aspis/.github/workflows/code_checks.yml at main · VectorInstitute/aspis · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
name: code checks
permissions:
  contents: read
  pull-requests: write

on:
  push:
    branches:
      - main
    paths:
      - .pre-commit-config.yaml
      - .github/workflows/code_checks.yml
      - '**.py'
      - uv.lock
      - pyproject.toml
      - '**.ipynb'
  pull_request:
    branches:
      - main
    paths:
      - .pre-commit-config.yaml
      - .github/workflows/code_checks.yml
      - '**.py'
      - uv.lock
      - pyproject.toml
      - '**.ipynb'

jobs:
  run-code-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.3

      - name: Install uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39
        with:
          # Install a specific version of uv.
          version: "0.5.21"
          enable-cache: true

      - name: "Set up Python"
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version-file: ".python-version"

      - name: Install the project
        run: uv sync --all-extras --dev

      - name: Install dependencies and check code
        run: |
          source .venv/bin/activate
          pre-commit run --all-files

      - name: pip-audit (gh-action-pip-audit)
        uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266
        with:
          virtual-environment: .venv/
          # GHSA-7p48-42j8-8846: Vulnerabilities in streamlit that cannot be upgraded because it has an issue with tests:
          # https://github.com/streamlit/streamlit/issues/12566
          # GHSA-5239-wwwm-4pmq: issue with pygments 2.19.12 that can't be upgraded because it breaks the docs build
          ignore-vulns: |
            GHSA-7p48-42j8-8846
            GHSA-5239-wwwm-4pmq