Modernize tooling: Ruff, mypy, pre-commit, and CI hardening (#49) #2
| # This workflow runs linting, type checking, tests, and security scans | |
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| paths-ignore: | |
| - README.md | |
| - "*.md" | |
| pull_request: | |
| branches: [main] | |
| paths-ignore: | |
| - README.md | |
| - "*.md" | |
| # Cancel in-progress runs for the same branch/PR | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| lint: | |
| name: Lint and format check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| persist-credentials: false | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4 | |
| with: | |
| enable-cache: true | |
| cache-dependency-glob: "uv.lock" | |
| - name: Set up Python | |
| run: uv python install 3.13 | |
| - name: Install dependencies | |
| run: uv sync --frozen --group dev | |
| - name: Check formatting | |
| run: uv run ruff format --check biostructbenchmark/ tests/ | |
| - name: Lint | |
| run: uv run ruff check biostructbenchmark/ tests/ | |
| typecheck: | |
| name: Type check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| persist-credentials: false | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4 | |
| with: | |
| enable-cache: true | |
| cache-dependency-glob: "uv.lock" | |
| - name: Set up Python | |
| run: uv python install 3.13 | |
| - name: Install dependencies | |
| run: uv sync --frozen --group dev | |
| - name: Type check | |
| run: uv run mypy biostructbenchmark/ | |
| test: | |
| name: Test with coverage | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| persist-credentials: false | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4 | |
| with: | |
| enable-cache: true | |
| cache-dependency-glob: "uv.lock" | |
| - name: Set up Python | |
| run: uv python install 3.13 | |
| - name: Install dependencies | |
| run: uv sync --frozen --group dev | |
| - name: Run tests with coverage | |
| run: uv run pytest -v --cov=biostructbenchmark --cov-report=term-missing --cov-fail-under=80 | |
| security: | |
| name: Security scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| persist-credentials: false | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4 | |
| with: | |
| enable-cache: true | |
| cache-dependency-glob: "uv.lock" | |
| - name: Set up Python | |
| run: uv python install 3.13 | |
| - name: Install dependencies | |
| run: uv sync --frozen --group dev | |
| - name: Run Bandit | |
| run: uv run bandit -c pyproject.toml -r biostructbenchmark/ | |
| - name: Run pip-audit | |
| # PYSEC-2022-42969: ReDoS in py library's SVN path parsing - dev dependency of interrogate, not exploitable | |
| run: uv run pip-audit --ignore-vuln PYSEC-2022-42969 | |
| zizmor: | |
| name: GitHub Actions security scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| persist-credentials: false | |
| - name: Run zizmor | |
| uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0 |
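Review bot: The `zizmor` job inherits only the workflow-level `permissions: contents: read`, and zizmor-action by default tries to upload its SARIF results to code scanning, which needs `security-events: write`; as written, the scan itself runs but the upload step is likely to fail on a permissions error. Either give that job its own block, `permissions:` / `  contents: read` / `  security-events: write`, or disable the upload with `advanced-security: false` under `with:` if a log-only scan is the intent. On style, the checkout / setup-uv / `uv python install 3.13` / `uv sync --frozen --group dev` sequence is repeated verbatim in the `lint`, `typecheck`, `test` and `security` jobs; a local composite action or a single job with a matrix over the commands would keep the pinned action SHAs in one place so future bumps cannot drift between jobs. The `--ignore-vuln PYSEC-2022-42969` exemption is well commented, but I would add a revisit condition to that comment, e.g. `# remove once interrogate no longer pulls in py`, so the ignore does not outlive its justification.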