Skip to content

CI: Add macOS and Windows to test matrix #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
jmrplens wants to merge 5 commits into from
Closed

CI: Add macOS and Windows to test matrix #39

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6048ef9
ci: add macos and windows to test matrix
jmrplens Jan 12, 2026
e2d0a27
ci: add post-release installation verification
jmrplens Jan 12, 2026
cbb5620
ci: add manual workflow to verify pypi installation
jmrplens Jan 12, 2026
9cf1968
revert: remove installation verification from release workflow
jmrplens Jan 12, 2026
dc5a92f
ci: reduce python test matrix to 3.13 only
jmrplens Jan 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions .github/workflows/manual_verify_install.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: Manual Verify Installation

on:
workflow_dispatch:
inputs:
version:
description: 'Specific version to install (optional, defaults to latest)'
required: false
default: ''

jobs:
verify-pypi-install:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
python-version: ["3.13"]
steps:
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}

- name: Install PyOctaveBand
run: |
python -m pip install --upgrade pip
if [ -z "${{ inputs.version }}" ]; then
pip install pyoctaveband
else
pip install pyoctaveband==${{ inputs.version }}
fi
shell: bash

- name: Verify Import
run: python -c "import pyoctaveband; print('Successfully imported pyoctaveband version:', pyoctaveband.__version__)"
Comment on lines +13 to +35

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 2 months ago

In general, fix this by explicitly specifying a permissions block, either at the workflow root (applies to all jobs) or at the individual job level, granting only what is necessary. For this workflow, the job only installs and imports a Python package and does not require write access to repository contents, issues, or pull requests, so contents: read is a safe minimal scope. If even repository contents are not needed, this is still the standard minimum GitHub recommends for most workflows.

The single best fix with minimal behavior change is to add a workflow-level permissions block after the name: declaration and before on: in .github/workflows/manual_verify_install.yml, setting contents: read. This will apply to the verify-pypi-install job without altering any steps or behavior; it only restricts the default GITHUB_TOKEN scope. No new imports, actions, or steps are required.

Concretely:

  • Edit .github/workflows/manual_verify_install.yml.

  • Insert:

    permissions:
  contents: read

    after line 1 (name: Manual Verify Installation) and before the on: block.

  • No other files or lines need to change.

Suggested changeset 1
.github/workflows/manual_verify_install.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/manual_verify_install.yml b/.github/workflows/manual_verify_install.yml
--- a/.github/workflows/manual_verify_install.yml
+++ b/.github/workflows/manual_verify_install.yml
@@ -1,5 +1,8 @@
 name: Manual Verify Installation
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
EOF
@@ -1,5 +1,8 @@
name: Manual Verify Installation

permissions:
contents: read

on:
workflow_dispatch:
inputs:
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
16 changes: 9 additions & 7 deletions .github/workflows/python-app.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,12 +36,14 @@ jobs:
run: bandit -r src

tests:
runs-on: ubuntu-latest
runs-on: ${{ matrix.os }}
permissions:
contents: read
strategy:
fail-fast: false
matrix:
python-version: ["3.11", "3.12", "3.13"]
os: [ubuntu-latest, macos-latest, windows-latest]
python-version: ["3.13"]
steps:
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
Expand All @@ -54,18 +56,18 @@ jobs:
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install -r requirements-dev.txt
Comment on lines 56 to 58
Copy link

@sourcery-ai sourcery-ai bot Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (bug_risk): Use python -m pip consistently instead of bare pip for better cross-platform reliability, especially now that Windows is in the matrix.

On Windows runners, pip may not point to the same interpreter configured by setup-python, depending on PATH and installation details. Using python -m pip install ... in these steps will ensure the packages are installed with the intended Python across all OSes in the matrix.

Suggested implementation:

        python -m pip install -r requirements.txt


        python -m pip install -r requirements-dev.txt


        python -m pip install .

pip install -e .
pip install .
- name: Run tests
env:
NUMBA_DISABLE_JIT: 1
run: |
pytest --junitxml=test-results-${{ matrix.python-version }}.xml --cov=src --cov-report=xml
pytest --junitxml=test-results-${{ matrix.os }}-${{ matrix.python-version }}.xml --cov=src --cov-report=xml
- name: Upload Test Results
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.python-version }}
name: test-results-${{ matrix.os }}-${{ matrix.python-version }}
path: |
test-results-${{ matrix.python-version }}.xml
test-results-${{ matrix.os }}-${{ matrix.python-version }}.xml
coverage.xml
if: always()
Comment on lines 65 to 72
Copy link

@sourcery-ai sourcery-ai bot Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (testing): Consider aligning coverage artifact usage with the Sonar coverage job to avoid producing unused coverage artifacts for non-ubuntu runners.

With the new matrix, every (os, python-version) now uploads JUnit + coverage.xml, but the coverage job still only downloads test-results-ubuntu-latest-3.13. So coverage from other environments is never used. Either stop uploading coverage.xml for non-ubuntu-latest/3.13 runs, or update the coverage job to intentionally aggregate coverage from multiple artifacts.

Suggested change
- name: Upload Test Results
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.python-version }}
name: test-results-${{ matrix.os }}-${{ matrix.python-version }}
path: |
test-results-${{ matrix.python-version }}.xml
test-results-${{ matrix.os }}-${{ matrix.python-version }}.xml
coverage.xml
if: always()
- name: Upload Test Results
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.os }}-${{ matrix.python-version }}
path: |
test-results-${{ matrix.os }}-${{ matrix.python-version }}.xml
if: always()
- name: Upload Coverage Report (ubuntu-latest, Python 3.13 only)
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.os }}-${{ matrix.python-version }}
path: |
coverage.xml
if: always() && matrix.os == 'ubuntu-latest' && matrix.python-version == '3.13'


Expand All @@ -80,7 +82,7 @@ jobs:
- name: Download coverage report
uses: actions/download-artifact@v4
with:
name: test-results-3.13
name: test-results-ubuntu-latest-3.13
- name: SonarCloud Scan
uses: SonarSource/sonarqube-scan-action@master
env:
Expand Down