onepassword-sdk-python/.github/workflows/validate.yml at main · 1Password/onepassword-sdk-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
# This workflow builds, tests, and checks linting for the 1Password Python SDK.
name: Validate

on:
  push:
    paths-ignore:
      - '**.md'
  pull_request:
    paths-ignore:
      - '**.md'
  repository_dispatch:
    types: [ ok-to-test-command ]

jobs:

  test-trusted:
    # actions that are trusted by default must only be opened from within the repo, and skipped for forks because they'll fail there
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v3
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
      - name: Integration Test
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TEST_SERVICE_ACCOUNT_TOKEN }}
        run: |
          pip install pytest &&
          pip install pytest-asyncio &&
          pip install pydantic &&
          python -m pytest src/onepassword/test_client.py
      - name: Example Test
        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.9'
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.EXAMPLE_TESTS_OP_SERVICE_ACCOUNT_TOKEN }}
          OP_VAULT_ID: ${{ secrets.EXAMPLE_TESTS_OP_VAULT_ID }}
        run: |
          pip install cryptography &&
          pip install . &&
          python example/example.py
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'

      - name: Lint with Ruff
        run: |
          pip install ruff
          ruff check --output-format=github --exclude=src/onepassword/lib/,example/ .
        continue-on-error: true

  # This action is called by the /ok-to-test command, once the forked PR's code has been security reviewed.
  # It will checkout the forked (and now trusted) code and it will run the integration tests on it.
  # If the tests are successful this action will proceed to update the status of the forked PR integration check.
  integration-test-fork:
    # required permissions for updating the status of the pull request checks
    permissions:
      pull-requests: write
      checks: write
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    if: |
      github.event_name == 'repository_dispatch' &&
      github.event.client_payload.slash_command.args.named.sha != '' &&
      contains(
        github.event.client_payload.pull_request.head.sha,
        github.event.client_payload.slash_command.args.named.sha
      )
    steps:

    # Check out merge commit
    - name: Fork based /ok-to-test checkout
      uses: actions/checkout@v4
      with:
        ref: ${{ github.event.client_payload.pull_request.head.sha }}

    - name: Set up Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.x'

    - name: Integration Test
      env:
        OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TEST_SERVICE_ACCOUNT_TOKEN }}
      run: |
        pip install pytest &&
        pip install pytest-asyncio &&
        pip install pydantic &&
        python -m pytest src/onepassword/test_client.py

    - name: Example Test
      if: matrix.os == 'ubuntu-latest'
      env:
        OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TEST_SERVICE_ACCOUNT_TOKEN }}
        OP_VAULT_ID: ${{ secrets.TEST_SERVICE_ACCOUNT_VAULT_ID }}
      run: |
        pip install . &&
        python example/example.py

    # Update check run called "integration-fork" on the forked PR
    - uses: actions/github-script@v6
      id: update-check-run
      if: ${{ always() }}
      env:
        job: ${{ github.job }}
        ref: ${{ github.event.client_payload.pull_request.head.sha }}
        # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
        conclusion: ${{ job.status }}
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
        script: |
          const { data: checks } = await github.rest.checks.listForRef({
            ...context.repo,
            ref: process.env.ref
          });

          const check = checks.check_runs.filter(c => c.name === process.env.job);

          const { data: result } = await github.rest.checks.update({
            ...context.repo,
            check_run_id: check[0].id,
            status: 'completed',
            conclusion: process.env.conclusion
          });

          return result;