@ def sub_run(*args, env=None) -> str:
     try:
         result = subprocess.run(args, check=True, text=True, capture_output=True, env=env)
         if result.stderr:
-            print_log(args, '\n', result.stderr)
+            print_err(args, '\n', result.stderr)
     except subprocess.CalledProcessError as e:
         if e.stderr:
-            print_log(args, '\n', e.stderr)
+            print_err(args, '\n', e.stderr)
         raise
 
     return result.stdout.strip()

tests/coppy_tests/libs/os_prep.py

@@ -95,6 +95,7 @@ def ensure(self):
             if self.name in Group.all_names():
                 group_args = ('-g', self.name)
 
+            log.info(f'Creating user: {self.name}')
             utils.sudo_run(
                 'useradd',
                 '--system',
@@ -221,6 +222,7 @@ def install(self):
         self.sh_install(
             'https://astral.sh/uv/install.sh',
             self.uv_bin,
+            UV_DISABLE_UPDATE='1',
         )
 
     def systemd(self, force: bool = False):