.github/workflows/quality.yml - external/github.com/nedbat/coveragepy - Git at Google

 # Licensed under the Apache License: http://www.apache.org/licenses/LICENSE-2.0
 # For details: https://github.com/nedbat/coveragepy/blob/master/NOTICE.txt

 name: "Quality"

 on:
   push:
     branches:
       - master
       - nedbat/*
   pull_request:
   workflow_dispatch:

 defaults:
   run:
     shell: bash

 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1

 permissions:
   contents: read

 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: true

 jobs:
   changed:
     name: "Check changed files"
     runs-on: ubuntu-latest
     permissions:
       pull-requests: read   # Needed for this check to run on pull requests
     outputs:
       python: ${{ steps.filter.outputs.python }}
       docs: ${{ steps.filter.outputs.docs }}
       actions: ${{ steps.filter.outputs.actions }}
       workflow: ${{ steps.filter.outputs.workflow }}
     steps:
       - name: "Check out the repo"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false

       - name: "Examine changed files"
         uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
         with:
           filters: |
             python:
               - "**.py"
             docs:
               - "doc/**"
               - "coverage/**.py"
             actions:
               - ".github/workflows/**"
             workflow:
               - ".github/workflows/quality.yml"
               - "tox.ini"
               - "requirements/*.pip"

   lint:
     name: "Pylint etc"
     # Because pylint can report different things on different OS's (!)
     # (https://github.com/PyCQA/pylint/issues/3489), run this on Mac where local
     # pylint gets run.
     runs-on: macos-latest

     needs: changed
     if: ${{ needs.changed.outputs.python == 'true' || needs.changed.outputs.actions == 'true' || needs.changed.outputs.workflow == 'true' }}

     steps:
       - name: "Check out the repo"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false

       - name: "Install Python"
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.10" # Minimum of PYVERSIONS
           cache: pip
           cache-dependency-path: 'requirements/*.pip'

       - name: "Install dependencies"
         run: |
           python -m pip install -r requirements/tox.pip

       - name: "Tox lint"
         run: |
           python -m tox -e lint

   mypy:
     name: "Check types"
     runs-on: ubuntu-latest

     needs: changed
     if: ${{ needs.changed.outputs.python == 'true' || needs.changed.outputs.workflow == 'true' }}

     steps:
       - name: "Check out the repo"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false

       - name: "Install Python"
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.10" # Minimum of PYVERSIONS
           cache: pip
           cache-dependency-path: 'requirements/*.pip'

       - name: "Install dependencies"
         run: |
           python -m pip install -r requirements/tox.pip

       - name: "Tox mypy"
         run: |
           python -m tox -e mypy

   doc:
     name: "Build docs"
     runs-on: ubuntu-latest

     needs: changed
     if: ${{ needs.changed.outputs.docs == 'true' || needs.changed.outputs.workflow == 'true' }}

     steps:
       - name: "Check out the repo"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false

       - name: "Fetch origin/master"
         # rediraffe needs to compare to origin/master
         run: |
           git fetch origin master --depth=1

       - name: "Install Python"
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.11" # Doc version from PYVERSIONS
           cache: pip
           cache-dependency-path: 'requirements/*.pip'

       - name: "Show environment"
         run: |
           set -xe
           python -VV
           python -m site
           env | sort

       - name: "Install dependencies"
         run: |
           set -xe
           python -m pip install -r requirements/tox.pip

       - name: "Tox doc"
         run: |
           python -m tox -e doc

   zizmor:
     name: "Zizmor GHA security check"
     runs-on: ubuntu-latest
     permissions:
       contents: read

     needs: changed
     if: ${{ needs.changed.outputs.actions == 'true' || needs.changed.outputs.workflow == 'true' }}

     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false

       - name: Install the latest version of uv
         uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 #v7.1.2
         with:
           enable-cache: false

       - name: Run zizmor
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: uvx zizmor --pedantic .github/workflows
	# Licensed under the Apache License: http://www.apache.org/licenses/LICENSE-2.0
	# For details: https://github.com/nedbat/coveragepy/blob/master/NOTICE.txt

	name: "Quality"

	on:
	push:
	branches:
	- master
	- nedbat/*
	pull_request:
	workflow_dispatch:

	defaults:
	run:
	shell: bash

	env:
	PIP_DISABLE_PIP_VERSION_CHECK: 1

	permissions:
	contents: read

	concurrency:
	group: "${{ github.workflow }}-${{ github.ref }}"
	cancel-in-progress: true

	jobs:
	changed:
	name: "Check changed files"
	runs-on: ubuntu-latest
	permissions:
	pull-requests: read # Needed for this check to run on pull requests
	outputs:
	python: ${{ steps.filter.outputs.python }}
	docs: ${{ steps.filter.outputs.docs }}
	actions: ${{ steps.filter.outputs.actions }}
	workflow: ${{ steps.filter.outputs.workflow }}
	steps:
	- name: "Check out the repo"
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false

	- name: "Examine changed files"
	uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
	id: filter
	with:
	filters: \|
	python:
	- "**.py"
	docs:
	- "doc/**"
	- "coverage/**.py"
	actions:
	- ".github/workflows/**"
	workflow:
	- ".github/workflows/quality.yml"
	- "tox.ini"
	- "requirements/*.pip"

	lint:
	name: "Pylint etc"
	# Because pylint can report different things on different OS's (!)
	# (https://github.com/PyCQA/pylint/issues/3489), run this on Mac where local
	# pylint gets run.
	runs-on: macos-latest

	needs: changed
	if: ${{ needs.changed.outputs.python == 'true' \|\| needs.changed.outputs.actions == 'true' \|\| needs.changed.outputs.workflow == 'true' }}

	steps:
	- name: "Check out the repo"
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false

	- name: "Install Python"
	uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
	with:
	python-version: "3.10" # Minimum of PYVERSIONS
	cache: pip
	cache-dependency-path: 'requirements/*.pip'

	- name: "Install dependencies"
	run: \|
	python -m pip install -r requirements/tox.pip

	- name: "Tox lint"
	run: \|
	python -m tox -e lint

	mypy:
	name: "Check types"
	runs-on: ubuntu-latest

	needs: changed
	if: ${{ needs.changed.outputs.python == 'true' \|\| needs.changed.outputs.workflow == 'true' }}

	steps:
	- name: "Check out the repo"
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false

	- name: "Install Python"
	uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
	with:
	python-version: "3.10" # Minimum of PYVERSIONS
	cache: pip
	cache-dependency-path: 'requirements/*.pip'

	- name: "Install dependencies"
	run: \|
	python -m pip install -r requirements/tox.pip

	- name: "Tox mypy"
	run: \|
	python -m tox -e mypy

	doc:
	name: "Build docs"
	runs-on: ubuntu-latest

	needs: changed
	if: ${{ needs.changed.outputs.docs == 'true' \|\| needs.changed.outputs.workflow == 'true' }}

	steps:
	- name: "Check out the repo"
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false

	- name: "Fetch origin/master"
	# rediraffe needs to compare to origin/master
	run: \|
	git fetch origin master --depth=1

	- name: "Install Python"
	uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
	with:
	python-version: "3.11" # Doc version from PYVERSIONS
	cache: pip
	cache-dependency-path: 'requirements/*.pip'

	- name: "Show environment"
	run: \|
	set -xe
	python -VV
	python -m site
	env \| sort

	- name: "Install dependencies"
	run: \|
	set -xe
	python -m pip install -r requirements/tox.pip

	- name: "Tox doc"
	run: \|
	python -m tox -e doc

	zizmor:
	name: "Zizmor GHA security check"
	runs-on: ubuntu-latest
	permissions:
	contents: read

	needs: changed
	if: ${{ needs.changed.outputs.actions == 'true' \|\| needs.changed.outputs.workflow == 'true' }}

	steps:
	- name: Checkout repository
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	persist-credentials: false

	- name: Install the latest version of uv
	uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 #v7.1.2
	with:
	enable-cache: false

	- name: Run zizmor
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: uvx zizmor --pedantic .github/workflows