chore: bump github/codeql-action from b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 to 95e58e9a2cdfd71adc6e0353d5c52f41a045d225 #171
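# Integration workflow: builds the .deb/.rpm packages once with nFPM, then
# installs and validates them (and a plain pip install) across the supported
# Python versions and distro container images.
name: Integration

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: the jobs below only check out code,
# exchange build artifacts and run shell steps; none of them writes to the
# repository, so read access to contents is sufficient.
permissions:
  contents: read

# All third-party action invocations are SHA-pinned (with the
# corresponding tag in a comment) so a moved tag in the upstream
# action repo cannot silently change what runs in CI. Refresh
# periodically by re-running
# `gh api repos/<owner>/<repo>/git/refs/tags/<tag>` (or, for branch-
# tracked actions like pypa/gh-action-pypi-publish@release/v1,
# `gh api repos/<owner>/<repo>/branches/<branch>`) and updating both
# the SHA and the comment in lockstep across every workflow.
#
# nFPM is pinned to a specific release AND its archive is checked
# against the goreleaser-published checksums.txt before extraction.
# Update both NFPM_VERSION and the comment in any future bump.
# NOTE(review): checksums.txt is downloaded from the same release as the
# archive on every run, so this check catches a corrupted or mismatched
# download but not a release whose archive and checksums.txt were both
# replaced. To detect that, pin the expected SHA-256 in this file next to
# NFPM_VERSION, or verify the publisher's signature over checksums.txt.
env:
  NFPM_VERSION: "2.41.3"

jobs:
  # Build packages once, then test on multiple OSes
  build-packages:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.VERSION }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: '3.11'

      - name: Extract version
        id: version
        run: |
          VERSION=$(grep -oP '__version__\s*=\s*"\K[^"]+' src/eneru/version.py)
          echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Building version: $VERSION"

      - name: Install nFPM
        run: |
          BASE="https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}"
          ARCHIVE="nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz"
          # -f makes curl fail on an HTTP error instead of saving the error
          # page under the archive's name; -S keeps the error visible.
          curl -fsSLO "${BASE}/${ARCHIVE}"
          curl -fsSL "${BASE}/checksums.txt" -o nfpm_checksums.txt
          # Check the downloaded archive against the publisher's checksum
          # file before extraction and the `sudo mv` install. No signature
          # is verified here, and both files come from the same release,
          # so this detects a damaged or mismatched download only.
          grep " ${ARCHIVE}\$" nfpm_checksums.txt | sha256sum -c -
          tar -xzf "${ARCHIVE}" nfpm
          sudo mv nfpm /usr/local/bin/
          rm "${ARCHIVE}" nfpm_checksums.txt
          nfpm --version

      # VERSION is handed to nfpm through the step environment rather than
      # interpolated into the script text, so a version string read from the
      # checked-out tree is never parsed as shell.
      - name: Build .deb package
        env:
          VERSION: ${{ steps.version.outputs.VERSION }}
        run: nfpm package --packager deb --target .

      - name: Build .rpm package
        env:
          VERSION: ${{ steps.version.outputs.VERSION }}
        run: nfpm package --packager rpm --target .

      - name: Upload packages
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: packages
          path: |
            *.deb
            *.rpm
          retention-days: 1

  # Test pip installation across Python versions
  test-pip-install:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python-version: ['3.9', '3.10', '3.11', '3.12', '3.13', '3.14', '3.15-dev']
    # The pre-release interpreter is allowed to fail without failing the run.
    continue-on-error: ${{ matrix.python-version == '3.15-dev' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: ${{ matrix.python-version }}
          allow-prereleases: true

      - name: Install via pip
        run: pip install ".[notifications]"

      - name: Verify installation
        run: eneru version

      - name: Validate example configs
        run: |
          for config in examples/*.yaml; do
            echo "Validating $config..."
            eneru validate --config "$config"
          done

  # Test .deb package installation on Debian/Ubuntu
  test-deb:
    needs: build-packages
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - distro: debian
            version: '11'
            name: Debian 11 (Bullseye)
          - distro: debian
            version: '12'
            name: Debian 12 (Bookworm)
          - distro: debian
            version: '13'
            name: Debian 13 (Trixie)
          - distro: ubuntu
            version: '22.04'
            name: Ubuntu 22.04 (Jammy)
          - distro: ubuntu
            version: '24.04'
            name: Ubuntu 24.04 (Noble)
          - distro: ubuntu
            version: '26.04'
            name: Ubuntu 26.04 (Resolute)
    # Images are referenced by mutable tag, not digest, so each run tests
    # whatever the registry currently serves for that release.
    container:
      image: ${{ matrix.distro }}:${{ matrix.version }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Download packages
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: packages

      - name: Install dependencies and package
        env:
          DEBIAN_FRONTEND: noninteractive
        run: |
          apt-get update
          apt-get install -y python3 python3-yaml
          # --force-depends lets us install even though nut-client isn't
          # in the test container; subsequent `apt-get install -f` then
          # resolves any dependencies it can. Real install failures must
          # surface, so the trailing `|| true` mask is gone.
          dpkg --force-depends -i eneru_*.deb
          apt-get install -f -y --no-install-recommends

      - name: Verify installation
        run: |
          # Check the script is installed
          test -f /opt/ups-monitor/eneru.py
          test -f /etc/ups-monitor/config.yaml
          # Run validation
          python3 /opt/ups-monitor/eneru.py version
          python3 /opt/ups-monitor/eneru.py validate --config /etc/ups-monitor/config.yaml

      - name: Validate example configs
        run: |
          for config in examples/*.yaml; do
            echo "Validating $config..."
            python3 /opt/ups-monitor/eneru.py validate --config "$config"
          done

  # Test .rpm package installation on RHEL UBI
  test-rpm:
    needs: build-packages
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - version: '8'
            image: registry.access.redhat.com/ubi8/ubi
            name: RHEL 8 (Ootpa)
            python_pkg: python39 python39-pyyaml
          - version: '9'
            image: registry.access.redhat.com/ubi9/ubi
            name: RHEL 9 (Plow)
            python_pkg: python3 python3-pyyaml
          - version: '10'
            image: registry.access.redhat.com/ubi10/ubi
            name: RHEL 10 (Coughlan)
            python_pkg: python3 python3-pyyaml
    container:
      image: ${{ matrix.image }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Download packages
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: packages

      - name: Install dependencies and package
        run: |
          # python_pkg is a static, space-separated list from the matrix
          # above; it is left unquoted on purpose so it splits into
          # separate package names.
          dnf install -y ${{ matrix.python_pkg }}
          # Try rpm first (fast, with --nodeps for the missing nut-client).
          # If that fails for non-dep reasons, fall back to dnf with
          # --skip-broken. Real install failures still propagate.
          rpm -ivh --nodeps eneru-*.rpm || dnf install -y ./eneru-*.rpm --skip-broken

      - name: Verify installation
        run: |
          # Check the script is installed
          test -f /opt/ups-monitor/eneru.py
          test -f /etc/ups-monitor/config.yaml
          # Run validation
          python3 /opt/ups-monitor/eneru.py version
          python3 /opt/ups-monitor/eneru.py validate --config /etc/ups-monitor/config.yaml

      - name: Validate example configs
        run: |
          for config in examples/*.yaml; do
            echo "Validating $config..."
            python3 /opt/ups-monitor/eneru.py validate --config "$config"
          done

  # Test pip installation inside containers (ensures pyproject.toml works on real distros)
  test-pip-in-container:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - distro: debian
            version: '11'
            name: Debian 11
          - distro: debian
            version: '12'
            name: Debian 12
          - distro: debian
            version: '13'
            name: Debian 13
          # Ubuntu 22.04 skipped: system pip 22.0.2 has a regression with
          # pyproject.toml dynamic version metadata, building UNKNOWN-0.0.0.
          # Upgrading pip fixes it, but that no longer tests the real system.
          # Ubuntu 22.04 is covered by the test-deb job instead.
          - distro: ubuntu
            version: '24.04'
            name: Ubuntu 24.04
          - distro: ubuntu
            version: '26.04'
            name: Ubuntu 26.04
          - image: registry.access.redhat.com/ubi10/ubi
            name: RHEL 10 (Coughlan)
    # Entries with an explicit `image` use it; the others build the image
    # reference from distro and version.
    container:
      image: ${{ matrix.image || format('{0}:{1}', matrix.distro, matrix.version) }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install pip and dependencies (Debian/Ubuntu)
        if: matrix.distro != ''
        env:
          DEBIAN_FRONTEND: noninteractive
        run: |
          apt-get update
          apt-get install -y python3 python3-pip

      - name: Install pip and dependencies (RHEL)
        if: matrix.image != ''
        run: |
          dnf install -y python3 python3-pip

      - name: Install via pip
        run: |
          # Try with --break-system-packages first; if that command fails,
          # retry without the flag.
          python3 -m pip install --break-system-packages ".[notifications]" || \
            python3 -m pip install ".[notifications]"

      - name: Verify installation
        run: eneru version

      - name: Validate example configs
        run: |
          for config in examples/*.yaml; do
            echo "Validating $config..."
            eneru validate --config "$config"
          done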