hyperping-python/.github/workflows/ci.yml at main · develeap/hyperping-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# L4: restrict token scope to minimum required
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.11", "3.12", "3.13"]

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install dependencies
        run: uv sync --all-extras

      - name: Lint
        run: uv run ruff check src tests

      - name: Type check
        run: uv run mypy src

      - name: Test
        run: uv run pytest --cov=hyperping --cov-report=term-missing

      - name: Audit runtime dependencies
        # Audit the runtime dependency closure (what users actually install
        # via `pip install hyperping`), not the full venv. The venv contains
        # build/dev tooling such as `pip` itself and pip-audit's own
        # transitives (requests, urllib3) which are not shipped in the
        # wheel; auditing the env conflates "vulnerabilities in our package"
        # with "vulnerabilities in CI tooling" and produces noise for CVEs
        # that don't reach users. Mirrors the pattern in publish.yml (#24).
        run: |
          uv export --no-dev --no-emit-project --no-hashes \
            --format requirements.txt -o /tmp/runtime-requirements.txt
          uv run pip-audit -r /tmp/runtime-requirements.txt