Add trusted publishing #8
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| static: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
| fetch-depth: 0 | ||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v5 | ||
| with: | ||
| enable-cache: true | ||
| python-version: ${{ matrix.python-version }} | ||
| - uses: extractions/setup-just@v3 | ||
| - run: just install | ||
| - run: just lint | ||
| - run: just docs | ||
| - run: just doctest |
Check warning
Code scanning / zizmor
default permissions used due to no permissions: block Warning test
| build: | ||
| runs-on: ${{ matrix.os }} | ||
| strategy: | ||
| matrix: | ||
| os: ["ubuntu-latest", "macos-latest", "windows-latest"] | ||
| python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"] | ||
| fail-fast: false | ||
| name: CPython ${{ matrix.python-version }}-${{ matrix.os }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
| fetch-depth: 0 | ||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v5 | ||
| with: | ||
| enable-cache: true | ||
| python-version: ${{ matrix.python-version }} | ||
| - uses: extractions/setup-just@v3 | ||
| - name: Start MongoDB on Linux | ||
| if: ${{ startsWith(runner.os, 'Linux') }} | ||
| uses: supercharge/mongodb-github-action@1.12.0 | ||
| with: | ||
| mongodb-version: ${{ env.MAX_MONGODB }} | ||
| mongodb-replica-set: test-rs | ||
| - name: Start MongoDB on MacOS | ||
| if: ${{ startsWith(runner.os, 'macOS') }} | ||
| run: | | ||
| brew tap mongodb/brew | ||
| brew install mongodb/brew/mongodb-community@${MAX_MONGODB} | ||
| brew services start mongodb-community@${MAX_MONGODB} | ||
| - name: Start MongoDB on Windows | ||
| if: ${{ startsWith(runner.os, 'Windows') }} | ||
| shell: powershell | ||
| run: | | ||
| mkdir data | ||
| mongod --remove | ||
| mongod --install --dbpath=$(pwd)/data --logpath=$PWD/mongo.log | ||
| net start MongoDB | ||
| - run: just install | ||
| - run: just test |
Check warning
Code scanning / zizmor
default permissions used due to no permissions: block Warning test
| make_dist: | ||
| name: Make Dist | ||
| runs-on: macos-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - uses: actions/setup-python@v5 | ||
| with: | ||
| # Build sdist on lowest supported Python | ||
| python-version: '3.9' | ||
|
|
||
| - name: Install python requirements | ||
| run: | | ||
| python -m pip install uv rust-just build twine | ||
|
|
||
| - name: Build Dist | ||
| run: | | ||
| python -m build . | ||
|
|
||
| - name: Test SDist | ||
| run: | | ||
| python -m twine check --strict dist/*.* | ||
| python -m pip install dist/*.gz | ||
| cd .. | ||
| python -c "from flask_pymongo import PyMongo" | ||
|
|
||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: "dist" | ||
| path: ./dist/*.* |
Check warning
Code scanning / zizmor
default permissions used due to no permissions: block Warning
| outputs: | ||
| version: ${{ steps.pre-publish.outputs.version }} | ||
| steps: | ||
| - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 |
Check failure
Code scanning / zizmor
action is not pinned to a hash (required by blanket policy) Error
| with: | ||
| app_id: ${{ vars.APP_ID }} | ||
| private_key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| - uses: mongodb-labs/drivers-github-tools/setup@v2 |
Check failure
Code scanning / zizmor
action is not pinned to a hash (required by blanket policy) Error
| aws_region_name: ${{ vars.AWS_REGION_NAME }} | ||
| aws_secret_id: ${{ secrets.AWS_SECRET_ID }} | ||
| artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }} | ||
| - uses: mongodb-labs/drivers-github-tools/python-labs/pre-publish@v2 |
Check failure
Code scanning / zizmor
action is not pinned to a hash (required by blanket policy) Error
| build-dist: | ||
| needs: [pre-publish] | ||
| uses: ./.github/workflows/dist-python.yml | ||
| with: | ||
| ref: ${{ needs.pre-publish.outputs.version }} |
Check warning
Code scanning / zizmor
default permissions used due to no permissions: block Warning
| with: | ||
| enable-cache: true | ||
| python-version: ${{ env.MIN_PYTHON }} | ||
| - uses: extractions/setup-just@v3 |
Check failure
Code scanning / zizmor
action is not pinned to a hash (required by blanket policy) Error test
| python-version: ${{ env.MIN_PYTHON }} | ||
| - uses: extractions/setup-just@v3 | ||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v5 |
Check failure
Code scanning / zizmor
action is not pinned to a hash (required by blanket policy) Error test
| with: | ||
| enable-cache: true | ||
| python-version: ${{ env.MIN_PYTHON }} | ||
| - uses: extractions/setup-just@v3 |
Check failure
Code scanning / zizmor
action is not pinned to a hash (required by blanket policy) Error test
| enable-cache: true | ||
| python-version: ${{ env.MIN_PYTHON }} | ||
| - uses: extractions/setup-just@v3 | ||
| - uses: supercharge/mongodb-github-action@1.12.0 |
Check failure
Code scanning / zizmor
action is not pinned to a hash (required by blanket policy) Error test
| with: | ||
| persist-credentials: false | ||
| - name: Setup Rust | ||
| uses: actions-rust-lang/setup-rust-toolchain@v1 |
Check failure
Code scanning / zizmor
action is not pinned to a hash (required by blanket policy) Error
No description provided.