build: set concurrency on actions, per zizmor 1.16.0 #5219
# Licensed under the Apache License: http://www.apache.org/licenses/LICENSE-2.0
# For details: https://github.com/nedbat/coveragepy/blob/master/NOTICE.txt
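# Quality checks (lint, type check, doc build, workflow audit), each gated on
# which paths changed.
#
# Security posture visible in this file:
#   - every third-party action is pinned to a full commit SHA, with the
#     matching release tag in a trailing comment;
#   - GITHUB_TOKEN defaults to read-only and is not persisted into the checkout;
#   - the jobs install and run code from the checked-out ref (pip, tox), which
#     for `pull_request` runs is the contributor's branch, so nothing here
#     should be given write scopes or secrets beyond the default token.
name: "Quality"

on:
  push:
    branches:
      - master
      - nedbat/*
  pull_request:
  workflow_dispatch:

defaults:
  run:
    shell: bash

env:
  PIP_DISABLE_PIP_VERSION_CHECK: 1

# Workflow-wide default for GITHUB_TOKEN; jobs that declare their own
# `permissions` block replace this one rather than add to it.
permissions:
  contents: read

# One active run per workflow and ref: a newer run cancels the one in progress.
concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true

jobs:
  # Decide which of the later jobs need to run, based on the changed paths.
  changed:
    name: "Check changed files"
    runs-on: ubuntu-latest
    # This block replaces the workflow-level permissions for this job, so the
    # token here carries only pull-requests: read.
    permissions:
      pull-requests: read  # Needed for this check to run on pull requests
    outputs:
      python: ${{ steps.filter.outputs.python }}
      docs: ${{ steps.filter.outputs.docs }}
      actions: ${{ steps.filter.outputs.actions }}
      workflow: ${{ steps.filter.outputs.workflow }}
    steps:
      - name: "Check out the repo"
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Keep the token out of the checkout's git config so later steps
          # cannot pick it up from the working tree.
          persist-credentials: false

      - name: "Examine changed files"
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: filter
        with:
          # Each filter name becomes a 'true'/'false' output consumed by the
          # `if:` conditions of the jobs below.
          filters: |
            python:
              - "**.py"
            docs:
              - "doc/**"
              - "coverage/**.py"
            actions:
              - ".github/workflows/**"
            workflow:
              - ".github/workflows/quality.yml"
              - "tox.ini"
              - "requirements/*.pip"

  lint:
    name: "Pylint etc"
    # Because pylint can report different things on different OS's (!)
    # (https://github.com/PyCQA/pylint/issues/3489), run this on Mac where local
    # pylint gets run.
    runs-on: macos-latest
    needs: changed
    if: ${{ needs.changed.outputs.python == 'true' || needs.changed.outputs.actions == 'true' || needs.changed.outputs.workflow == 'true' }}
    steps:
      - name: "Check out the repo"
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: "Install Python"
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.10" # Minimum of PYVERSIONS
          cache: pip
          cache-dependency-path: 'requirements/*.pip'

      - name: "Install dependencies"
        run: |
          python -m pip install -r requirements/tox.pip

      - name: "Tox lint"
        run: |
          python -m tox -e lint

  mypy:
    name: "Check types"
    runs-on: ubuntu-latest
    needs: changed
    if: ${{ needs.changed.outputs.python == 'true' || needs.changed.outputs.workflow == 'true' }}
    steps:
      - name: "Check out the repo"
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: "Install Python"
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.10" # Minimum of PYVERSIONS
          cache: pip
          cache-dependency-path: 'requirements/*.pip'

      - name: "Install dependencies"
        run: |
          python -m pip install -r requirements/tox.pip

      - name: "Tox mypy"
        run: |
          python -m tox -e mypy

  doc:
    name: "Build docs"
    runs-on: ubuntu-latest
    needs: changed
    if: ${{ needs.changed.outputs.docs == 'true' || needs.changed.outputs.workflow == 'true' }}
    steps:
      - name: "Check out the repo"
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: "Fetch origin/master"
        # rediraffe needs to compare to origin/master
        run: |
          git fetch origin master --depth=1

      - name: "Install Python"
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.11" # Doc version from PYVERSIONS
          cache: pip
          cache-dependency-path: 'requirements/*.pip'

      - name: "Show environment"
        # `env | sort` writes every environment variable of this step to the
        # job log. No secret is mapped into this step's env; keep it that way,
        # since log masking only covers values registered as secrets.
        run: |
          set -xe
          python -VV
          python -m site
          env | sort

      - name: "Install dependencies"
        run: |
          set -xe
          python -m pip install -r requirements/tox.pip

      - name: "Tox doc"
        run: |
          python -m tox -e doc

  zizmor:
    name: "Zizmor GHA security check"
    runs-on: ubuntu-latest
    # Job-level block, so this is the complete scope of the token handed to
    # zizmor below.
    permissions:
      contents: read
    needs: changed
    if: ${{ needs.changed.outputs.actions == 'true' || needs.changed.outputs.workflow == 'true' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false

      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
        with:
          enable-cache: false

      - name: Run zizmor
        # NOTE(review): the actions above are SHA-pinned, but `uvx zizmor`
        # names no version, so the zizmor release is resolved at run time.
        # A new release can introduce new --pedantic findings and is also the
        # code that runs with GH_TOKEN in its environment. The token is
        # read-only (contents: read), which bounds the exposure; pinning the
        # zizmor version would make the audit reproducible as well.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: uvx zizmor --pedantic .github/workflows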